-
-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Content-Security-Policy warnings with ember-electron #349
Comments
It should be possible to run w/o needing to allow all of those "unsafe" things, but it depends a lot on your code and its dependencies. For example, I needed one because I use plotly.js, which currently needs this. |
@gossi Have you learned more about this? Do you have any suggestions for how we could improve the ember-electron documentation or code in this regard? |
No I haven't really. If there is some dependency (or transient dependency) it's basically fishing for the unknown for it and it is out of the responsibility of ones code, not much we can do about it. What I can say for sure is: ember-cli-hot-loader doesn't work with ember-electron most basically because it's eval'ing in the new javascript send in |
I assume you mean that it doesn't work when using strict CSPs, right? (It could "work" with lax / insecure settings.) I guess what I'm trying to figure out is what the next steps are for resolving this issue -- do we just need improved docs (with which I feel qualified to help) or is there something in the code? |
It didn't work with lax settings for me, I enabled Regarding your original question, I have no idea what can be done code-wise to tackle this. For documentation I think these things help:
Does that help? |
@gossi Thanks for your reply; that helps clarify a little bit, but I still don't quite understand what constitutes "working" and "not working" in this context (e.g. if the app runs correctly but the security warnings appear in dev is it "working" or "not working"?) As for documentation, did you see the security FAQ page about this? It shows how to set up Also, I'm not entirely sure what is specific to If I understand you correctly, these are some of the current pain points:
|
I set up e-csp correctly using I had to add For Anyway you summary nails it 👍 |
unsafe-eval is most likely down to using ember-auto-import, you can configure it to not use eval by passing the forbidEval options. https://github.com/ef4/ember-auto-import#customizing-build-behavior My CSP ended up looking like this // ember-cli-content-security-policy
contentSecurityPolicy: {
"default-src": ["'none'"],
"script-src": ["'self' 'unsafe-inline' http://localhost:7020"],
"font-src": ["'self'"],
"connect-src": ["'self'"],
"img-src": ["'self'"],
"style-src": ["'self'"],
"media-src": ["'self'"],
},
contentSecurityPolicyMeta: true, I had to manually add the http://localhost:7020 to get the live reload script to load. |
@evoactivity this setup works to remove the warnings for you and you get a working app when you build for production? |
I'll let you know in the next day or so, I'm still getting a new project setup and have not tried a production build just yet. |
@rwwagner90 I've just tried |
@evoactivity nice! Would you be open to submitting a PR adding this info to the docs? |
@evoactivity does running |
False alarm, I had to remove |
@evoactivity can you confirm that |
Yeah, we load I don't use CSP myself, so I can't really give any more specific info. |
Sorry for not replying sooner @rwwagner90, I've been away from my project using this for the last week or so, I should be back on it today and I'll let you know if I see the same behaviour or find a way around it. |
@bendemboski so we probably need to allow both |
I think you can for all practical purposes count on the testem port being So I think you could get away with that. The only place I know of where we know the testem URL/port for sure (rather than assuming we're using testem's default port) is here, but that's running in the main process at runtime. Maybe if we rewrite So yeah, it's complicated™️ but you could probably get away with just assuming |
@bendemboski hmm, no luck with this: contentSecurityPolicy: {
'default-src': ["'none'"],
'script-src': [
'http://localhost:7020',
'http://localhost:7357',
'http://testemserver',
"'self'",
"'unsafe-inline'"
],
'font-src': ["'self'"],
'connect-src': ["'self'"],
'img-src': ['data:', "'self'"],
'style-src': ["'self'", "'unsafe-inline'"],
'media-src': ["'self'"]
},
contentSecurityPolicyMeta: true, |
I haven't CSP'ed in a while, but don't you see messages about the blocked content in the console, or can't you enable a warning mode or something to get the browser to tell what it's blocking and why? |
@bendemboski I am not sure. I think typically, when running the code in the browser, you get something in the console about it, but not sure if the same is true for Electron. I think it may not know it's blocking anything, since it's only blocking testem stuff, and the part it is blocking is only giving control back to the terminal. |
I'd be quite surprised if Electron suppressed that kind of console warning...if you run |
@bendemboski yeah, I did that yesterday and got all the ones I could fixed. I think the only ones not fixable are the |
With this PR #695 everything works with this config: contentSecurityPolicy: {
'default-src': ["'none'"],
'script-src': [
'http://localhost:7020',
'http://localhost:7357',
'http://testemserver',
"'nonce-ember-electron-shim-head'",
"'nonce-ember-electron-shim-footer'",
"'nonce-ember-electron-shim-test-head'",
"'self'",
"'unsafe-inline'"
],
'font-src': ["'self'"],
'frame-src': ['http://localhost:7357', 'http://testemserver/', "'self'"],
'connect-src': ["'self'"],
'img-src': ['data:', "'self'"],
'style-src': ["'self'", "'unsafe-inline'"],
'media-src': ["'self'"]
},
contentSecurityPolicyMeta: true,
``` |
Ember CLI Content Security Policy should inject the source required to run tests with testem and to support Ember CLI live reload automatically. I'm wondering why this is not working for Ember Electron apps. Is Ember Electron doing something special in regards to this two features? You can find tests for both here:
Did you tested with latest pre-release of Ember CLI Content Security Policy? This is currently Sadly there is no good work-a-round for scripts injected by an addon in a |
@jelhan yeah, we have some hacks to make testem work. @bendemboski knows more than I do, but essentially since electron doesn't run a server and runs from |
In case anyone else stumbles upon this nowadays, I want to make a note that |
The recent releases of electron fixed a bunch of XSS vulnerabilities so I also updated my verison of
electron-prebuilt-compile
to2.0.0
. Which introduced a couple of security warnings, which I was able to fix, except one for CSP with ember-electron.In the document about security for electron they mention a restricted policy for script tags. As suggested I installed the ember-cli-content-security-policy addon. It's great, it adds all the relevant live-reload related urls and stuff. By default it adds them as header when running
ember s
but fails adding this withember electron
and the serve protocol. It can be configured to use a<meta>
element instead.What I find out, regarding
ember-electron
. In order to make it work, you must setscript-src
to include'unsafe-inline'
because of the<script>
element that is added to the body. Second is I had to add'unsafe-eval'
toscript-src
to make the actual ember code work in electron. I'm sceptical about this, whether I turned something wrong.What I ended up with, was setting a CSP to a value that shouldn't be set as by the security guidelines of electron.
I would wish for some guidance on this topic, because we as developers are quick to lower the barriers to make things work but actually break security with that.
The text was updated successfully, but these errors were encountered: