
Update CSP addon. #2190

Merged 1 commit from make-CSP-report-only-by-default into ember-cli:master, Oct 4, 2014

Conversation

@rwjblue (Member) commented Oct 4, 2014

Now uses Content-Security-Policy-Report-Only by default.

rwjblue added a commit that referenced this pull request Oct 4, 2014
rwjblue merged commit e0b4dc1 into ember-cli:master Oct 4, 2014
rwjblue deleted the make-CSP-report-only-by-default branch October 4, 2014 21:12
@stefanpenner (Contributor) commented:

:( Let's aim to transition this from report back to strict at some future point in time when we have more edge cases worked out.

@rwjblue (Member, Author) commented Oct 4, 2014

Agreed.

I believe that reporting is a step up from nothing, and is more likely to get folks to keep the addon enabled (because it doesn't break their apps).

@ahacking commented Oct 4, 2014

Definitely support report only. It also allows one to capture the CSP they need through test coverage.

Now, thinking out loud, it would be a useful feature to be able to generate a draft CSP based on the violations; it may well come to that, as you don't want to continuously report the same violation. Once the middleware is getting violation reports it could merge the violation into the active CSP and report the new computed CSP on the console.
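An added illustration, not code from this thread or from the ember-cli addon, of the draft-policy idea in the comment above: violation reports in the browser's `csp-report` JSON format are merged back into the active policy, and `blocked-uri` values that cannot be turned into an http(s) origin (`inline`, `eval`, `data:` and similar) are set aside for manual review rather than silently loosening the policy. The sample policy, the `report` helper and the sample reports are constructed for this example.

```javascript
// Added example, not ember-cli's addon code: merge CSP violation reports into
// the active policy. Field names follow the browser "csp-report" JSON format.
function parsePolicy(policy) {
  const directives = new Map();            // directive name -> Set of sources
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name, new Set(sources));
  }
  return directives;
}

function serializePolicy(directives) {
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Only http(s) origins are merged automatically; anything else needs a human.
function sourceFromBlockedUri(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.origin : null;
  } catch (e) {
    return null;   // 'inline', 'eval', data:, blob: ... are never auto-merged
  }
}

// Returns the recomputed policy plus the reports that were not merged.
function mergeViolations(policy, reports) {
  const directives = parsePolicy(policy);
  const needsReview = [];
  for (const { 'csp-report': r } of reports) {
    const directive = (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
    const source = sourceFromBlockedUri(r['blocked-uri']);
    if (!directive || !source) { needsReview.push(r); continue; }
    if (!directives.has(directive)) {
      // A new directive starts from the default-src fallback it was inheriting.
      directives.set(directive, new Set(directives.get('default-src') || []));
    }
    directives.get(directive).add(source);   // Set dedupes repeated reports
  }
  return { policy: serializePolicy(directives), needsReview };
}

// Constructed sample input (hypothetical hosts).
const SAMPLE_POLICY = "default-src 'self'; script-src 'self'";
const report = (directive, uri) => ({ 'csp-report': { 'effective-directive': directive, 'blocked-uri': uri } });
const SAMPLE_REPORTS = [report('script-src', 'https://cdn.example.com/lib.js'),
  report('img-src', 'https://images.example.com/a.png'), report('script-src', 'inline')];
```

Running `mergeViolations(SAMPLE_POLICY, SAMPLE_REPORTS)` yields a policy with the two origins added and the `inline` report left in `needsReview`; feeding the same reports in again leaves the policy unchanged.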

@Globegitter (Contributor) commented:

I agree it's good to have it as report only, to get people used to CSP without just breaking their app (even if it is just an addon); once it's been out there for a while, people are more used to it, and it has been improved in certain cases, it can be switched back.
