cordova-dev mailing list archives

From Shazron <>
Subject Re: CSP ignored when using remote content
Date Fri, 22 May 2015 19:08:42 GMT
If using the wkwebview-engine plugin in cordova-ios 4.0 (release TBD),
using file:/// URLs will respect CORS, I believe.
- Device: you can only test this currently with files loaded from the tmp folder:
- Simulator: anything
The wkwebview-engine plugin uses the new WKWebView component in iOS 8,
instead of the system UIWebView (which doesn't care about CORS).

I haven't tested this with the latest iOS 8.3 though.

On Fri, May 22, 2015 at 11:42 AM, Nikhil Khandelwal
<> wrote:
> CORS does not apply for local content using file:///, hence the browser will allow all XHRs
> when your origin is local. When you host content on CORS is applied. If you
> make an XHR to, the browser will pre-flight a request to asking if
> supports XHR access from responds using a response header - 'Access-Control-Allow-Origin'
> allowing XHR to be allowed or not. You can use network inspection tools to see the request/response
> to see what's happening in your case and understand the failure.
> Thanks,
> Nikhil
> -----Original Message-----
> From: Pär []
> Sent: Thursday, May 21, 2015 6:24 PM
> To:
> Subject: Re: CSP ignored when using remote content
> Thanks for the reply. Yes, the CSP rules are defined by the page that is loaded, wherever
> that is. The thing is that the behavior when loading that page from a remote server is different
> from the behavior when loading the page locally, even though it's the exact same page.
> I have <access origin="*"> and CSP "default-src *". When I have a local content
> src I can do any cross-origin XHRs. Then I change content src to a server where I serve the
> platform/www folder of my cordova project, and suddenly the same XHRs are blocked. So the
> behaviour is different just from one variable changing: content src.
> On 22 May 2015 at 02:27, Jesse <> wrote:
>> This is the intended behavior.  The csp rules are defined by the page
>> that is loaded, wherever it is.
>> Pointing content.src to a remote server basically means, ignore
>> anything that is in www/index.html.
>> @purplecabbage
>> On Thu, May 21, 2015 at 2:16 PM, Pär <> wrote:
>> > When using a remote content src like <content src="
>> >"> the CSP rules seems to be
>> > ignored; cross origin requests fail even with a "default-src *" CSP.
>> > Is this intended behaviour or a bug?
>> >
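The CORS check Nikhil describes above, as an added example that is not code from this thread or from Cordova: a JavaScript model of the decision a browser makes once the page has a real http(s) origin instead of file:///. The hosts app.example.com and api.example.net, the header values and the X-Api-Key header are constructed for illustration. The point it makes explicit is that `default-src *` and `<access origin="*">` both relax the page-side policy, while CORS is decided by the `Access-Control-Allow-Origin` (and, for preflighted requests, `Allow-Methods` / `Allow-Headers`) headers sent by the server being called; as Shazron notes, UIWebView skips this check entirely for file:/// content, which is why the same XHRs succeed with a local content src.

```javascript
// Added example (not from the cordova-dev thread): a model of the browser-side
// CORS check that applies once a Cordova page is served from a remote origin.
// Hosts, paths and header values below are constructed for illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Normalise header names to lower case so lookups are case-insensitive.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Request headers that are not CORS-safelisted (a JSON Content-Type counts as unsafe).
function unsafeHeaders(req) {
  const out = [];
  for (const [name, value] of Object.entries(lowerHeaders(req.headers))) {
    if (!SIMPLE_HEADERS.has(name)) { out.push(name); continue; }
    if (name === "content-type" && !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) out.push(name);
  }
  return out;
}

// A request needs an OPTIONS preflight if its method or any header is not "simple".
function needsPreflight(req) {
  return !SIMPLE_METHODS.has(req.method.toUpperCase()) || unsafeHeaders(req).length > 0;
}

// The Access-Control-Allow-Origin rule applied to one response.
function checkAllowOrigin(origin, headers, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (acao === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard origin is rejected when credentials are sent" }
      : { allowed: true, reason: "wildcard origin" };
  }
  if (acao !== origin) return { allowed: false, reason: `Access-Control-Allow-Origin is ${acao}, page origin is ${origin}` };
  if (withCredentials && (headers["access-control-allow-credentials"] || "").toLowerCase() !== "true") {
    return { allowed: false, reason: "credentials sent but Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "origin matches" };
}

function listHeader(headers, name) {
  return (headers[name] || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Full decision: run the preflight rules if needed, then check the actual response.
// `preflightResponse` is what the server returned to OPTIONS (null if nothing usable).
function corsDecision(req, preflightResponse, actualResponse) {
  const withCredentials = Boolean(req.withCredentials);
  if (needsPreflight(req)) {
    if (!preflightResponse) return { allowed: false, reason: "preflight required but OPTIONS got no CORS response" };
    const pre = lowerHeaders(preflightResponse);
    const originCheck = checkAllowOrigin(req.origin, pre, withCredentials);
    if (!originCheck.allowed) return { allowed: false, reason: "preflight: " + originCheck.reason };
    const methods = listHeader(pre, "access-control-allow-methods");
    const method = req.method.toLowerCase();
    if (!SIMPLE_METHODS.has(req.method.toUpperCase()) && !methods.includes(method) && !(methods.includes("*") && !withCredentials)) {
      return { allowed: false, reason: `preflight: method ${req.method} not in Access-Control-Allow-Methods` };
    }
    const allowedHeaders = listHeader(pre, "access-control-allow-headers");
    for (const name of unsafeHeaders(req)) {
      if (!allowedHeaders.includes(name) && !(allowedHeaders.includes("*") && !withCredentials)) {
        return { allowed: false, reason: `preflight: header ${name} not in Access-Control-Allow-Headers` };
      }
    }
  }
  return checkAllowOrigin(req.origin, lowerHeaders(actualResponse), withCredentials);
}

// Constructed scenario: platform/www is served from https://app.example.com (hypothetical)
// and the page calls a hypothetical API at https://api.example.net.
const PAGE_ORIGIN = "https://app.example.com";
const JSON_POST = { origin: PAGE_ORIGIN, method: "POST", headers: { "Content-Type": "application/json", "X-Api-Key": "constructed" } };

const SAMPLES = {
  // Plain GET, API sends no CORS header at all: blocked (the symptom reported in the thread).
  getNoHeader: corsDecision({ origin: PAGE_ORIGIN, method: "GET", headers: {} }, null, { "Content-Type": "application/json" }),
  // Same GET, API answers with a wildcard: allowed.
  getWildcard: corsDecision({ origin: PAGE_ORIGIN, method: "GET", headers: {} }, null, { "Access-Control-Allow-Origin": "*" }),
  // JSON POST with a custom header: preflighted, and the preflight lists origin, method and headers.
  postPreflightOk: corsDecision(JSON_POST,
    { "Access-Control-Allow-Origin": PAGE_ORIGIN, "Access-Control-Allow-Methods": "POST, GET", "Access-Control-Allow-Headers": "Content-Type, X-Api-Key" },
    { "Access-Control-Allow-Origin": PAGE_ORIGIN }),
  // Same POST, but the preflight does not allow X-Api-Key: blocked before the real request is sent.
  postPreflightMissingHeader: corsDecision(JSON_POST,
    { "Access-Control-Allow-Origin": PAGE_ORIGIN, "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Content-Type" },
    { "Access-Control-Allow-Origin": PAGE_ORIGIN }),
  // Credentialed request against a wildcard: blocked even though "*" looks permissive.
  credentialsWildcard: corsDecision({ origin: PAGE_ORIGIN, method: "GET", headers: {}, withCredentials: true }, null, { "Access-Control-Allow-Origin": "*" }),
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, d] of Object.entries(SAMPLES)) console.log(name, d.allowed ? "allowed" : "blocked", "-", d.reason);
}
```

The `reason` strings are the same information the network inspector shows for a failed XHR: which header was missing or mismatched. When the remote server is one you control, the fix is on that server (send `Access-Control-Allow-Origin` for the page's origin, and answer OPTIONS when the request is preflighted), not in config.xml or the CSP meta tag.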
