How to define Content-Security-Policy in Cordova properly? -


i struggling days defining content-security-policy cordova app.

my first question is: have add csp in cordova? seems cordova adds meta tag csp default , add whitelist plugin, requiring define csp every page.

if have define:

how define directives need:

i adding js files, css files, , have inline js code, styles. have added csp page. , complaining style-src . 

<meta http-equiv="content-security-policy" content="default-src *; script-src 'self' 'nonce-random'; connect-src 'self'; img-src *; style-src *; media-src *">

i want know how add csp script-src, style-src, media-src, img-src. have read w3c draft. not figure out.

and have in cordova side too?

best,

short answer: no, not have add csp in cordova. particular issue turned out apparant lack of support subdomain wildcards in access origin attributes in config.xml. use subdomains="true" instead (see below).

update: should add csp tags html... see note @ bottom...

details: i've been messing issue , found solution when looked @ source code whitelist plugin itself.

i noticed plugin checked config.xml file line containing 

<access origin="*" />

and in case added whitelist entry ( java code):

if ("*".equals(origin)) {     allowedrequests.addwhitelistentry("http://*/*", false);     allowedrequests.addwhitelistentry("https://*/*", false); } else {     allowedrequests.addwhitelistentry(origin, (subdomains != null) && (subdomains.comparetoignorecase("true") == 0)); }

indicating creates csp rules based on finds in config.xml.

i added <access origin="" /> config.xml , things started working!

i noticed in above java snippet in cases origin other "*" source code plugin copy given origin , take heed of "subdomains" attribute.

i looked @ working access definitions in config.xml:

<access origin="http://my.domain.com/*" />

i changed of these make use of subdomain attribute instead of wildcard:

<access origin="http://my.domain.com" subdomains="true" />

i removed <access origin="*" /> line before , continued work.

i went html file , removed <meta http-equiv="content-security-policy" ... > tags had been experimenting , things continued work.. ie. they aren't needed... plugin all. should note aforementioned csp tags in html did have effects not them work xmlhttpl requests. platform android. cordova -v = 5.0.0 ( had upgraded v 3.x.x )

you may want through rest of plugin source may have changed or hints on how deal other issues e.g. <allow-navigation href="*" /> in config.xml results in csps above ( i.e. "http://*/*" , "https://*/*" ) "data:*".

just noticed:

i warning whitelist plugin when cordova app run:

no content-security-policy meta tag found. please add 1 when using cordova-plugin-whitelist plugin

which take mean plugin opens , should using csp in html files responsible , secure coder - do! ;)

i note in second part of question seem trying set csp wide open... answer far should suffice things going. far proper application of csp tags i'm in same boat you... , looking @ online resources figure out. imagine google , apple may require proper csp tags @ point in future.


Comments

Post a Comment

Popular posts from this blog

powershell Start-Process exit code -1073741502 when used with Credential from a windows service environment -

i'm running strange behavior powershell start-process call. here call: $process = start-process ` "c:\somepath\mybinary.exe" ` -passthru ` -credential $defaultcredential ` -wait ` -workingdirectory "c:\somepath" ` -loaduserprofile if ($process.exitcode -ne 0) { #do } this call return exit code - 1073741502 . after quick search, exit code seems related generic error when program not load required dll (aka. status_dll_init_failed ). when run without -credential $credential program runs correctly. in order isolate problem, manually launched some.exe in prompt target credential , runs smoothly. so problem seems come way start-process cmdlet launch process. i found potential solutions problem tried apply no luck : link , link . would have idea of what's going on here ? edit 1: run proc mon monitoring program activities when launched directly or via powershell script. problem seems occur when loading kernelbase
Read more

twig - Using Twigbridge in a Laravel 5.1 Package -

i'm trying create laravel 5.1 package uses twigbridge instead of .php views. can normal .php views display fine, when try make use of .twig templates i'm met error. possible use twigbridge templates when creating views laravel package or pretty stuck blade , php ? edit 1: loading twig template without extending works. it's when start using {% extends 'file' %} error comes out. i error error loading /virtual/laravel/packages/username/mypackage/src/views/sample.twig: template "templates.master" not defined () in "/virtual/laravel/packages/username/mypackage/src/views/sample.twig" @ line 1. my folders username |_ mypackage |_ src |_ controllers - samplecontroller.php |_ views |_ templates - master.twig - sample.twig twig template sample.twig {% extends 'templates.master' %} {% block content %} {{ parent()
Read more

c# - LINQ join Entities from HashSet's, Join vs Dictionary vs HashSet performance -

i have hashset's each stores t, have written test application compares different relation algorithms can think of, i'm not pleased results getting. does there exist more efficient ways of achieving object relations, once testing? using system; using system.collections.generic; using system.linq; using system.text; using system.threading.tasks; using system.diagnostics; namespace linqtests { class program { static void main(string[] args) { hashset<user> usertable = new hashset<user>(); hashset<userproperty> userpropertytable = new hashset<userproperty>(); #region lets create dummy data. console.writeline("please wait while creating dummy data, can take while..."); console.writeline(""); int rows = 1000000; for(int x = 0; x < rows; x++) { random rnd = new random(); // ad
Read more