From 47345d818d883e85988579327cedcd9104fc3d71 Mon Sep 17 00:00:00 2001 From: Nate Todd Date: Fri, 24 Feb 2017 11:45:47 -0500 Subject: [PATCH] Correct Security documentation CSP plugin was removed as a default in Ember CLI v2.3.0 --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 17a267f..ef6313c 100644 --- a/README.md +++ b/README.md @@ -401,7 +401,9 @@ If you want to go completely [offline-first](http://offlinefirst.org/), you'll a An easy way to secure your Ember Pouch-using app is to ensure that data can only be fetched from CouchDB – not from some other server (e.g. in an [XSS attack](https://en.wikipedia.org/wiki/Cross-site_scripting)). -To do so, add a Content Security Policy whitelist entry to `/config/environment.js`: +You can use the [content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy) plugin to enable Content Security Policy in Ember CLI. You also will have to set the CSP HTTP header on your backend in production. + +To use, add a Content Security Policy whitelist entry to `/config/environment.js`: ```js ENV.contentSecurityPolicy = { @@ -409,8 +411,6 @@ ENV.contentSecurityPolicy = { }; ``` -Ember CLI includes the [content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy) plugin by default to ensure that CSP is kept in the forefront of your thoughts. You still have actually to set the CSP HTTP header on your backend in production. - ### CORS setup (important!) To automatically set up your remote CouchDB to use CORS, you can use the plugin [add-cors-to-couchdb](https://github.com/pouchdb/add-cors-to-couchdb):
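Review bot: the new paragraph in the first hunk (@@ -401,7) says the reader "can use" the content-security-policy addon but never says it has to be installed; since the commit message states the plugin is no longer a default in Ember CLI 2.3.0+, the README should state that the addon must be added to the project first (for example an `ember install ember-cli-content-security-policy` step) before the `ENV.contentSecurityPolicy` block has any effect. Two wording points in the same hunk: "To use, add a Content Security Policy whitelist entry" is a dangling infinitive and reads better as "To use it, add ..." or "Once installed, add ...", and "You also will have to set the CSP HTTP header" should be "You will also have to set the CSP HTTP header"; keeping that production-header sentence is good, because the Ember CLI addon only helps during development and the header is what actually enforces the policy for users.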
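Review bot: removing the stale "included by default" paragraph in the second hunk (@@ -409,8) is correct, but the version boundary given in the commit message (CSP plugin removed as a default in Ember CLI v2.3.0) does not survive anywhere in the README; consider keeping one clause such as "Ember CLI releases before 2.3.0 shipped this addon by default" so readers of older projects understand why the addon may already be present and why newer projects must add it explicitly.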