How to define Content-Security-Policy in Cordova properly?
I have been struggling for days with defining a content-security-policy for my Cordova app.
My first question is: do I have to add a CSP in Cordova at all? It seems Cordova adds a CSP meta tag by default, and when I add the whitelist plugin, it requires defining a CSP on every page.
If I have to define it, how do I define the directives I need?
I am adding JS files and CSS files, and I have inline JS code and styles. I have added a CSP to the page, and it is complaining about style-src.
<meta http-equiv="content-security-policy" content="default-src *; script-src 'self' 'nonce-random'; connect-src 'self'; img-src *; style-src *; media-src *">
I want to know how to add script-src, style-src, media-src and img-src to the CSP. I have read the W3C draft but could not figure it out.
And do I have to do anything on the Cordova side too?
Best,
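The following is an added example, not code from the question or from Cordova: a small JavaScript model of CSP source matching, written to show why the meta tag quoted in the question complains about style-src. The policy string QUESTION_CSP is the one in the question; TIGHTER_CSP, the page origin and the list of loads are constructed for the demo. The matching rules are a simplified reading of CSP Level 2: fetch directives fall back to default-src, host sources and `*` never cover inline content, and 'unsafe-inline' is ignored once a nonce or hash is present.

```javascript
// Simplified model of CSP source-list matching, added here as an example
// (it is not code from the question or from Cordova). It implements just
// enough of the CSP Level 2 rules to show which directive governs a load,
// how missing directives fall back to default-src, and why `style-src *`
// still blocks inline <style> blocks and style attributes.

// The policy quoted in the question.
const QUESTION_CSP =
  "default-src *; script-src 'self' 'nonce-random'; connect-src 'self'; " +
  "img-src *; style-src *; media-src *";

// A tighter policy for comparison (constructed for this example): inline
// styles are allowed explicitly and everything else is limited to 'self'.
const TIGHTER_CSP =
  "default-src 'self'; script-src 'self' 'nonce-random'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; " +
  "media-src 'self'; connect-src 'self'";

// Parse "name src src; name src" into a Map of directive -> source list.
// A directive repeated later in the policy is ignored, as the spec requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Which directive decides a load of this type: its own fetch directive if
// present, otherwise default-src.
function governingDirective(policy, type) {
  return parseCsp(policy).has(type + "-src") ? type + "-src" : "default-src";
}

// Does one source expression match a URL? Handles *, 'self', scheme sources
// (data:, https:) and host sources with an optional *. prefix and port.
// Simplification: default ports are not normalised.
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*'\s]+)(?::(\d+))?/i.exec(source);
  if (!m) return false; // quoted keywords such as 'nonce-…' never match a URL
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (port && url.port !== port) return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Decide whether a load is allowed under `policy`. A load is either
//   { type: "script"|"style"|"img"|"connect"|"media"|"font", url: "..." }
// or inline script/style: { type, inline: true, nonce: "..." } (nonce optional).
function isAllowed(policy, load, pageOrigin) {
  const directives = parseCsp(policy);
  const name = governingDirective(policy, load.type);
  if (!directives.has(name)) return true; // no governing directive: unrestricted
  const sources = directives.get(name);
  if (load.inline) {
    // Inline content is never covered by '*' or host sources. It needs
    // 'unsafe-inline' or a matching nonce, and 'unsafe-inline' is ignored
    // once any nonce or hash source is present.
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return true;
    return load.nonce !== undefined && sources.includes(`'nonce-${load.nonce}'`);
  }
  const url = new URL(load.url);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Run a set of loads through a policy and report directive and outcome.
function report(policy, loads, pageOrigin) {
  return loads.map((load) => ({
    load: load.inline ? `inline ${load.type}` : `${load.type} ${load.url}`,
    directive: governingDirective(policy, load.type),
    allowed: isAllowed(policy, load, pageOrigin),
  }));
}

const PAGE_ORIGIN = "https://app.example.com"; // constructed for the demo
const LOADS = [
  { type: "style", inline: true },
  { type: "style", url: "https://cdn.example.com/app.css" },
  { type: "script", inline: true, nonce: "random" },
  { type: "script", inline: true },
  { type: "connect", url: "https://api.other.example/data" },
  { type: "font", url: "https://fonts.example/x.woff" },
  { type: "img", url: "data:image/png;base64,AAAA" },
];
console.table(report(QUESTION_CSP, LOADS, PAGE_ORIGIN));
console.table(report(TIGHTER_CSP, LOADS, PAGE_ORIGIN));
```

Under QUESTION_CSP the inline style is the only thing `style-src *` rejects, which is exactly the complaint in the question; font loads sail through because there is no font-src and default-src is `*`. The page origin is assumed to be https here; a Cordova app on Android loads its pages from file://, so check what the WebView reports for the document origin before relying on 'self'.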
Short answer: no, you do not have to add a CSP in Cordova. My particular issue turned out to be an apparent lack of support for subdomain wildcards in access origin attributes in config.xml. Use subdomains="true" instead (see below).
Update: you should add CSP tags to your HTML... see the note at the bottom...
Details: I had been messing with this issue and found the solution when I looked at the source code of the whitelist plugin itself.
I noticed the plugin checked the config.xml file for a line containing
<access origin="*" />
and in that case added a whitelist entry (Java code):
// From the plugin: "*" is expanded into two catch-all entries, one per scheme;
// any other origin is copied as given, and the subdomains attribute is honoured
// with a case-insensitive comparison against "true".
if ("*".equals(origin)) {
    allowedRequests.addWhiteListEntry("http://*/*", false);
    allowedRequests.addWhiteListEntry("https://*/*", false);
} else {
    allowedRequests.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
}
indicating that it creates the CSP rules based on what it finds in config.xml.
I added <access origin="*" />
to config.xml and things started working!
I noticed in the above Java snippet that, in cases where the origin is anything other than "*", the plugin source code copies the given origin and takes heed of the "subdomains" attribute.
I looked at my working access definitions in config.xml:
<access origin="http://my.domain.com/*" />
I changed each of these to make use of the subdomains attribute instead of a wildcard:
<access origin="http://my.domain.com" subdomains="true" />
I removed the <access origin="*" />
line I had added before, and things continued to work.
I went to my HTML file and removed the <meta http-equiv="content-security-policy" ... >
tags I had been experimenting with, and things continued to work, i.e. they aren't needed... the plugin does it all. I should note that the aforementioned CSP tags in the HTML did have effects, but did not make XMLHttpRequests work. Platform: Android. cordova -v = 5.0.0 (I had upgraded from v3.x.x).
You may want to go through the rest of the plugin source, as it may have changed, or for hints on how to deal with other issues, e.g. <allow-navigation href="*" />
in config.xml results in the CSPs above (i.e. "http://*/*" and "https://*/*") and "data:*".
Just noticed:
I get a warning from the whitelist plugin when the Cordova app runs:
No Content-Security-Policy meta tag found. Please add one when using the cordova-plugin-whitelist plugin.
which I take to mean the plugin opens things up, and you should be using a CSP in your HTML files as a responsible and secure coder - so do! ;)
I note that in the second part of your question you seem to be trying to set the CSP wide open... My answer so far should suffice to get things going. As far as proper application of CSP tags goes, I'm in the same boat as you... and looking at online resources to figure it out. I imagine Google and Apple may require proper CSP tags at some point in the future.
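The following is an added example, not the plugin's code and not from the answer above: a JavaScript model of how the quoted Java snippet turns <access> tags from config.xml into whitelist entries, so the effect of `origin="*"` versus `subdomains="true"` can be tried offline. The config.xml fragment is constructed for the demo, and the URL matcher (exact scheme and host, or a subdomain of the host when the flag is set) is my own simplified assumption rather than the plugin's actual matching algorithm.

```javascript
// Added example (not cordova-plugin-whitelist's code): a small model of how
// <access> tags in config.xml become whitelist entries, written from the
// Java snippet quoted in the answer. URL matching against entries is a
// simplified assumption of my own, limited to the two cases the snippet
// shows: the "*" origin, and an exact origin with an optional subdomains flag.

// Constructed config.xml fragment for the demo.
const CONFIG_XML = `
<widget>
  <access origin="http://my.domain.com" subdomains="true" />
  <access origin="https://api.example.net" />
  <access origin="https://cdn.example.org" subdomains="TRUE" />
</widget>`;

// Pull origin/subdomains attribute pairs out of <access .../> tags.
function parseAccessTags(xml) {
  const entries = [];
  const tagRe = /<access\b([^>]*)\/?>/g;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = m[1];
    const origin = /\borigin="([^"]*)"/.exec(attrs);
    const subdomains = /\bsubdomains="([^"]*)"/.exec(attrs);
    if (origin) entries.push({ origin: origin[1], subdomains: subdomains ? subdomains[1] : null });
  }
  return entries;
}

// Mirror of the Java snippet: "*" becomes http://*/* and https://*/*; any
// other origin is copied as-is, with subdomains taken from the attribute via
// a case-insensitive comparison with "true" (like compareToIgnoreCase).
function buildWhitelist(entries) {
  const list = [];
  for (const { origin, subdomains } of entries) {
    if (origin === "*") {
      list.push({ pattern: "http://*/*", subdomains: false });
      list.push({ pattern: "https://*/*", subdomains: false });
    } else {
      list.push({ pattern: origin, subdomains: subdomains !== null && subdomains.toLowerCase() === "true" });
    }
  }
  return list;
}

// Simplified matcher (assumption, not the plugin's algorithm): the two
// catch-all patterns accept any URL of their scheme; other patterns must
// match scheme and host exactly, or a subdomain of the host when the
// subdomains flag is set. Nothing here ever matches data: URLs.
function urlAllowed(whitelist, urlString) {
  const url = new URL(urlString);
  return whitelist.some(({ pattern, subdomains }) => {
    if (pattern === "http://*/*" || pattern === "https://*/*") {
      return url.protocol === pattern.split(":")[0] + ":";
    }
    const p = new URL(pattern);
    if (url.protocol !== p.protocol) return false;
    if (url.hostname === p.hostname) return true;
    return subdomains && url.hostname.endsWith("." + p.hostname);
  });
}

const WHITELIST = buildWhitelist(parseAccessTags(CONFIG_XML));
for (const u of ["http://sub.my.domain.com/a", "https://my.domain.com/a",
                 "https://api.example.net/v1", "https://sub.api.example.net/v1",
                 "https://assets.cdn.example.org/x.png"]) {
  console.log(u, "->", urlAllowed(WHITELIST, u));
}
```

The model makes the answer's point visible: with `subdomains="true"` a request to a host under my.domain.com is accepted on the declared scheme only, an entry without the flag accepts just that exact host, and the `*` origin accepts every http and https URL, which is why the answer recommends tightening the HTML CSP once things work.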