cordova-dev mailing list archives

From Pär <>
Subject Re: CSP ignored when using remote content
Date Sat, 23 May 2015 19:44:02 GMT
Guuuys! Thanks for your answers and all! But I guess I haven't been clear
enough, I already know it works on file:///, I want it to work when it's
noooot file:/// but a remoooote source!

And what's this talk about CORS headers? You can make XHRs to ANYTHING when
using a local cordova content src (file:///), the server doesn't need to
send ANY CORS headers! Try it.

But I want to use a remoooooote source, NOT file:///. So something
like <content src="">. And no, the server doesn't
send me CORS headers, I need it to work without CORS headers, like it does
with the file:/// already!

What's happening in my case? I get a regular chrome same-origin-policy
message "No 'Access-Control-Allow-Origin' header is present on the
requested resource. Origin '' is therefore not allowed


Is it intentional? Is that how cordova is supposed to work? Why
the discrepancy? Is it a bug?

I'm not trying to be disrespectful, I have great respect for you guys. I
just want to make myself understood clearly now, so that you understand my
question 100%.

On 22 May 2015 at 21:08, Shazron <> wrote:

> If using the wkwebview-engine plugin in cordova-ios 4.0 (release TBD),
> using file:/// URLs will respect CORS, I believe (Device: you can only
> test this currently with files loaded from the tmp folder:
> - Simulator: anything goes)
> The wkwebview-engine plugin uses the new WKWebView component in iOS 8,
> instead of the system UIWebView (which doesn't care about CORS).
> I haven't tested this with the latest iOS 8.3 though.
> On Fri, May 22, 2015 at 11:42 AM, Nikhil Khandelwal
> <> wrote:
> > CORS does not apply for local content using file:///, hence, browser
> > will allow all XHRs when your origin is local. When you host content on
> > CORS is applied. If you make an XHR to, the
> > browser will pre-flight a request to asking if supports
> > xhr access from responds using a response
> > header - 'Access-Control-Allow-Origin' allowing XHR to be allowed or not.
> > You can use network inspection tools to see the request/response to see
> > what's happening in your case and understand the failure.
> >
> > Thanks,
> > Nikhil
> >
> >
> > -----Original Message-----
> > From: Pär []
> > Sent: Thursday, May 21, 2015 6:24 PM
> > To:
> > Subject: Re: CSP ignored when using remote content
> >
> > Thanks for the reply. Yes, the CSP rules are defined by the page that is
> > loaded, wherever that is. The thing is that the behavior when loading that
> > page from a remote server is different from the behavior when loading the
> > page locally, even though it's the exact same page.
> >
> > I have <access origin="*"> and CSP "default-src *". When I have a local
> > content src I can do any cross origin XHRs. Then I change content src to a
> > server where I serve the platform/www folder of my cordova project, and
> > suddenly the same XHRs are blocked. So the behaviour is different just
> > from one variable changing; content src.
> >
> > On 22 May 2015 at 02:27, Jesse <> wrote:
> >
> >> This is the intended behavior.  The csp rules are defined by the page
> >> that is loaded, wherever it is.
> >> Pointing content.src to a remote server basically means, ignore
> >> anything that is in www/index.html.
> >>
> >> @purplecabbage
> >>
> >>
> >> On Thu, May 21, 2015 at 2:16 PM, Pär <> wrote:
> >>
> >> > When using a remote content src like <content src="">
> >> > the CSP rules seem to be
> >> > ignored; cross origin requests fail even with a "default-src *" CSP.
> >> > Is this intended behaviour or a bug?
> >> >
> >>

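Added example, not part of the thread and not Cordova project code: a small JavaScript model of the origin check discussed above, next to the response headers an API server would have to send before a remotely hosted page can read its responses. The host names, the file:/// path and the function names are constructed for illustration. A CSP of "default-src *" only lifts the page's own restrictions; it cannot stand in for the Access-Control-Allow-Origin header.

```javascript
// Added example: models the origin check discussed in this thread.
// All hosts and paths below are constructed placeholders, not values from the thread.

// Decide whether a page may read the response of an XHR to targetUrl.
// fileBypass models a webview that does not enforce CORS for file:/// pages
// (the behaviour the thread describes for a local Cordova content src).
function xhrAllowed(pageUrl, targetUrl, responseHeaders, fileBypass = true) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (page.protocol === "file:") return fileBypass;
  if (page.origin === target.origin) return true; // same origin, no CORS needed
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === page.origin;
}

// Server side: headers an API would send to admit only known app origins.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {}; // no header, browser blocks
  return {
    "access-control-allow-origin": requestOrigin,
    "vary": "Origin", // caches must not reuse the response for other origins
  };
}

const LOCAL = "file:///android_asset/www/index.html"; // local content src
const REMOTE = "https://app.example.com/index.html";  // remote content src
const API = "https://api.example.net/data";           // cross-origin XHR target
const ALLOW = ["https://app.example.com"];            // origins the API trusts

function demo() {
  const other = "https://other.example.org";
  return {
    localNoHeaders: xhrAllowed(LOCAL, API, {}),
    remoteNoHeaders: xhrAllowed(REMOTE, API, {}),
    remoteAllowlisted: xhrAllowed(
      REMOTE, API, corsHeadersFor("https://app.example.com", ALLOW)),
    otherOrigin: xhrAllowed(other + "/", API, corsHeadersFor(other, ALLOW)),
  };
}

console.log(demo());
```

Echoing an allowlisted origin rather than sending "*" keeps the API closed to pages served from other hosts.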