Topic: Using pow with ember-cli and Content Security Policy

Topic type:

How to set up your config/environment.js to not complain about your .dev domain supplied by pow.

I get sick of writing localhost and port numbers when I'm developing, so I use pow.

It's a little trickier when you are developing with ember-cli rather than a Ruby Rack based app. You have to use Port Proxying because ember-cli is based on node.js with an express server. It's really not that bad though.

I use the powder gem to manage pow (along with lunchy to stop and start pow's daemon on rare occasion). Here's how I set up an ember-cli app with port proxying:

After the powder command, you should get a note saying your app is now available at [your_app_name].dev. Of course you'll need to start ember up first. That's the next step. Make sure the port numbers match.

That's the easy part.

The harder part is getting ember-cli to not complain about content security policy violations for your new handy .dev domain that is really serving localhost:4201 (or whatever). This took me awhile to find the right thing to specify with a lot of trial and error and no answers in IRC or from web searches (thus this blog post).

Here's the basic idea for your config/environment.js. If you have other APIs, etc. you need to add to your content security policy, you'll need to adjust this accordingly:

Place this just before your return ENV; at the end of the file.

Note the 'unsafe-inline' in the script-src line. From my experiments, this looks to be required. Unfortunately you now won't get warnings if you use unsafe inline scripts in your app, but you weren't going to do that anyway, were you?

Discuss This Topic

There are 0 comments in this discussion.

join this discussion

Like what you've read? You can check out my latest project at

Got a project of your own that you need help with? Let's talk