Roadmap for v2.0

[jelhan]

Disclaimer: This is only a proposal as I'm not the maintainer of this repo.

As you might have noticed I'm working on an incremental refactoring of the configuration of this addon. It makes sense to ship all changes in one release to avoid unnecessary noice.

I would suggest that next release includes these features:

• Move configuration to ember-cli-content-security-policy namespace, introduce an explicit enabled option and reword other options. (refactor configuration #92, Refactor configuration to use ember-cli-content-security-policy (instead of contentSecurityPolicy) #94)
• Move configuration to config/content-security-policy.js. (options should not come from config/env, rather the brocfil. These are build-server concerns not run-time concerns #30, Allow configuration to be specified in ember-cli-build.js #97, move config to config/content-security-policy.js #104)
• Policy object should be replaced by application configuration not merged. (Policy object should not be merged but replaced by application configuration #99, Avoid merging policies in build time configuration #101)

There are some pending feature requests that could be implemented having sensitive defaults without introducing a breaking change if shiped together with configuration changes:

• Add an assertion to fail tests if CSP is violated. (Add ability to fail application / addon tests when a CSP violation is detected. #91)
• Add CSP header in FastBoot if addon is enabled and delivery includes header. (set CSP header in FastBoot #113)

I suggest shipping all of them with the next release.

Also there are some bugs/regressions introduced by refactoring that must be fixed before release:

• CLI command is not using refactored configuration. (CLI command is not using refactored configuration #98, Update CLI command to support config from config/content-security-policy.js and fall back to legacy config/environment.js config. #103)
• Runtime configuration should not be injected if not needed (Runtime configuration should not be injected if application does not have FastBoot dependency #116, inject runtime config only if FastBoot dependency exists #121)
• Throws in FastBoot if disabled or delivery does not include header (Throws in FastBoot if disabled or delivery does not include header #117, inject instance initializer only if required #118)
• Ensure consistent test results by always using test environment for CSP affecting tests (Ensure consistent test results by always using test environment for CSP affecting tests #119, consistent test results regardless of environment #122)

Steps to be done after release:

• Update Ember CLI docs for Content Security Policy (Updates Content Security Policy documentation for ember-cli-content-security-policy@2.x ember-learn/cli-guides#146)

This would be a great foundation for jelhan/ember-style-modifier#11.

[sandstrom]

Sounds good! Ping me or rwjblue if you want us to review or merge something.

You can also ask rwjblue for repo access, perhaps he can give you (but that would be totally up to him). However, even if you'd have repo access I still think it would be vice to have another pair of eyes look through any code before it's merged.

[rwjblue]

OK, just merged #101 which I think ticks a couple of the boxes above.

[jelhan]

I think this will be a v2.0 release cause of #87. It has upgraded Ember CLI and therefore requires a newer node version. I think we should support legacy configuration nevertheless but make sure that we name the correct until version in deprecation message:

ember-cli-content-security-policy/index.js

Lines 257 to 264 in 9cd237f

	ui.writeWarnLine(
	'Configuring ember-cli-content-security-policy using `contentSecurityPolicy`, ' +
	'`contentSecurityPolicyHeader` and `contentSecurityPolicyMeta` keys in `config/environment.js` ' +
	'is deprecate and will be removed in v2.0.0. ember-cli-content-security-policy is now configured ' +
	'using `ember-cli-build.js`. Please find detailed information about new configuration options ' +
	'in addon documentation at https://github.com/rwjblue/ember-cli-content-security-policy/blob/master/DEPRECATIONS.md.',
	!runConfig.contentSecurityPolicy || !runConfig.contentSecurityPolicyHeader || !runConfig.contentSecurityPolicyMeta
	);

[rwjblue]

Sounds good, sorry for making things a bit more difficult here @jelhan

[rwjblue]

OK, how are things looking now @jelhan? I think the only checklist item left is:

Add CSP header in FastBoot if addon is enabled and delivery includes header.

Is that right?

[jelhan]

OK, how are things looking now @jelhan? I think the only checklist item left is:

Add CSP header in FastBoot if addon is enabled and delivery includes header.

Is that right?

Yes.

We might also need some more testing on real world applications to avoid regressions. It was a major refactoring and the test coverage isn't that high. Maybe a beta release would be a good idea.

[rwjblue]

Maybe a beta release would be a good idea.

Ya, totally makes sense.

[jelhan]

We should also update the Ember CLI docs which includes a section on Content Security Policy: https://cli.emberjs.com/release/basic-use/deploying/#contentsecuritypolicy It seems to miss the install step though.

[rwjblue]

We should also update the Ember CLI docs which includes a section on Content Security Policy: cli.emberjs.com/release/basic-use/deploying/#contentsecuritypolicy It seems to miss the install step though.

Ya, probably ignores the install step because it was originally authored when the addon was installed by default?

[jelhan]

Added #116 as another release blocker. Have a look at #113 (comment) for background.

[jelhan]

Sorry for the long delay here. Created three merge requests the last days: #120, #121, #122 I think we are ready to do a first release candidate as soon as these ones are merged.

[jelhan]

@rwjblue Everything should be ready for a 2.0.0-rc.0 release. As far as I know you are the only one who can do releases, aren't you?

[rwjblue]

FYI - Added @jelhan to npm...

[pragatheeswaranshf]

Any tentative date for this release? @jelhan

[jelhan]

Any tentative date for this release? @jelhan

Hopefully this week. Need to get #134 merged in before. Thanks to @reibad we were able to fix some more bugs before first release candidate.

[jelhan]

Just released the first release candidate for upcoming 2.x: v2.0.0-0

[jelhan]

During the beta period I noticed some problems related to developer experience, which I would like to fix before the first stable release. I created a milestone to track the work needed to be done before a stable v2 release: https://github.com/rwjblue/ember-cli-content-security-policy/milestone/1 PRs are welcome as always. 😄

[sandstrom]

@jelhan I personally don't think any of the three issues listed under that milestone is a blocker for a v2 release.

[jelhan]

I'm very sorry that it takes so long until getting a stable release out.

I agree that they aren't strictly necessary cause even without it's an improvement compared to latest v1 release. But I would consider #152 a blocker. Just added it to the milestone.

To be honest I would prefer rather to wait a little bit longer and fix everything before doing a stable v2 release rather than doing the release after #152. Mostly cause it has already been such a long time. I would like to combine a stable release with some marketing. And therefore providing a good developer experience is required.

I was rewriting the fragile test suite based on ember-cli-addon-tests in the last months. The unstable and slow tests slowed down development a lot. I hope that I land the changes within this week. Everything working locally. Just need to polish it a little bit.

I expect to be able to finish the other open tasks in v2 milestone soon after. I hope that we can do a stable v2 release containing all of them within this month. Decided to focus my open source activities on this addon to finally get it done.

[jelhan]

Getting v2.0 out of the door is taking way too long. I also haven't had the time to follow up. And I guess plans were to ambitious for available time.

I released v2.0.0-5 yesterday. All known bugs are fixed. Main target should be to get v2.0.0 out of the door. To ensure that I like to propose that v2.0.0-5 is released as v2.0.0 in two weeks unless a bug is reported.

[jelhan]

No new bugs were reported. Releasing v2.0.0-5 as v2.0.0. After way too long time this issue can be closed.