Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[2.0.0-5]+ A meta tag is added even if only header is requested as delivery method #259

Open
boris-petrov opened this issue Nov 14, 2021 · 6 comments
Open

[2.0.0-5]+ A meta tag is added even if only header is requested as delivery method #259

boris-petrov opened this issue Nov 14, 2021 · 6 comments
Labels
bug

Comments

@boris-petrov
Copy link

I updated ember-cli-content-security-policy from 2.0.0-4 to 2.0.0 and my HTML validator warned me of the following - Potentially bad value for attribute “content” on XHTML element “meta”: Invalid base64-value (should be multiple of 4 bytes: 7).. No idea what that error means but it lead me to finding that since upgrading a meta tag with my CSP settings has appeared. My settings contain delivery: ['header']. The same happens when I try 2.0.0-5. Downgrading to 2.0.0-4 fixes the issue.

cc @jelhan
@jelhan
Copy link
Collaborator

jelhan commented Nov 14, 2021

Hello @boris-petrov,

Thanks for reporting. I have two questions to verify that it's a bug:

  1. What build environment have you used?
  2. Could you please confirm that the <meta> tag is present in index.html and not in tests/index.html?

Asking because it's expected that CSP is delivered through meta tag regardless of delivery configuration in tests.

This shouldn't have been changed from 2.0.0-4 to 2.0.0-5 though. So very likely what you are seeing is a bug. To debug it would be helpful if you could share a reproduction or a lust of steps to reproduce.

Best jelhan

@jelhan jelhan added the bug label Nov 14, 2021
@boris-petrov
Copy link
Author

@jelhan - thanks for the support!

  1. test environment.
  2. I confirm that a meta tag is present in both index.html and tests/index.html. With version -4 the latter is true however the former not - i.e. a meta tag was NOT in index.html. That is what my integration tests are using and that's what the validator checks.

Is that enough information? Do you still need a reproduction?

@jelhan
Copy link
Collaborator

jelhan commented Nov 15, 2021

Thanks a lot. That was enough information to reproduce.

Setup test app

  • Create a new project using Ember CLI 3.28.3: ember new test-app
  • Install Ember CLI Content Security Policy: ember install ember-cli-content-security-policy
  • Add configuration to deliver CSP through meta tag by creating a config/content-security-policy.js file with the following content: 
    module.exports = function() {
  return {
    delivery: ['header']
  };
}

Build for development environment

ember build
  • index.html does not contain a CSP meta tag.
  • tests/index.html contains a CSP meta tag.

This result is as expected.

Build for test environment

ember build --env test
  • index.html contains a CSP meta tag.
  • tests/index.html contains a CSP meta tag.

I can confirm that index.html does not contain a CSP meta tag if I downgrade to 2.0.0-4.

To be honest, I'm not sure which result is expected if building for test environment. The CSP meta tag is injected explicitly for test environment to ensure consistent results for the different ways to execute tests: ember test, ember test --server and by opening http://localhost:4200/tests in browser.

Would like to understand more about your use case. Does that CSP meta tag cause issues for you beside that confusing HTML validation error?

@boris-petrov
Copy link
Author

boris-petrov commented Nov 15, 2021 via email
edited
Loading

@jelhan
Copy link
Collaborator

jelhan commented Nov 16, 2021

I see that it would be better to only ignore delivery configuration for tests/index.html. I'm wondering if we can achieve that without introducing the bug #204 again following these algorithm:

  1. Inject CSP meta tag in head slot if delivery contains meta. This would inject it both in index.html and tests/index.html.
  2. Inject CSP meta tag in test-head if it hasn't been injected in head already. This would inject in tests/index.html.

We need to ensure that it can not be injected in both. That's not that easy as environment used to calculate configuration in head and test-head is different. So we can not rely on delivery configuration in test-head. But if head is always called before test-head, we could store that information in a class property. 🤔

Not sure when I will have time to try this approach. If you have some time for open source: a pull request is highly welcome.

@boris-petrov
Copy link
Author

Thanks for considering this as an issue and taking the time to explain what must be done! I also probably won't have the time to check it out now but let's leave the issue open so it's tackled at some point. Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@boris-petrov @jelhan