cordova-dev mailing list archives

From Raymond Camden <raymondcam...@gmail.com>
Subject CSP question
Date Sun, 24 May 2015 19:23:01 GMT
According to the HTML5 Rocks article on CSP
(http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
you can specify just the host portion. So I tried this to load jQuery
(which, I wouldn't do normally, I'd host it locally):

<meta http-equiv="Content-Security-Policy" content="default-src 'self'
data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'
'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;
connect-src http://www.cnn.com">

This does not work though. If I change it to http://code.jquery.com,
it works fine. Is this simply a bug with the HTML5 Rocks article or a
misunderstanding on my part?

-- 
===========================================================================
Raymond Camden, Developer Advocate for MobileFirst at IBM

Email : raymondcamden@gmail.com
Blog : www.raymondcamden.com
Twitter: raymondcamden

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org
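
The behaviour reported above is what the CSP Level 2 matching rule gives for a host-source written without a scheme: the resource must use the same scheme as the page that carries the policy (an `http:` page also allows `https:`). The sketch below is an added example, not part of the original message or of Cordova. It assumes the app page is loaded from a `file:` URL, and the page and script URLs in it are constructed.

```javascript
// Simplified CSP Level 2 host-source matching: scheme, host and port only.
// Paths, keywords ('self') and the bare "*" source are out of scope.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// pageUrl is the URL of the document that carries the policy.
function hostSourceMatches(expr, resourceUrl, pageUrl) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);

  if (src.scheme) {
    if (url.protocol !== src.scheme) return false;
  } else if (page.protocol === "http:") {
    // Scheme-less source on an http: page allows http: and https:.
    if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  } else if (url.protocol !== page.protocol) {
    // Otherwise the resource must use the page's own scheme.
    return false;
  }

  if (src.host.startsWith("*.")) {
    if (!url.hostname.endsWith(src.host.slice(1))) return false;
  } else if (url.hostname !== src.host) {
    return false;
  }

  const defaultPort = DEFAULT_PORTS[url.protocol] || "";
  const urlPort = url.port || defaultPort;
  if (src.port === null) return urlPort === defaultPort;
  return src.port === "*" || src.port === urlPort;
}

// Constructed inputs: the page URL is an assumed Cordova Android location,
// the script URL is a made-up file name on the host from the message.
const PAGE = "file:///android_asset/www/index.html";
const SCRIPT = "http://code.jquery.com/jquery.min.js";
console.log(hostSourceMatches("code.jquery.com", SCRIPT, PAGE));        // false
console.log(hostSourceMatches("http://code.jquery.com", SCRIPT, PAGE)); // true
```

Writing the scheme explicitly in `script-src`, ideally `https://`, keeps the allow-list independent of how the app's page is loaded.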

