cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pär <>
Subject Re: CSP ignored when using remote content
Date Fri, 22 May 2015 01:23:37 GMT
Thanks for the reply. Yes, the CSP rules are defined by the page that is
loaded, wherever that is. The thing is that the behavior when loading that
page from a remote server is different from the behavior when loading the
page locally, even though its the exact same page.

I have <access origin="*"> and CSP "default-src *". When i have a local
content src i can do any cross origin XHR's. Then i change content src to a
server where i serve the platform/www folder of my cordova project, and
suddently the same XHR's are blocked. So the behaviour is different just
from one varialbe changning; content src.

On 22 May 2015 at 02:27, Jesse <> wrote:

> This is the intended behavior.  The csp rules are defined by the page that
> is loaded, wherever it is.
> Pointing content.src to a remote server basically means, ignore anything
> that is in www/index.html.
> @purplecabbage
> On Thu, May 21, 2015 at 2:16 PM, Pär <> wrote:
> > When using a remote content src like <content src="
> >"> the CSP rules seems to be
> > ignored;
> > cross origin requests fail even with a "default-src *" CSP. Is this
> > intended behaviour or a bug?
> >

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message