cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kerri Shotts <kerrisho...@gmail.com>
Subject Re: CSP question
Date Sun, 24 May 2015 23:51:54 GMT
Ray,

According to https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
if you omit the URL scheme, the one the page is using is assumed. So if you’re loading off
file://, then your CSP will assume that URLs without schemes will also be coming from file://.
Which is my guess as to why the code is failing? (Unless you’re serving from http://, in
which case, I would expect your CSP to work.)

If you want wildcard behavior, you can use *://code.jquery.com instead.




On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcamden@gmail.com) wrote:

According to the HTML5 Rocks article on CSP  
(http://www.html5rocks.com/en/tutorials/security/content-security-policy/)  
you can specify just the host portion. So I tried this to load jQuery  
(which, I wouldn't do normally, I'd host it locally):  

<meta http-equiv="Content-Security-Policy" content="default-src 'self'  
data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'  
'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;  
connect-src http://www.cnn.com">  

This does not work though. If I change it to http://code.jquery.com,  
it works fine. Is this simply a bug with the HTML5 Rocks article or a  
misunderstanding on my part?  

--  
===========================================================================  
Raymond Camden, Developer Advocate for MobileFirst at IBM  

Email : raymondcamden@gmail.com  
Blog : www.raymondcamden.com  
Twitter: raymondcamden  

---------------------------------------------------------------------  
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org  
For additional commands, e-mail: dev-help@cordova.apache.org  


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message