Security problems in upgrading ember application


#1

I have an ember/ember-cli application that I am upgrading from 1.10 to 1.12. This application uses an API that runs on port 8000 in development. I have the following environment.js:

module.exports = function(environment) {
  var ENV = {
    modulePrefix: 'myapplication',
    environment: environment,
    baseURL: '/',
    locationType: 'auto',
    EmberENV: {
      FEATURES: {
      }
    },
    // Read by ember-cli-content-security-policy; each key is a CSP directive.
    contentSecurityPolicy: {
      'default-src': "'none'",
      'script-src': "'self'",
      'font-src': "'self'",
      'img-src': "'self'",
      'style-src': "'self'",
      'media-src': "'self'"
    },
    APP: {}
  };

  if (environment === 'development') {
    ENV.APP.API_NAMESPACE = '';
    ENV.APP.LOG_VIEW_LOOKUPS = true;
    // Allow XHR/fetch to the development API served on port 8000.
    ENV.contentSecurityPolicy['connect-src'] = "http://localhost:8000";
  }

  if (environment === 'test') {
    // [snipped]
  }

  if (environment === 'production') {
    // [snipped]
  }

  return ENV;
};

So this worked before, but now, when a request is made to the API, it is made to port 4200 and so returns not found.

The crossdomain.xml has the following:

<site-control permitted-cross-domain-policies="none"/>

but changing this to "all" didn’t help. It seems that ember-cli-content-security-policy has been updated from 0.3.0 to 0.4.0, incidentally.


#2

I don’t think this is from the CSP addon. It doesn’t monkey with any of the ports on which your application is running; it just applies limits. If it were a CSP issue, you’d be seeing CSP violations in the browser console and the command line console from which you’re running ember serve. You can verify this by looking at the CSP addon; all of the magic happens in index.js.

More likely is that during the upgrade process you accidentally stomped on a setting somewhere when running ember init.
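To illustrate the point that a CSP only restricts requests and never re-routes them, here is an added example (not code from this thread or from ember-cli-content-security-policy) that serialises a contentSecurityPolicy object like the one above into a header value and checks which request targets connect-src permits; the matcher is a simplified one that assumes only 'none', 'self' and scheme://host[:port] host sources are used.

```javascript
// Added example: serialise an ember-cli style contentSecurityPolicy object and
// evaluate connect-src against a request URL. Simplified matcher: 'none', 'self'
// and scheme://host[:port] host sources only (no wildcards, nonces or hashes).

// Constructed policy mirroring the development branch of the environment.js above.
const devPolicy = {
  "default-src": "'none'",
  "script-src": "'self'",
  "connect-src": "http://localhost:8000",
};

// Header value as the browser receives it, e.g. "default-src 'none'; script-src 'self'".
function toHeaderValue(policy) {
  return Object.keys(policy)
    .map((directive) => `${directive} ${policy[directive]}`)
    .join("; ");
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : "80";
}

// Does one source expression permit `target` (a URL) for a page at origin `self`?
function sourceAllows(source, target, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === self.origin;
  // Host source; a scheme-less host source inherits the page's scheme.
  const src = new URL(source.includes("://") ? source : `${self.protocol}//${source}`);
  const port = (u) => u.port || defaultPort(u.protocol);
  return src.protocol === target.protocol &&
    src.hostname === target.hostname &&
    port(src) === port(target);
}

// connect-src governs XHR/fetch; when it is absent the browser falls back to default-src.
// Returns true when the request is allowed, false when the browser would report a violation.
function connectAllowed(policy, requestUrl, pageOrigin) {
  const directive = policy["connect-src"] !== undefined
    ? policy["connect-src"]
    : policy["default-src"];
  if (directive === undefined) return true; // no applicable directive: unrestricted
  const target = new URL(requestUrl);
  const self = new URL(pageOrigin);
  return directive.split(/\s+/).some((s) => sourceAllows(s, target, self));
}
```

With devPolicy, a call to http://localhost:8000 from the app served on port 4200 is permitted, while a call to http://localhost:4200 would be a connect-src violation that the browser console reports; in neither case does the policy change which port the request goes to.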


#3

I think you are right. I went through the process again, and I have managed to get to a new error … past the API call.

Thanks.