Update CSP instructions (#705)

This allows us to disable CSP entirely for testing.
adopted-ember-addons · Jan 25, 2021 · a963a13 · a963a13
1 parent 17e3fd4
commit a963a13
Showing 1 changed file with 36 additions and 20 deletions.
diff --git a/tests/dummy/app/templates/docs/guides/csp.md b/tests/dummy/app/templates/docs/guides/csp.md
@@ -6,37 +6,53 @@ makes sense for your app.
 
 First, you will need to install [ember-cli-content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy).
 
+We will need version 2.x, which you can install with:
+
 ```bash
-ember install ember-cli-content-security-policy
+ember install ember-cli-content-security-policy@2.0.0-2
 ```
 
-Then you should start by adding this default config to your `config/environment.js` file
+Then you should start by adding this default config to your `config/content-security-policy.js` file
 and tweak it further for the needs of your app.
 
 ```js
-contentSecurityPolicy: {
-  'default-src': ["'none'"],
-  'script-src': [
-    'http://localhost:7020',
-    'http://localhost:7357',
-    'http://testemserver',
-    "'self'",
-    "'unsafe-inline'"
-  ],
-  'font-src': ["'self'"],
-  'frame-src': ['http://localhost:7357', 'http://testemserver/', "'self'"],
-  'connect-src': ["'self'"],
-  'img-src': ['data:', "'self'"],
-  'style-src': ["'self'", "'unsafe-inline'"],
-  'media-src': ["'self'"]
-},
-contentSecurityPolicyMeta: true,
+// config/content-security-policy.js
+
+module.exports = function (environment) {
+  return {
+    delivery: ['meta'],
+    enabled: environment !== 'test',
+    failTests: true,
+    policy: {
+      'default-src': ["'none'"],
+      'script-src': ['http://localhost:7020', "'self'", "'unsafe-inline'"],
+      'font-src': ["'self'"],
+      'frame-src': ["'self'"],
+      'connect-src': ["'self'"],
+      'img-src': ['data:', "'self'"],
+      'style-src': ["'self'", "'unsafe-inline'"],
+      'media-src': ["'self'"]
+    },
+    reportOnly: true
+  };
+};
+
 ```
 
 If you are using ember-auto-import or embroider you will also need to forbid eval there:
 
 ```js
+// auto-import
 autoImport: {
   forbidEval: true
 },
-```
+```
+
+```js
+// embroider
+packagerOptions: {
+  webpackConfig: {
+    devtool: false
+  }
+}
+```