Ember-simple-auth: Content Security Policy violation

belgoros · January 28, 2018, 2:44pm

I played with ESA dummy-app and plugged it to a locally created Rais API which uses doorkeeper gem. So the only changes I made in the dummy app:

I replaced the existing googleClientID value with the one I got after declaring dummy app at Rails API
I changed apiHostvalue to : 'http://localhost:3000' in environement.js.
I replaced the URI in login-form component in #authenticateWithGoogleImplicitGrant action as follows:

authenticateWithGoogleImplicitGrant() {
      let clientId = config.googleClientID;
      let redirectURI = `${window.location.origin}/callback`;
      let responseType = `token`;
      // let scope = `email`;
      window.location.replace(`http://localhost:3000/oauth/authorize?`
                            + `client_id=${clientId}`
                            + `&redirect_uri=${redirectURI}`
                            + `&response_type=${responseType}`
                            //+ `&scope=${scope}`
      /*window.location.replace(`https://accounts.google.com/o/oauth2/v2/auth?`
                            + `client_id=${clientId}`
                            + `&redirect_uri=${redirectURI}`
                            + `&response_type=${responseType}`
                            + `&scope=${scope}`*/
      );
    }

After logging in to the dummy app and clicking on protected page link, I have the list of posts displayed (I had to generate a scaffold on the Rails API side for posts resources), but in the Termnal I have a weird message:

GET /assets/dummy.js 304 0.653 ms - -
Content Security Policy violation:

{
  "csp-report": {
    "blocked-uri": "http://localhost:3000",
    "document-uri": "http://localhost:4200/",
    "original-policy": "style-src http://localhost:4200 'unsafe-inline'; default-src 'none'; script-src http://localhost:4200 http://localhost:7020 http://0.0.0.0:7020 http://undefined:7020; font-src http://localhost:4200; connect-src http://localhost:4200 ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200; img-src http://localhost:4200; media-src http://localhost:4200; report-uri http://localhost:4200/csp-report",
    "referrer": "",
    "violated-directive": "connect-src http://localhost:4200 ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200"
  }

In the Rails API logs everything seems to be OK:

app/controllers/posts_controller.rb:7:in `index'
Started GET "/posts" for 127.0.0.1 at 2018-01-28 15:35:32 +0100
Processing by PostsController#index as application/vnd.api+json
  Post Load (0.2ms)  SELECT "posts".* FROM "posts"
[active_model_serializers] Rendered ActiveModel::Serializer::CollectionSerializer with ActiveModelSerializers::Adapter::JsonApi (6.44ms)
Completed 200 OK in 29ms (Views: 26.2ms | ActiveRecord: 1.0ms)

Why so ? Is there any setting in dummy-app side ? Thank you

Topic		Replies	Views
Content Security Policy violation problem in a fresh Ember app Ember CLI	10	4383	July 21, 2022
Problems settign up Google Analytics	1	1430	May 4, 2016
Updating ESA from 2.0 to 2.1.0 fails to authenticate General	0	401	December 18, 2019
Security problems in upgrading ember application	2	1236	May 19, 2015
Error 401 handling in simple ember auth	0	1276	February 4, 2016

Ember-simple-auth: Content Security Policy violation

Related Topics