cordova-dev mailing list archives

From Raymond Camden <raymondcam...@gmail.com>
Subject Re: CSP question
Date Mon, 25 May 2015 00:36:47 GMT
No worries - I appreciate the MDN link though - certainly better than
the old HTML5 Rocks article. I'm blogging on the CSP changes (I had
misunderstood them) based on conversations I had with Nic Raboy over
on his blog post on the topic. Will post back here so folks can tell
me if I screwed up. ;)


On Sun, May 24, 2015 at 7:33 PM, Kerri Shotts <kerrishotts@gmail.com> wrote:
> That’s what I get for making assumptions on other parts of the syntax. ;-)
> Wildcards just don’t automatically apply everywhere (sigh), even if they
> look like they could. Bad brain, bad brain! More coffee needed!
>
> On May 24, 2015 at 7:31:08 PM, Kerri Shotts (kerrishotts@gmail.com) wrote:
>
> My bad! Clearly I glitched on that. You can wildcard subdomains and ports,
> but not url schemes:
>
> http://www.w3.org/TR/CSP/#source-list-syntax
>
> I’m going to blame my headache for that one! ;-)
>
> On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcamden@gmail.com)
> wrote:
>
> Shoot, no, that doesn't work either. It gives:
>
> The source list for Content Security Policy directive 'script-src'
> contains an invalid source: '*://code.jquery.com'. It will be ignored.
>
> On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts <kerrishotts@gmail.com> wrote:
>> Ray,
>>
>> According to
>>
>> https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
>> if you omit the URL scheme, the one the page is using is assumed. So if
>> you’re loading off file://, then your CSP will assume that URLs without
>> schemes will also be coming from file://. Which is my guess as to why the
>> code is failing? (Unless you’re serving from http://, in which case, I
>> would expect your CSP to work.)
>>
>> If you want wildcard behavior, you can use *://code.jquery.com instead.
>>
>> On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcamden@gmail.com)
>> wrote:
>>
>> According to the HTML5 Rocks article on CSP
>> (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
>> you can specify just the host portion. So I tried this to load jQuery
>> (which, I wouldn't do normally, I'd host it locally):
>>
>> <meta http-equiv="Content-Security-Policy" content="default-src 'self'
>> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'
>> 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;
>> connect-src http://www.cnn.com">
>>
>> This does not work though. If I change it to http://code.jquery.com,
>> it works fine. Is this simply a bug with the HTML5 Rocks article or a
>> misunderstanding on my part?
>>
>> --
>>
>> ===========================================================================
>> Raymond Camden, Developer Advocate for MobileFirst at IBM
>>
>> Email : raymondcamden@gmail.com
>> Blog : www.raymondcamden.com
>> Twitter: raymondcamden
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
>> For additional commands, e-mail: dev-help@cordova.apache.org
>>



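Added example, not code from the thread or from Cordova: a simplified CSP Level 1 source-list matcher in Node.js that encodes the three rules the thread settles on. A host-only source such as `code.jquery.com` inherits the page's scheme, so it never matches an `http://` fetch from a `file://` Cordova page; `*` is accepted for subdomains (`*.jquery.com`) and ports (`:*`); and `*://code.jquery.com` is not a valid source expression at all, so a browser ignores it with the "contains an invalid source" warning quoted above. The policy string, the `file:///android_asset/www/index.html` page URL and the jQuery URL are constructed sample values. CSP Level 2 later relaxed the scheme rule slightly (an `http:` page may also match `https:` URLs for a scheme-less source); the matcher deliberately implements the strict Level 1 rule the thread describes.

```javascript
// Added example (not from the thread or from Cordova): a simplified CSP
// Level 1 source-list matcher. Runs on Node.js (uses the global URL class).
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);
// scheme-part is alpha *(alpha / digit / "+" / "-" / "."), so "*" is never a
// scheme: "*://host" fails both expressions below and is reported as invalid.
const SCHEME_SOURCE_RE = /^[a-z][a-z0-9+.\-]*:$/i;
const HOST_SOURCE_RE =
  /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9\-]+(?:\.[a-z0-9\-]+)*)(?::(\*|\d+))?(\/\S*)?$/i;
const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };

// Parse one source expression; null means "invalid source, browser ignores it".
function parseSourceExpression(expr) {
  if (KEYWORDS.has(expr)) return { kind: 'keyword', value: expr };
  if (SCHEME_SOURCE_RE.test(expr)) return { kind: 'scheme', scheme: expr.slice(0, -1).toLowerCase() };
  const m = HOST_SOURCE_RE.exec(expr);
  if (!m) return null;
  return { kind: 'host', scheme: m[1] ? m[1].toLowerCase() : null,
           host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || null };
}

// "default-src 'self' data:; script-src ..." -> { 'default-src': [...], ... }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

const schemeOf = (u) => u.protocol.slice(0, -1);
const effectivePort = (u) => u.port || DEFAULT_PORTS[schemeOf(u)] || '';

function hostSourceMatches(src, url, page) {
  // A bare "*" matches any host on any scheme except data:/blob:/filesystem:.
  if (src.host === '*' && !src.scheme && !src.port && !src.path) {
    return !['data', 'blob', 'filesystem'].includes(schemeOf(url));
  }
  // Scheme: explicit must match; omitted inherits the page's scheme (the Level 1
  // rule). A file:// Cordova page therefore never matches "code.jquery.com".
  if ((src.scheme || schemeOf(page)) !== schemeOf(url)) return false;
  // Host: "*.example.com" covers subdomains only (not example.com itself).
  const host = url.hostname.toLowerCase();
  if (src.host !== '*') {
    if (src.host.startsWith('*.')) { if (!host.endsWith(src.host.slice(1))) return false; }
    else if (host !== src.host) return false;
  }
  // Port: "*" is any port; a number must equal the URL's effective port; omitted
  // means only the scheme's default port.
  if (src.port === null) { if (url.port !== '') return false; }
  else if (src.port !== '*' && effectivePort(url) !== src.port) return false;
  // Path: a trailing "/" is a prefix match, otherwise exact (CSP Level 2 semantics).
  if (src.path) {
    if (src.path.endsWith('/')) { if (!url.pathname.startsWith(src.path)) return false; }
    else if (url.pathname !== src.path) return false;
  }
  return true;
}

function sourceMatches(src, url, page) {
  if (src.kind === 'keyword') {
    // 'none' never matches; 'unsafe-inline'/'unsafe-eval' govern inline code, not URLs.
    if (src.value !== "'self'") return false;
    return url.protocol === page.protocol && url.hostname === page.hostname &&
           effectivePort(url) === effectivePort(page);
  }
  if (src.kind === 'scheme') return schemeOf(url) === src.scheme;
  return hostSourceMatches(src, url, page);
}

// Decide one fetch, falling back to default-src as a browser does. Also returns the
// expressions the parser rejected (a browser logs "contains an invalid source").
function checkFetch(policyString, directive, urlString, pageUrlString) {
  const policy = parsePolicy(policyString);
  const list = policy[directive] || policy['default-src'] || [];
  const url = new URL(urlString), page = new URL(pageUrlString);
  const parsed = [], ignored = [];
  for (const expr of list) {
    const src = parseSourceExpression(expr);
    if (src) parsed.push(src); else ignored.push(expr);
  }
  return { allowed: parsed.some((src) => sourceMatches(src, url, page)), ignored };
}

// Constructed sample: the policy from the thread on a Cordova file:// page.
const POLICY = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com; " +
  "connect-src http://www.cnn.com";
const PAGE = 'file:///android_asset/www/index.html';
const JQUERY = 'http://code.jquery.com/jquery.min.js';

console.log(checkFetch(POLICY, 'script-src', JQUERY, PAGE));                 // allowed: false
console.log(checkFetch(POLICY.replace('code.jquery.com', 'http://code.jquery.com'),
                       'script-src', JQUERY, PAGE));                          // allowed: true
console.log(checkFetch(POLICY.replace('code.jquery.com', '*://code.jquery.com'),
                       'script-src', JQUERY, PAGE));                          // ignored: ['*://code.jquery.com']
console.log(checkFetch("script-src https://*.jquery.com:*", 'script-src',
                       'https://code.jquery.com:8443/x.js', PAGE));           // allowed: true
```

The practical takeaway for a Cordova app is the one the thread reaches: because the WebView loads the app from `file://`, every remote host in a CSP source list needs an explicit scheme (ideally `https://`), and `*` is only valid in the host and port positions.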