I'm working on an Ember addon leveraging PDF.js and ember-cli at version 2.18.2, and I'm noticing that PDF.js injects inline styles. The Content-Security-Policy-Report-Only header specifies style-src 'self'; which results in the logs of ember serve exploding with CSP violations being reported to the server via the report-only URI with the following message:
Content Security Policy violation:
{
  "csp-report": {
    "document-uri": "http://localhost:4200/tests/index.html?testId=46b61910",
    "referrer": "http://localhost:4200/tests/index.html",
    "violated-directive": "style-src",
    "effective-directive": "style-src",
    "original-policy": "default-src 'none'; script-src 'self' localhost:7020 0.0.0.0:7020 undefined:7020; font-src 'self'; connect-src 'self' ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200; img-src 'self'; style-src 'self'; media-src 'self'; report-uri http://localhost:4200/csp-report;",
    "disposition": "report",
    "blocked-uri": "inline",
    "line-number": 5270,
    "column-number": 23,
    "source-file": "http://localhost:4200/assets/test-support.js",
    "status-code": 200,
    "script-sample": ""
  }
}
Seeing as the applications we're building that will consume this addon control their own CSP and allow for inline styling, I'd like to disable these warnings, but I'm having difficulty tracking down how to do so.
Is it possible to customize the report-only CSP in an Ember.js addon's dummy app?
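
An added example, not part of the original question: a small Node.js script for triaging reports like the one above. It parses the `original-policy`, checks whether the directive governing styles permits inline styles, and collapses repeated reports into one row per source. The function names and the second sample report are constructed for illustration.

```javascript
// Added example; function names are hypothetical. POLICY is the "original-policy"
// from the report above; SAMPLE is constructed from that report's fields.
const POLICY = "default-src 'none'; script-src 'self' localhost:7020 0.0.0.0:7020 undefined:7020; font-src 'self'; connect-src 'self' ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200; img-src 'self'; style-src 'self'; media-src 'self'; report-uri http://localhost:4200/csp-report;";
const base = { 'effective-directive': 'style-src', 'blocked-uri': 'inline',
  'source-file': 'http://localhost:4200/assets/test-support.js', 'original-policy': POLICY };
const SAMPLE = [
  { 'csp-report': { ...base, 'line-number': 5270 } },
  { 'csp-report': { ...base, 'line-number': 5301 } }, // constructed second hit
];

// Parse a policy string into { directive: [source expressions] } (lowercased for matching).
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !(name in directives)) directives[name] = sources;
  }
  return directives;
}

// True if the policy lets inline <style> blocks and style="" attributes through.
// Simplification: ignores the CSP3 style-src-elem / style-src-attr split.
function allowsInlineStyles(policy) {
  const d = parsePolicy(policy);
  const sources = d['style-src'] || d['default-src']; // style-src falls back to default-src
  if (!sources) return true; // nothing governs styles
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Collapse repeated reports into one row per (directive, blocked-uri, source-file).
function summarize(reports) {
  const groups = new Map();
  for (const { 'csp-report': r } of reports) {
    const directive = r['effective-directive'] || r['violated-directive'];
    const key = `${directive} | ${r['blocked-uri']} | ${r['source-file']}`;
    const g = groups.get(key) || { key, count: 0, lines: [],
      policyAllowsInlineStyles: allowsInlineStyles(r['original-policy']) };
    g.count += 1;
    if (!g.lines.includes(r['line-number'])) g.lines.push(r['line-number']);
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}

console.log(summarize(SAMPLE));
```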