From Shazron <shaz...@gmail.com>
Subject Re: CSP ignored when using remote content
Date Fri, 22 May 2015 19:08:42 GMT
If using the wkwebview-engine plugin in cordova-ios 4.0 (release TBD),
using file:/// URLs will respect CORS, I believe (Device: you can only
test this currently with files loaded from the tmp folder:
https://github.com/shazron/WKWebViewFIleUrlTest - Simulator: anything
goes)
The wkwebview-engine plugin uses the new WKWebView component in iOS 8,
instead of the system UIWebView (which doesn't care about CORS).

I haven't tested this with the latest iOS 8.3 though.

On Fri, May 22, 2015 at 11:42 AM, Nikhil Khandelwal
<nikhilkh@microsoft.com> wrote:
> CORS does not apply for local content using file:///, hence the browser will allow all XHRs
> when your origin is local. When you host content on remoteserver.com CORS is applied. If you
> make an XHR to xhr.com, the browser will pre-flight a request to xhr.com asking if xhr.com
> supports XHR access from remoteserver.com. xhr.com responds using a response header, 'Access-Control-Allow-Origin',
> allowing the XHR to be allowed or not. You can use network inspection tools to see the request/response
> to see what's happening in your case and understand the failure.
>
> Thanks,
> Nikhil
>
>
> -----Original Message-----
> From: Pär [mailto:p.majholm@gmail.com]
> Sent: Thursday, May 21, 2015 6:24 PM
> To: dev@cordova.apache.org
> Subject: Re: CSP ignored when using remote content
>
> Thanks for the reply. Yes, the CSP rules are defined by the page that is loaded, wherever
> that is. The thing is that the behavior when loading that page from a remote server is different
> from the behavior when loading the page locally, even though it's the exact same page.
>
> I have <access origin="*"> and CSP "default-src *". When I have a local content
> src I can do any cross-origin XHRs. Then I change content src to a server where I serve the
> platform/www folder of my cordova project, and suddenly the same XHRs are blocked. So the
> behaviour is different just from one variable changing: content src.
>
> On 22 May 2015 at 02:27, Jesse <purplecabbage@gmail.com> wrote:
>
>> This is the intended behavior.  The csp rules are defined by the page
>> that is loaded, wherever it is.
>> Pointing content.src to a remote server basically means, ignore
>> anything that is in www/index.html.
>>
>> @purplecabbage
>> risingj.com
>>
>> On Thu, May 21, 2015 at 2:16 PM, Pär <p.majholm@gmail.com> wrote:
>>
>> > When using a remote content src like <content src="
>> > http://remoteserver.com/app/index.html"> the CSP rules seem to be
>> > ignored; cross-origin requests fail even with a "default-src *" CSP.
>> > Is this intended behaviour or a bug?
>> >
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org
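The pre-flight exchange Nikhil describes above, modelled as a small Node.js simulation. This is an added example, not code from the thread or from Cordova: the server-side `corsResponse` decides whether an `Origin` is on an allow-list and answers the OPTIONS pre-flight, and the browser-side `browserAllowsRead` applies the rule the thread relies on (the response is readable only if `Access-Control-Allow-Origin` names the requesting origin or is `*`). `remoteserver.com` and `xhr.com` are the thread's own placeholder hosts; the allow-lists, the `https://evil.example` origin and the request objects are constructed for illustration.

```javascript
// Added example: a minimal CORS decision for the exchange in the thread.
// The server is "xhr.com"; it only trusts pages served from remoteserver.com.
const ALLOWED_ORIGINS = new Set(['https://remoteserver.com']);   // constructed allow-list
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Server side (xhr.com): compute the CORS headers for one request.
// req = { method, headers } with lower-cased header names.
function corsResponse(req, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = req.headers['origin'];
  const headers = {};

  // No Origin header: same-origin or a non-browser client; CORS is not in play.
  if (origin === undefined) return { status: 200, headers, allowed: true };

  // Unknown origin (including the literal "null" that browsers send for opaque
  // origins such as file:// pages): answer without Access-Control-Allow-Origin,
  // so the browser refuses to hand the response to the page.
  if (!allowedOrigins.has(origin)) {
    return { status: req.method === 'OPTIONS' ? 403 : 200, headers, allowed: false };
  }

  // Echo the specific trusted origin rather than "*"; Vary keeps caches honest.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Vary'] = 'Origin';

  if (req.method === 'OPTIONS') {
    // Pre-flight: the browser asks which method and headers it may use.
    const wantedMethod = req.headers['access-control-request-method'];
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const methodOk = ALLOWED_METHODS.includes(wantedMethod);
    const headersOk = wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!methodOk || !headersOk) return { status: 403, headers: {}, allowed: false };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers, allowed: true };
  }

  return { status: 200, headers, allowed: true };
}

// Browser side: may the page at `origin` read this response?
function browserAllowsRead(origin, res) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === origin;
}

// The full exchange for a cross-origin POST from a page at `origin`.
function simulateExchange(origin) {
  // Step 1: the browser sends the pre-flight before the real request.
  const preflight = corsResponse({
    method: 'OPTIONS',
    headers: {
      origin,
      'access-control-request-method': 'POST',
      'access-control-request-headers': 'content-type',
    },
  });
  if (preflight.status !== 204 || !browserAllowsRead(origin, preflight)) {
    // Pre-flight failed: the actual POST is never sent and the XHR errors out.
    return { preflight, actual: null, readable: false };
  }
  // Step 2: the real request, which must also carry the allow header.
  const actual = corsResponse({
    method: 'POST',
    headers: { origin, 'content-type': 'application/json' },
  });
  return { preflight, actual, readable: browserAllowsRead(origin, actual) };
}

// Example run: the thread's allowed host succeeds, an unknown host does not.
console.log(JSON.stringify({
  fromRemoteServer: simulateExchange('https://remoteserver.com').readable,
  fromUnknownHost: simulateExchange('https://evil.example').readable,
}));
```

The point for the thread: a CSP of `default-src *` and `<access origin="*">` only say what the app's own page may contact; they do not change what xhr.com answers in its pre-flight, so once the page is served from remoteserver.com the remote server's allow-list decides, exactly as the network inspector would show.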

