cordova-dev mailing list archives

From Steven Gill <stevengil...@gmail.com>
Subject Re: CSP question
Date Wed, 27 May 2015 00:12:17 GMT
Nice tips Kerri!

Thanks for the blog post Ray! Link for the lazy
http://www.raymondcamden.com/2015/05/25/important-information-about-cordova-5

On Sun, May 24, 2015 at 5:36 PM, Raymond Camden <raymondcamden@gmail.com>
wrote:

> No worries - I appreciate the MDN link though - certainly better than
> the old HTML5 Rocks article. I'm blogging on the CSP changes (I had
> misunderstood them) based on conversations I had with Nic Raboy over
> on his blog post on the topic. Will post back here so folks can tell
> me if I screwed up. ;)
>
>
> On Sun, May 24, 2015 at 7:33 PM, Kerri Shotts <kerrishotts@gmail.com>
> wrote:
> > That's what I get for making assumptions on other parts of the syntax. ;-)
> > Wildcards just don't automatically apply everywhere (sigh), even if they
> > look like they could. Bad brain, bad brain! More coffee needed!
> >
> >
> >
> >
> > On May 24, 2015 at 7:31:08 PM, Kerri Shotts (kerrishotts@gmail.com)
> > wrote:
> >
> > My bad! Clearly I glitched on that. You can wildcard subdomains and ports,
> > but not URL schemes:
> >
> > http://www.w3.org/TR/CSP/#source-list-syntax
> >
> > I'm going to blame my headache for that one! ;-)
> >
> >
> >
> >
> > On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcamden@gmail.com)
> > wrote:
> >
> > Shoot, no, that doesn't work either. It gives:
> >
> >
> > The source list for Content Security Policy directive 'script-src'
> > contains an invalid source: '*://code.jquery.com'. It will be ignored.
> >
> > On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts <kerrishotts@gmail.com>
> > wrote:
> >> Ray,
> >>
> >> According to
> >> https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
> >> if you omit the URL scheme, the one the page is using is assumed. So if
> >> you're loading off file://, then your CSP will assume that URLs without
> >> schemes will also be coming from file://. Which is my guess as to why the
> >> code is failing? (Unless you're serving from http://, in which case, I would
> >> expect your CSP to work.)
> >>
> >> If you want wildcard behavior, you can use *://code.jquery.com instead.
> >>
> >>
> >>
> >>
> >> On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcamden@gmail.com)
> >> wrote:
> >>
> >> According to the HTML5 Rocks article on CSP
> >> (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
> >> you can specify just the host portion. So I tried this to load jQuery
> >> (which, I wouldn't do normally, I'd host it locally):
> >>
> >> <meta http-equiv="Content-Security-Policy" content="default-src 'self'
> >> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'
> >> 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;
> >> connect-src http://www.cnn.com">
> >>
> >> This does not work though. If I change it to http://code.jquery.com,
> >> it works fine. Is this simply a bug with the HTML5 Rocks article or a
> >> misunderstanding on my part?
> >>
> >> --
> >> ===========================================================================
> >> Raymond Camden, Developer Advocate for MobileFirst at IBM
> >>
> >> Email : raymondcamden@gmail.com
> >> Blog : www.raymondcamden.com
> >> Twitter: raymondcamden
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
> >> For additional commands, e-mail: dev-help@cordova.apache.org
> >>
> >
> >
> >
>
>
>
>
>
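The source-list rules the thread settles on (a scheme-less host source inherits the page's scheme, `*://host` is not a valid source and gets ignored, wildcards cover subdomains and ports but not schemes) as an added example that is not part of the original thread and not Cordova or browser code: a simplified CSP source-expression matcher in JavaScript. The Cordova page URL `file:///android_asset/www/index.html` and the other hosts and ports in the checks are constructed; path-parts and IPv6 hosts are not handled, and the http→https upgrade rule comes from the CSP specification rather than from this thread.

```javascript
// Added example: simplified CSP source-expression matching.
// Not a browser implementation; path-parts and IPv6 hosts are ignored.

const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.\-]*$/;
const HOST_RE = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/;
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse one source expression. Returns null for an invalid one; a browser
// logs a warning and ignores such a source, which is what '*://code.jquery.com' produced.
function parseSourceExpression(expr) {
  const schemeOnly = /^([A-Za-z][A-Za-z0-9+.\-]*):$/.exec(expr);   // e.g. data:, gap:
  if (schemeOnly) return { kind: 'scheme', scheme: schemeOnly[1].toLowerCase() + ':' };

  let rest = expr;
  let scheme = null;
  const sep = rest.indexOf('://');
  if (sep !== -1) {
    scheme = rest.slice(0, sep).toLowerCase();
    // The scheme-part must be a scheme name; '*' is not one, so '*://host' is invalid.
    if (!SCHEME_RE.test(scheme)) return null;
    scheme += ':';
    rest = rest.slice(sep + 3);
  }
  const slash = rest.indexOf('/');
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);   // path-part dropped

  let host = hostPort;
  let port = null;
  const colon = hostPort.lastIndexOf(':');
  if (colon !== -1) {
    host = hostPort.slice(0, colon);
    port = hostPort.slice(colon + 1);
    if (port !== '*' && !/^\d+$/.test(port)) return null;      // port wildcard or digits only
  }

  let wildcardHost = false;
  if (host === '*') {
    wildcardHost = true; host = '';                               // any host
  } else if (host.startsWith('*.')) {
    wildcardHost = true; host = host.slice(2);                    // any subdomain of host
  }
  if (host === '' && !wildcardHost) return null;
  if (host !== '' && !HOST_RE.test(host)) return null;
  return { kind: 'host', scheme, host: host.toLowerCase(), wildcardHost, port };
}

// Effective port of a URL: explicit port, else the scheme's default.
function urlPort(u) { return u.port || DEFAULT_PORTS[u.protocol] || ''; }

// CSP treats https as an acceptable upgrade of http (and wss of ws).
function schemeMatches(want, got) {
  return want === got || (want === 'http:' && got === 'https:') || (want === 'ws:' && got === 'wss:');
}

// Does one source expression allow urlText for a document loaded from pageText?
function matchesSource(exprText, urlText, pageText) {
  const url = new URL(urlText);
  const page = new URL(pageText);
  if (exprText === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname
      && urlPort(url) === urlPort(page);
  }
  if (exprText.startsWith("'")) return false;   // 'unsafe-inline' etc. never match a URL
  const expr = parseSourceExpression(exprText);
  if (expr === null) return false;              // invalid source: ignored, allows nothing
  if (expr.kind === 'scheme') return url.protocol === expr.scheme;

  // Scheme-less host source: the page's own scheme is assumed. This is why a bare
  // 'code.jquery.com' fails for a file:// Cordova page but works when served over http://.
  const wantScheme = expr.scheme || page.protocol;
  if (!schemeMatches(wantScheme, url.protocol)) return false;

  const host = url.hostname.toLowerCase();
  const hostOk = expr.wildcardHost
    ? (expr.host === '' || host.endsWith('.' + expr.host))
    : host === expr.host;
  if (!hostOk) return false;

  if (expr.port === '*') return true;
  const wantPort = expr.port === null ? (DEFAULT_PORTS[url.protocol] || '') : expr.port;
  return urlPort(url) === wantPort;
}

// Does a directive's whole source list (e.g. the value of script-src) allow the URL?
function policyAllows(sourceList, urlText, pageText) {
  return sourceList.trim().split(/\s+/).some(src => matchesSource(src, urlText, pageText));
}

// Constructed sample: the script-src from the thread, checked for a Cordova file:// page.
const CORDOVA_PAGE = 'file:///android_asset/www/index.html';
const JQUERY = 'http://code.jquery.com/jquery.js';
console.log(policyAllows("'self' code.jquery.com", JQUERY, CORDOVA_PAGE));        // false
console.log(policyAllows("'self' http://code.jquery.com", JQUERY, CORDOVA_PAGE)); // true
console.log(parseSourceExpression('*://code.jquery.com'));                         // null
```

Running it against the thread's own cases shows the three behaviours in one place: the scheme-less host is rejected on the file:// page and accepted on an http:// page, the `*://` form never parses, and `*.jquery.com` or `localhost:*` match exactly the subdomain and port wildcards the spec allows.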
