Search code examples
ember.jsember-dataember-clicontent-security-policy

Security problems in upgrading ember application

I have an ember/ember-cli application that I am upgrading from 1.10 to 1.12. This application uses an API that runs on port 8000 in development. I have the following environment.js:

module.exports = function(environment) {
  var ENV = {
    modulePrefix: 'myapplication',
    environment: environment,
    baseURL: '/',
    locationType: 'auto',
    EmberENV: {
      FEATURES: {
      }
    },
    contentSecurityPolicy: {
      'default-src': "'none'",
      'script-src': "'self'",
      'font-src': "'self'",
      'img-src': "'self'",
      'style-src': "'self'",
      'media-src': "'self'"
    },
    APP: {}
  };

  if (environment === 'development') {
    ENV.APP.API_NAMESPACE = '';
    ENV.APP.LOG_VIEW_LOOKUPS = true;
    ENV.contentSecurityPolicy['connect-src'] = "http://localhost:8000";
  }

  if (environment === 'test') {
    // [snipped]
  }

  if (environment === 'production') {
    // [snipped]
 }

  return ENV;
};

So this worked before, but now, when a request is made to the API, it is being made to port 4200, so returning as not found.

The crossdomain.xml has the following:

<site-control permitted-cross-domain-policies="none"/>

but changing this to "all" didn't help. It seems that ember-cli-content-security-policy has been updated from 0.3.0 to 0.4.0, incidentally.

EDIT After proxying ember serve --proxy http://localhost:8000 I get the following error:

Content Security Policy violation: 
{  
   "csp-report":{  
      "document-uri":"http://localhost:4200/",
      "referrer":"",
      "violated-directive":"connect-src http://localhost:8000 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report",
      "effective-directive":"connect-src",
      "original-policy":"default-src 'none'; script-src 'self' localhost:35729 0.0.0.0:35729; font-src 'self'; img-src 'self'; style-src 'self'; media-src 'self'; connect-src http://localhost:8000 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; report-uri http://0.0.0.0:4200/csp-report;",
      "blocked-uri":"http://localhost:4200/myapp",
      "source-file":"http://localhost:4200/assets/vendor.js",
      "line-number":9827,
      "column-number":10,
      "status-code":200
   }
}
Solution

  • I believe you need to add multiple hosts, one for port: 8000 and port: 4200