升级 ember 应用程序时出现安全问题
Security problems in upgrading ember application
我有一个 ember/ember-cli 应用程序,我要从 1.10 升级到 1.12。此应用程序使用 API 在开发中的端口 8000 上运行。我有以下 environment.js:
module.exports = function(environment) {
var ENV = {
modulePrefix: 'myapplication',
environment: environment,
baseURL: '/',
locationType: 'auto',
EmberENV: {
FEATURES: {
}
},
contentSecurityPolicy: {
'default-src': "'none'",
'script-src': "'self'",
'font-src': "'self'",
'img-src': "'self'",
'style-src': "'self'",
'media-src': "'self'"
},
APP: {}
};
if (environment === 'development') {
ENV.APP.API_NAMESPACE = '';
ENV.APP.LOG_VIEW_LOOKUPS = true;
ENV.contentSecurityPolicy['connect-src'] = "http://localhost:8000";
}
if (environment === 'test') {
// [snipped]
}
if (environment === 'production') {
// [snipped]
}
return ENV;
};
所以这以前有效,但现在,当向 API 发出请求时,它正在向端口 4200 发出,因此返回未找到。
crossdomain.xml有以下内容:
<site-control permitted-cross-domain-policies="none"/>
但将其更改为 "all" 没有帮助。好像ember-cli-content-security-policy已经从0.3.0更新到0.4.0了,顺带一提。
编辑
代理 ember serve --proxy http://localhost:8000 后出现以下错误:
Content Security Policy violation:
{
"csp-report":{
"document-uri":"http://localhost:4200/",
"referrer":"",
"violated-directive":"connect-src http://localhost:8000 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report",
"effective-directive":"connect-src",
"original-policy":"default-src 'none'; script-src 'self' localhost:35729 0.0.0.0:35729; font-src 'self'; img-src 'self'; style-src 'self'; media-src 'self'; connect-src http://localhost:8000 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; report-uri http://0.0.0.0:4200/csp-report;",
"blocked-uri":"http://localhost:4200/myapp",
"source-file":"http://localhost:4200/assets/vendor.js",
"line-number":9827,
"column-number":10,
"status-code":200
}
}
我认为您需要添加多台主机,一台用于端口:8000 和端口:4200
我有一个 ember/ember-cli 应用程序,我要从 1.10 升级到 1.12。此应用程序使用 API 在开发中的端口 8000 上运行。我有以下 environment.js:
module.exports = function(environment) {
var ENV = {
modulePrefix: 'myapplication',
environment: environment,
baseURL: '/',
locationType: 'auto',
EmberENV: {
FEATURES: {
}
},
contentSecurityPolicy: {
'default-src': "'none'",
'script-src': "'self'",
'font-src': "'self'",
'img-src': "'self'",
'style-src': "'self'",
'media-src': "'self'"
},
APP: {}
};
if (environment === 'development') {
ENV.APP.API_NAMESPACE = '';
ENV.APP.LOG_VIEW_LOOKUPS = true;
ENV.contentSecurityPolicy['connect-src'] = "http://localhost:8000";
}
if (environment === 'test') {
// [snipped]
}
if (environment === 'production') {
// [snipped]
}
return ENV;
};
所以这以前有效,但现在,当向 API 发出请求时,它正在向端口 4200 发出,因此返回未找到。
crossdomain.xml有以下内容:
<site-control permitted-cross-domain-policies="none"/>
但将其更改为 "all" 没有帮助。好像ember-cli-content-security-policy已经从0.3.0更新到0.4.0了,顺带一提。
编辑
代理 ember serve --proxy http://localhost:8000 后出现以下错误:
Content Security Policy violation:
{
"csp-report":{
"document-uri":"http://localhost:4200/",
"referrer":"",
"violated-directive":"connect-src http://localhost:8000 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report",
"effective-directive":"connect-src",
"original-policy":"default-src 'none'; script-src 'self' localhost:35729 0.0.0.0:35729; font-src 'self'; img-src 'self'; style-src 'self'; media-src 'self'; connect-src http://localhost:8000 ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; report-uri http://0.0.0.0:4200/csp-report;",
"blocked-uri":"http://localhost:4200/myapp",
"source-file":"http://localhost:4200/assets/vendor.js",
"line-number":9827,
"column-number":10,
"status-code":200
}
}
我认为您需要添加多台主机,一台用于端口:8000 和端口:4200