Content security policy violation

[musaffa]

This line requires inline script execution in production mode and shows error in the browser console. The error can be silenced by enabling 'unsafe-inline' to script-src in content security policy but this will make the whole application unsafe.

[joshsmith]

@musaffa I've mostly turned off CSP in my Ember apps, but do you have a good suggestion for how to handle this?

[musaffa]

The addon may need a rewrite or nonce feature of CSP can be utilized to white list this specific script.

[joshsmith]

@musaffa do you have any interest in doing a PR for either:

• making this work with CSP?

or

• adding some docs to the README for using nonce to whitelist?

[musaffa]

Sure. I will look into it.

[musaffa]

@joshsmith The current implementation heavily relies on inline scripting as it returns a script tag using contentFor. Using nonce is a no-go, because nonce is a random number which should be inserted in script-src on every page request. The random number has to be different on every page request. A relatively simpler option is to include SHA hash of the script itself in the script-src but it is still very complicated.

I've ended up with a much simpler manual implementation:

// application/route.js

actions: {
  loading(transition) {
    this._super(...arguments);

    Pace.start();

    transition.promise.finally(function() {
      Pace.stop();
    });
  }
}

I've then imported pace.js in ember-cli-build.js and a pace theme in the stylesheet.

Configuration options can also be inserted into Pace like Pace.start(customConfig). Going this way may need a major rewrite of the addon.

[joshsmith]

Is there really no way in CSPs to be able to specify a particular inline script being injected like this one?

I unfortunately do not have time personally right now to put forth such a massive rewrite (and others probably would want something to say about that), but I'd be happy to see a PR if you wanted to attempt a major version bump branch.

[musaffa]

Nonce and SHA hash are ways to do this job. But their implementations can be a bit difficult.

My custom implementation is way simpler and does the job that I need. I will need to see if the code can be extracted for the addon.

[joshsmith]

@musaffa you're a 🍑 ! Thanks for looking into it.

[SamiSammour]

@musaffa Thanks a lot dude, you saved my day

[joshsmith]

@musaffa any luck on being able to extract out for the addon?

[musaffa]

@joshsmith Not yet.