cordova-dev mailing list archives

From Nikhil Khandelwal <nikhi...@microsoft.com>
Subject RE: CSP ignored when using remote content
Date Fri, 22 May 2015 18:42:19 GMT
CORS does not apply for local content using file:///, hence the browser will allow all XHRs when
your origin is local. When you host content on remoteserver.com, CORS is applied. If you make
an XHR to xhr.com, the browser will pre-flight a request to xhr.com asking if xhr.com supports
XHR access from remoteserver.com. xhr.com responds with a response header, 'Access-Control-Allow-Origin',
indicating whether the XHR is allowed or not. You can use network inspection tools to inspect the request/response
and understand the failure in your case.

Thanks,
Nikhil


-----Original Message-----
From: Pär [mailto:p.majholm@gmail.com] 
Sent: Thursday, May 21, 2015 6:24 PM
To: dev@cordova.apache.org
Subject: Re: CSP ignored when using remote content

Thanks for the reply. Yes, the CSP rules are defined by the page that is loaded, wherever
that is. The thing is that the behavior when loading that page from a remote server is different
from the behavior when loading the page locally, even though it's the exact same page.

I have <access origin="*"> and CSP "default-src *". When I have a local content src
I can do any cross-origin XHRs. Then I change content src to a server where I serve the platform/www
folder of my cordova project, and suddenly the same XHRs are blocked. So the behaviour is
different just from one variable changing: content src.

On 22 May 2015 at 02:27, Jesse <purplecabbage@gmail.com> wrote:

> This is the intended behavior.  The CSP rules are defined by the page 
> that is loaded, wherever it is.
> Pointing content.src to a remote server basically means, ignore 
> anything that is in www/index.html.
>
> @purplecabbage
> risingj.com
>
> On Thu, May 21, 2015 at 2:16 PM, Pär <p.majholm@gmail.com> wrote:
>
> > When using a remote content src like <content src="
> > http://remoteserver.com/app/index.html"> the CSP rules seem to be 
> > ignored; cross-origin requests fail even with a "default-src *" CSP. 
> > Is this intended behaviour or a bug?
> >
>
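The two gates Nikhil's reply separates, the page's own CSP and the target server's CORS answer, are easy to conflate when only one of them changes behaviour between file:// and a remote content src. The following Python is an added example, not code from the Cordova project or from anyone in this thread. It models a server-side preflight handler that only echoes allow-listed origins, a simplified CSP connect-src check, and the browser-side decision of whether a page may read a cross-origin response. The hostnames remoteserver.com and xhr.com are taken from the thread; the rule that file:// content bypasses CORS is modelled exactly as the reply states it (a property of the Cordova WebView, not of the web platform) and the CSP matcher handles only `*`, `'self'` and literal origins.

```python
"""Model of CSP vs CORS for a Cordova page loaded locally or remotely.

Added example; not part of the original mailing-list thread.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Return the origin (scheme://host[:port]) of a URL; file:// collapses to 'file://'."""
    p = urlsplit(url)
    if p.scheme == "file":
        return "file://"
    netloc = p.hostname or ""
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    if p.port and p.port != default_port:
        netloc += ":%d" % p.port
    return "%s://%s" % (p.scheme, netloc)


def preflight_response(request_headers, allowed_origins):
    """Server side (xhr.com): answer a CORS preflight.

    Only allow-listed origins get Access-Control-Allow-Origin, and the specific
    origin is echoed rather than '*'. Vary: Origin keeps caches from serving one
    origin's answer to another. An empty dict means 'no CORS headers at all'.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": request_headers.get(
            "Access-Control-Request-Method", "GET"),
        "Access-Control-Allow-Headers": request_headers.get(
            "Access-Control-Request-Headers", ""),
        "Vary": "Origin",
    }


def parse_csp(policy):
    """Split 'default-src *; connect-src http://xhr.com' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows_connect(policy, page_url, xhr_url):
    """Page side: does connect-src (falling back to default-src) permit xhr_url?

    Simplified matcher: '*', 'self' (relative to page_url) and literal origins.
    """
    directives = parse_csp(policy)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: CSP imposes no restriction
    target = origin_of(xhr_url)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and target == origin_of(page_url):
            return True
        if src.lower() == target:
            return True
    return False


def browser_allows_read(page_url, xhr_url, response_headers):
    """Browser side: may script running at page_url read the response from xhr_url?

    The file:// exemption is the Cordova WebView behaviour described in the
    thread (an assumption of this model), not a web-standard rule.
    """
    page_origin = origin_of(page_url)
    if page_origin == "file://":
        return True
    if page_origin == origin_of(xhr_url):
        return True  # same origin: CORS is never consulted
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def decide(page_url, xhr_url, policy, server_allowed_origins):
    """Run both gates and return (csp_ok, cors_ok) so the two can be told apart."""
    csp_ok = csp_allows_connect(policy, page_url, xhr_url)
    headers = preflight_response({"Origin": origin_of(page_url),
                                  "Access-Control-Request-Method": "GET"},
                                 server_allowed_origins)
    cors_ok = browser_allows_read(page_url, xhr_url, headers)
    return csp_ok, cors_ok


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: same page, same CSP, only the
    # content src differs; xhr.com has not allow-listed remoteserver.com.
    xhr = "http://xhr.com/api/data"
    for page in ("file:///android_asset/www/index.html",
                 "http://remoteserver.com/app/index.html"):
        print(page, "->", decide(page, xhr, "default-src *", set()))
```

Running the module shows the asymmetry the original poster saw: the CSP gate passes in both cases because `default-src *` is the page's own policy, while the CORS gate passes for the local page only because the WebView exempts file:// content; hosting the same page on remoteserver.com makes the read depend on xhr.com returning a matching Access-Control-Allow-Origin header, which is what the suggested network inspection would reveal.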