Phonegap app Content-Security-Policy


I'm building an app with cordova. I'm using phonegap serve to load the app with the phonegap developer app.

In index.html:

<meta http-equiv="Content-Security-Policy" content="default-src gap: file: tel: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">

(I've also tried without file: tel:, result is the same)

I can verify that this is prepared correctly in platforms/browser/www/index.html

Then I open the phonegap app on the iPad, run phonegap serve, open Safari development tools, press connect, and there it is:

Refused to load gap://ready because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.

In index.html I can see that the directive has been transformed to:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'">

Is there a way to make the iPad load the directive correctly?

EDIT

I've also tried to compile the phonegap developer app with the CSP directive in index.html; the result is the same.

EDIT - 1

I've also downloaded the zip file from http://192.168.1.130:3200/__api__/appzip (this is where I have my phonegap serve server) and index.html is already transformed!

The strange thing here is that platforms/browser/www/index.html is not transformed, so there is some process in between that is transforming the CSP.

In my config.xml I have these directives:

<content src="index.html" />
<access origin="*" />
<access origin="cdvfile://*" />
<access launch-external="yes" origin="tel:*" />

<!-- Allowed WebView navigations -->
<allow-navigation href="http://*"/>
<allow-navigation href="https://*"/>
<allow-navigation href="http://*/*"/>
<allow-navigation href="https://*/*"/>
<allow-navigation href="data:*"/>
<allow-navigation href="about:*"/>
<allow-navigation href="tel:*"/>
<allow-navigation href="gap:*" />
<!-- Allowed URLs to be opened from the app -->
<allow-intent href="http://*"/>
<allow-intent href="https://*"/>
<allow-intent href="http://*/*"/>
<allow-intent href="https://*/*"/>
<allow-intent href="geo:*"/>
<allow-intent href="cdvfile://*" />

There are 1 answers

Miquel On

It was related to this issue: https://github.com/creationix/nvm/issues/1361

Mainly, bash was detecting v6.4.2 and pointing to it (phonegap was pointing to the correct version), but when executing phonegap from the command line, it was executing v6.0.2, which probably was not setting up the correct CSP.
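
Why the transformed policy in the question produces the "Refused to load gap://ready" error, as an added example that is not part of the original post or of PhoneGap's code: in CSP a bare * matches only network schemes and the page's own scheme, so gap: has to be listed explicitly. This is a simplified, scheme-level model of CSP source matching; the function names and the pageScheme parameter are assumptions made for illustration, and the two policy strings are copied from the question.

```javascript
// Policies copied from the question: what the author wrote vs. what was served.
const ORIGINAL = "default-src gap: file: tel: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *";
const TRANSFORMED = "default-src *; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'";

// Schemes a bare '*' may match (simplified from CSP Level 3 matching rules).
const WILDCARD_SCHEMES = new Set(["http", "https", "ws", "wss"]);

// Split a policy into directive -> source list; the first occurrence of a directive wins.
function parsePolicy(content) {
  const policy = new Map();
  for (const part of content.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Scheme-level match only: host sources, 'self' and keywords are not modelled.
function sourceAllows(source, scheme, pageScheme) {
  if (source === "*") return WILDCARD_SCHEMES.has(scheme) || scheme === pageScheme;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.slice(0, -1).toLowerCase() === scheme;
  return false;
}

// Decide a frame load, using the fallback chain named in the error message
// (child-src, then default-src), with frame-src checked first.
// pageScheme is the assumed scheme of the page that carries the policy.
function frameLoadDecision(content, url, pageScheme = "http") {
  const policy = parsePolicy(content);
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  const directive = ["frame-src", "child-src", "default-src"].find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null }; // nothing governs frames
  const allowed = policy.get(directive).some((s) => sourceAllows(s, scheme, pageScheme));
  return { allowed, directive };
}

for (const [label, csp] of [["original", ORIGINAL], ["transformed", TRANSFORMED]]) {
  const { allowed, directive } = frameLoadDecision(csp, "gap://ready");
  console.log(`${label}: gap://ready ${allowed ? "allowed" : "refused"} by ${directive}`);
}
```

Running the same check against the index.html inside the served appzip shows whether the policy that reaches the device still names gap: before any debugging on the iPad.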