Ember-simple-auth: Content Security Policy violation

I played with the ESA dummy-app and plugged it into a locally created Rails API which uses the doorkeeper gem. So the only changes I made in the dummy app:

  1. I replaced the existing googleClientID value with the one I got after declaring dummy app at Rails API
  2. I changed the apiHost value to 'http://localhost:3000' in environment.js.
  3. I replaced the URI in the login-form component's #authenticateWithGoogleImplicitGrant action as follows:
    authenticateWithGoogleImplicitGrant() {
      let clientId = config.googleClientID;
      let redirectURI = `${window.location.origin}/callback`;
      let responseType = `token`;
      // let scope = `email`;
      window.location.replace(`http://localhost:3000/oauth/authorize?`
                            + `client_id=${clientId}`
                            + `&redirect_uri=${redirectURI}`
                            + `&response_type=${responseType}`
                            //+ `&scope=${scope}`
      /*window.location.replace(`https://accounts.google.com/o/oauth2/v2/auth?`
                            + `client_id=${clientId}`
                            + `&redirect_uri=${redirectURI}`
                            + `&response_type=${responseType}`
                            + `&scope=${scope}`*/
      );
    }

After logging in to the dummy app and clicking on the protected page link, I have the list of posts displayed (I had to generate a scaffold on the Rails API side for the posts resource), but in the Terminal I have a weird message:

GET /assets/dummy.js 304 0.653 ms - -
Content Security Policy violation:

{
  "csp-report": {
    "blocked-uri": "http://localhost:3000",
    "document-uri": "http://localhost:4200/",
    "original-policy": "style-src http://localhost:4200 'unsafe-inline'; default-src 'none'; script-src http://localhost:4200 http://localhost:7020 http://0.0.0.0:7020 http://undefined:7020; font-src http://localhost:4200; connect-src http://localhost:4200 ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200; img-src http://localhost:4200; media-src http://localhost:4200; report-uri http://localhost:4200/csp-report",
    "referrer": "",
    "violated-directive": "connect-src http://localhost:4200 ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200"
  }
}

In the Rails API logs everything seems to be OK:

app/controllers/posts_controller.rb:7:in `index'
Started GET "/posts" for 127.0.0.1 at 2018-01-28 15:35:32 +0100
Processing by PostsController#index as application/vnd.api+json
  Post Load (0.2ms)  SELECT "posts".* FROM "posts"
[active_model_serializers] Rendered ActiveModel::Serializer::CollectionSerializer with ActiveModelSerializers::Adapter::JsonApi (6.44ms)
Completed 200 OK in 29ms (Views: 26.2ms | ActiveRecord: 1.0ms)

Why so? Is there any setting on the dummy-app side? Thank you
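As an added example that is not part of the original post (and not ember-simple-auth code): a small JavaScript checker that evaluates the reported blocked-uri against the original-policy string from the csp-report above. It shows that the request is rejected by connect-src, which lists only the localhost:4200 origin and the 7020 livereload websocket origins, and that adding the API origin to connect-src makes the same request pass. The source-expression matcher is a simplified CSP model written for this example, not a full implementation of the spec.

```javascript
// Added example (not code from the post or from ember-simple-auth): evaluate the csp-report
// quoted above against its own "original-policy" and name the directive that rejected the call.
// The report values are copied from the post; the matcher is a simplified CSP model (assumption).
const report = {
  "blocked-uri": "http://localhost:3000",
  "document-uri": "http://localhost:4200/",
  "original-policy": "style-src http://localhost:4200 'unsafe-inline'; default-src 'none'; " +
    "script-src http://localhost:4200 http://localhost:7020 http://0.0.0.0:7020 http://undefined:7020; " +
    "font-src http://localhost:4200; connect-src http://localhost:4200 ws://localhost:7020 ws://0.0.0.0:7020 " +
    "ws://undefined:7020 http://localhost:4200; img-src http://localhost:4200; media-src http://localhost:4200; " +
    "report-uri http://localhost:4200/csp-report",
};

// "name src src; name src" -> Map(name -> [src, ...])
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
const DEFAULT_PORT = { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" };

// Does one source expression allow `url`? Handles 'none', 'self', scheme-only sources, and host
// sources with optional scheme, "*." wildcard and port (scheme-less sources inherit the document's scheme).
function sourceMatches(source, url, doc) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === doc.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:\/]+|\*|[^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const schemeOk = scheme ? url.protocol === `${scheme.toLowerCase()}:` : [doc.protocol, "https:"].includes(url.protocol);
  const hostOk = host === "*" || (host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host.toLowerCase());
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  const portOk = port === "*" || (port ? port === urlPort : urlPort === DEFAULT_PORT[url.protocol]);
  return schemeOk && hostOk && portOk;
}

// XHR/fetch/WebSocket connections are governed by connect-src, else by default-src.
function checkConnect(policy, blockedUri, documentUri) {
  const directives = parsePolicy(policy);
  const directive = directives.has("connect-src") ? "connect-src" : "default-src";
  const sources = directives.get(directive) || [];
  const url = new URL(blockedUri), doc = new URL(documentUri);
  return { directive, sources, allowed: sources.some((s) => sourceMatches(s, url, doc)) };
}
```

In an Ember CLI app this policy comes from the contentSecurityPolicy hash in config/environment.js (read by ember-cli-content-security-policy), so the API origin belongs in its 'connect-src' entry alongside 'self'.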