cordova-dev mailing list archives

From: Kerri Shotts
Subject: Re: CSP question
Date: Sun, 24 May 2015 23:51:54 GMT

According to,
if you omit the URL scheme, the one the page is using is assumed. So if you’re loading off
file://, then your CSP will assume that URLs without schemes will also be coming from file://.
Which is my guess as to why the code is failing? (Unless you’re serving from http://, in
which case, I would expect your CSP to work.)

If you want wildcard behavior, you can use *:// instead.

On May 24, 2015 at 2:24:05 PM, Raymond Camden wrote:

According to the HTML5 Rocks article on CSP  
you can specify just the host portion. So I tried this to load jQuery  
(which, I wouldn't do normally, I'd host it locally):  

<meta http-equiv="Content-Security-Policy" content="default-src 'self'  
data: gap: 'unsafe-eval'; style-src 'self'  
'unsafe-inline'; media-src *; script-src 'self';  

This does not work though. If I change it to,  
it works fine. Is this simply a bug with the HTML5 Rocks article or a  
misunderstanding on my part?  

Raymond Camden, Developer Advocate for MobileFirst at IBM  

Twitter: raymondcamden  
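
The scheme behaviour described in the reply above, as an added example that is not part of the original thread: a simplified host-source matcher modelled on the CSP Level 2 rule for source expressions without a scheme. The host cdn.example.com, the page URL and the function names are constructed for illustration.

```javascript
// Added example: simplified CSP host-source matching, modelled on the CSP
// Level 2 rule for source expressions that omit the scheme. Ports, paths and
// keyword sources such as 'self' are out of scope (assumption).

// Split "https://cdn.example.com" or "cdn.example.com" into scheme and host.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) throw new Error("not a host-source: " + expr);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// "*.example.com" matches subdomains only; anything else must match exactly.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Would `expr`, in the policy of the document at pageUrl, allow resourceUrl?
function hostSourceMatches(expr, resourceUrl, pageUrl) {
  const src = parseHostSource(expr);
  const res = new URL(resourceUrl);
  const resScheme = res.protocol.slice(0, -1);
  const pageScheme = new URL(pageUrl).protocol.slice(0, -1);
  if (src.scheme !== null) {
    // Explicit scheme in the policy: the resource must use exactly that scheme.
    if (src.scheme !== resScheme) return false;
  } else if (pageScheme === "http") {
    // No scheme, page served over http: http and https resources both pass.
    if (resScheme !== "http" && resScheme !== "https") return false;
  } else if (resScheme !== pageScheme) {
    // No scheme, any other page scheme (file:, https:): schemes must be equal.
    return false;
  }
  return hostMatches(src.host, res.hostname.toLowerCase());
}

// Constructed sample values: a Cordova-style file:// page and a CDN script.
const PAGE = "file:///android_asset/www/index.html";
const SCRIPT = "https://cdn.example.com/jquery.min.js";
for (const expr of ["cdn.example.com", "https://cdn.example.com"]) {
  console.log(expr, "->", hostSourceMatches(expr, SCRIPT, PAGE) ? "allowed" : "blocked");
}
```

Run under Node.js, the scheme-less entry is reported as blocked for the file:// page and the entry with an explicit https:// scheme as allowed.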
