How to define Content-Security-Policy in Cordova properly? -


i struggling days defining content-security-policy cordova app.

my first question is: have add csp in cordova? seems cordova adds meta tag csp default , add whitelist plugin, requiring define csp every page.

if have define:

how define directives need:

i adding js files, css files, , have inline js code, styles. have added csp page. , complaining style-src .

<meta http-equiv="content-security-policy" content="default-src *; script-src 'self' 'nonce-random'; connect-src 'self'; img-src *; style-src *; media-src *">  

i want know how add csp script-src, style-src, media-src, img-src. have read w3c draft. not figure out.

and have in cordova side too?

best,

short answer: no, not have add csp in cordova. particular issue turned out apparant lack of support subdomain wildcards in access origin attributes in config.xml. use subdomains="true" instead (see below).

update: should add csp tags html... see note @ bottom...

details: i've been messing issue , found solution when looked @ source code whitelist plugin itself.

i noticed plugin checked config.xml file line containing

<access origin="*" /> 

and in case added whitelist entry ( java code):

if ("*".equals(origin)) {     allowedrequests.addwhitelistentry("http://*/*", false);     allowedrequests.addwhitelistentry("https://*/*", false); } else {     allowedrequests.addwhitelistentry(origin, (subdomains != null) && (subdomains.comparetoignorecase("true") == 0)); } 

indicating creates csp rules based on finds in config.xml.

i added <access origin="" /> config.xml , things started working!

i noticed in above java snippet in cases origin other "*" source code plugin copy given origin , take heed of "subdomains" attribute.

i looked @ working access definitions in config.xml:

<access origin="http://my.domain.com/*" /> 

i changed of these make use of subdomain attribute instead of wildcard:

<access origin="http://my.domain.com" subdomains="true" /> 

i removed <access origin="*" /> line before , continued work.

i went html file , removed <meta http-equiv="content-security-policy" ... > tags had been experimenting , things continued work.. ie. they aren't needed... plugin all. should note aforementioned csp tags in html did have effects not them work xmlhttpl requests. platform android. cordova -v = 5.0.0 ( had upgraded v 3.x.x )

you may want through rest of plugin source may have changed or hints on how deal other issues e.g. <allow-navigation href="*" /> in config.xml results in csps above ( i.e. "http://*/*" , "https://*/*" ) "data:*".

just noticed:

i warning whitelist plugin when cordova app run:

no content-security-policy meta tag found. please add 1 when using cordova-plugin-whitelist plugin

which take mean plugin opens , should using csp in html files responsible , secure coder - do! ;)

i note in second part of question seem trying set csp wide open... answer far should suffice things going. far proper application of csp tags i'm in same boat you... , looking @ online resources figure out. imagine google , apple may require proper csp tags @ point in future.


Comments

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

jdbc - Not able to establish database connection in eclipse -

Kivy: Swiping (Carousel & ScreenManager) -