Logo Questions Linux Laravel Mysql Ubuntu Git Menu

Are Ember.js-based web apps CSP-Compliant?

Google Chrome’s Packaged Apps need to comply with CSP. Assuming you compile your Handlebars templates before deployment, does that apply to Ember.js?

For some reason, Google doesn’t list Ember.js as a recommended MVC framework.

like image 369
aaronk6 Avatar asked Mar 22 '23 11:03


2 Answers

At the time of writing the docs, Ember wasn't CSP compliant due to use of eval or new Function in the code - which was mainly around the Handlebars templating side of things.

With the correct build tools, Ember templates can be precompiled. The grunt-ember-templates npm package will handle this for you. This package is used by ember-app-kit which is becoming the default recommended Ember build tools. If you like Rails you can use ember-appkit-rails instead.

If for some reason you want to use uncompiled templates, you can of course use the sandbox attribute to isolate your page from the Chrome apps API's and allow use of eval.

like image 62
3 revs, 2 users 53% Avatar answered Mar 31 '23 14:03

3 revs, 2 users 53%

ember applications created with ember-cli are CSP compliant since version 0.0.47. hope google reevaluate their recommendations.

like image 41
Samy Alzahrani Avatar answered Mar 31 '23 15:03

Samy Alzahrani