hashed unsafe-inline support? #67

Open
jamesarosen opened this issue Jul 8, 2016 · 4 comments

@jamesarosen
jamesarosen commented Jul 8, 2016

unsafe-inline isn't sufficient to allow <script>...</script> on the page. CSP 2 requires those tags to have a hash of their contents. See https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

Is there a way for this library to automatically calculate the hashes? Or should addons that use contentFor do the hashing and add the results to config.contentSecurityPolicy['script-src']? If the latter, could this addon expose an API to make that easier?

See also pgrippi/ember-cli-google-analytics#21

@sandstrom
Collaborator

Thanks for bringing this up James!

At the moment no, but I agree that it would be a good addition.

For hashes we'd need to have this addon run after minification. Do you know if ember-cli has support for specifying the order of addons?

I don't know much about addon <-> addon communication, but unless there is a way of specifying the order it would be better if this addon had an API for setting the hash.


Nonces (https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-nonce-usage) would be easier to implement, but won't work since they must be randomly generated for each request (ember is often hosted statically).
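
An added example, not part of the comments above and not code from this addon or ember-cli: it computes CSP 2 hash sources for inline scripts in built HTML and shows why the hash has to be taken after minification. The function names and sample HTML are constructed for illustration, and the policy is assumed to be an object mapping directive names to arrays of sources.

```javascript
const crypto = require('crypto');

// CSP hash-source for one inline script: base64 SHA-256 over the exact text
// between <script> and </script>, whitespace and newlines included.
function cspHash(source) {
  const digest = crypto.createHash('sha256').update(source, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Hash every inline script in a built HTML string. Scripts with a src
// attribute are skipped: hashes only apply to inline content.
// The regex is adequate for build output we control, not for arbitrary HTML.
function inlineScriptHashes(html) {
  const hashes = new Set();
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(attrs)) continue;
    hashes.add(cspHash(body));
  }
  return [...hashes];
}

// Return a copy of the policy with the hashes merged into script-src
// (policy shape is an assumption: directive name -> array of sources).
function withScriptHashes(policy, html) {
  const current = policy['script-src'] || [];
  const merged = [...new Set([...current, ...inlineScriptHashes(html)])];
  return { ...policy, 'script-src': merged };
}

// Constructed sample: the same page before and after minification.
const SAMPLE_BUILT = `<script src="/assets/vendor.js"></script>
<script>
  window.ga = window.ga || function () {};
</script>`;
const SAMPLE_MINIFIED =
  '<script src="/assets/vendor.js"></script>' +
  '<script>window.ga=window.ga||function(){};</script>';

const before = inlineScriptHashes(SAMPLE_BUILT);
const after = inlineScriptHashes(SAMPLE_MINIFIED);
// The two hashes differ, so a hash computed before minification would
// block the script that is actually served.
console.log({ before, after, same: before[0] === after[0] });
console.log(withScriptHashes({ 'script-src': ["'self'"] }, SAMPLE_MINIFIED));
```
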

@jelhan
Collaborator

jelhan commented Jun 10, 2019

This is also a requirement for ember-style-modifier to support SSR/Fastboot: jelhan/ember-style-modifier#11. Please especially note the design outlined in jelhan/ember-style-modifier#11 (comment). I'm planning to implement that feature soon.

@GCheung55
GCheung55 commented Jul 28, 2020

Any update on this issue? It would be really helpful to have a way to add hashes to the configuration at build time.

@jelhan
Collaborator

jelhan commented Jul 28, 2020

It's still a work in progress. But slow progress to be honest. v2 should lay the foundation for this feature. I hope that implementation is straightforward afterwards. But I don't have much time to work on this addon currently. So it will take some time.

I would appreciate any help. If you have some time to help implementing this feature or the missing pieces to get v2 stable, please reach out to me on Discord to coordinate.
