I started a small blog series about some issues I find in ember

Absolutely agreed. I would love to have more help with documentation.

What is standing in anyone’s way? All of ember-cli’s source is freely available.

This is precisely what the ARCHITECTURE.md in the root of the repo is intended for.

As mentioned in the addon’s readme (and in that PR) the addon itself is definitely more of an educational thing, but to enable CSP at all required many changes in ember-cli. The actual changes needed so that this simple educational addon could be used were done in Do not use inline script tags. by rwjblue · Pull Request #2058 · ember-cli/ember-cli · GitHub.

Nothing changes in the way you use Ember CLI; you now get errors/warnings in your console if you violate the CSP policy (which has a sane default value). As far as CSP documentation goes, many, many sites and tutorials exist to explain this; not sure we should reinvent the wheel here.

The CHANGELOG and release notes should be read by anyone upgrading an application.

CSP is NOT a silver bullet to prevent you from having to deal with XSS attacks. It is just one more line of defense. As of Bump CSP addon version. by rwjblue · Pull Request #2076 · ember-cli/ember-cli · GitHub, both the normal header and the X-* header are sent by the addon.

Awesome! Let’s stop talking about an extremely negative blog post and instead focus on your pending PR fixing things up!

We have ALWAYS been both grateful for and supportive of documentation efforts, and will continue to be so.

7 Likes