hashed unsafe-inline support? #67
Comments
Thanks for bringing this up James! At the moment no, but I agree that it would be a good addition. For hashes we'd need to have this addon run after minification. Do you know if ember-cli has support for specifying the order of addons? I don't know much about addon <-> addon communication, but unless there is a way of specifying the order it would be better if this addon had an API for setting the hash. Nonces (https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-nonce-usage) would be easier to implement, but won't work since they must be randomly generated for each request (ember is often hosted statically).
This is also a requirement for
Any update on this issue? It would be really helpful to have a way to add hashes to the configuration at build time.
It's still a work in progress. But slow progress to be honest. v2 should lay the foundation for this feature. I hope that implementation is straightforward afterwards. But I don't have much time to work on this addon currently. So it will take some time. I would appreciate any help. If you have some time to help implementing this feature or the missing pieces to get v2 stable, please reach out to me on Discord to coordinate.
unsafe-inline isn't sufficient to allow <script>...</script> on the page. CSP 2 requires those tags to have a hash of their contents. See https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

Is there a way for this library to automatically calculate the hashes? Or should addons that use contentFor do the hashing and add the results to config.contentSecurityPolicy['script-src']? If the latter, could this addon expose an API to make that easier?

See also pgrippi/ember-cli-google-analytics#21