通过虚拟框提供的ember-cli违反了内容安全策略

Question

我有一个新的ember-cli v.0.1.2应用程序.我在虚拟框中提供ember,并通过Host-Only配置的网络适配器从主机访问网页192.168.56.102.

当我ember serve从虚拟框运行并192.168.56.102从主机访问时,我在控制台上收到以下错误:

 [Report Only] Refused to load the script 'http://192.168.56.102:35729/livereload.js?snipver=1' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729".
ember-cli-live-reload.js:5 (anonymous function)

livereload.js?snipver=1:193 [Report Only] Refused to connect to 'ws://192.168.56.102:35729/livereload' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost:35729 ws://0.0.0.0:35729".

我尝试了使用ember-cli-content-security-policy的各种配置而没有运气:

 contentSecurityPolicy: {
    'default-src': "'none'",
    'script-src': "'self'",
    'font-src': "'self'",
    'connect-src': "'self'",
    'img-src': "'self'",
    'style-src': "'self'",
    'media-src': "'self'"
  }

如何为虚拟盒开发解决这些错误？

编辑:

所以根据这个解决方案:EmberCspTutorial和博客文章:https://blog.justinbull.ca/how-to-configure-csp-in-your-ember-cli-app/

此配置可修复错误:

  ENV.contentSecurityPolicy = {
      'default-src': "'none'",
      'script-src': "'self' 'unsafe-eval' 192.168.56.102:35729",
      'font-src': "'self'",
      'connect-src': "'self' ws://192.168.56.102:35729",
      'img-src': "'self'",
      'style-src': "'self'",
      'media-src': "'self'"
  };

还有30分钟的视频解释所有这些,但是我可以使用一些可能会改变的硬编码的ip,一个全面的解释将被接受作为答案.

如何启用CSP data:application/font*

我已经包含了一些字体,现在我得到了这些错误,CSP配置是什么来压制这些:

[Report Only] Refused to load the font 'data:application/font-woff;charset=utf-8;base64,d09GRk9UVE8AAAVwAAoAAAAABSg…IAeQAgAEkAYwBvAE0AbwBvAG4ALgAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' because it violates the following Content Security Policy directive: "font-src 'self' data:application/* http://fonts.gstatic.com".

192.168.56.102/:1 [Report Only] Refused to load the font 'data:application/x-font-ttf;charset=utf-8;base64,AAEAAAALAIAAAwAwT1MvMggjCB…BiAHkAIABJAGMAbwBNAG8AbwBuAC4AAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==' because it violates the following Content Security Policy directive: "font-src 'self' data:application/* http://fonts.gstatic.com".

根据参考,这工作:

  ENV.contentSecurityPolicy = {
      'default-src': "'none'",
      'script-src': "'self' 'unsafe-eval' 192.168.56.102:35729",
      'font-src': "'self' data: http://fonts.gstatic.com",
      'connect-src': "'self' ws://192.168.56.102:35729",
      'img-src': "'self'",
      'style-src': "'self' fonts.googleapis.com",
      'media-src': "'self'"
  };