cordova-dev mailing list archives

From Kerri Shotts <kerrisho...@gmail.com>
Subject Re: CSP question
Date Mon, 25 May 2015 00:31:01 GMT
My bad! Clearly I glitched on that. You can wildcard subdomains and ports, but not url schemes:

http://www.w3.org/TR/CSP/#source-list-syntax

I’m going to blame my headache for that one! ;-)




On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcamden@gmail.com) wrote:

Shoot, no, that doesn't work either. It gives:  


The source list for Content Security Policy directive 'script-src'  
contains an invalid source: '*://code.jquery.com'. It will be ignored.  

On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts <kerrishotts@gmail.com> wrote:  
> Ray,  
>  
> According to  
> https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,  
> if you omit the URL scheme, the one the page is using is assumed. So if  
> you’re loading off file://, then your CSP will assume that URLs without  
> schemes will also be coming from file://. Which is my guess as to why the  
> code is failing? (Unless you’re serving from http://, in which case, I would  
> expect your CSP to work.)  
>  
> If you want wildcard behavior, you can use *://code.jquery.com instead.  
>  
>  
>  
>  
> On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcamden@gmail.com)  
> wrote:  
>  
> According to the HTML5 Rocks article on CSP  
> (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)  
> you can specify just the host portion. So I tried this to load jQuery  
> (which, I wouldn't do normally, I'd host it locally):  
>  
> <meta http-equiv="Content-Security-Policy" content="default-src 'self'  
> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'  
> 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;  
> connect-src http://www.cnn.com">  
>  
> This does not work though. If I change it to http://code.jquery.com,  
> it works fine. Is this simply a bug with the HTML5 Rocks article or a  
> misunderstanding on my part?  
>  
> --  
> ===========================================================================  
> Raymond Camden, Developer Advocate for MobileFirst at IBM  
>  
> Email : raymondcamden@gmail.com  
> Blog : www.raymondcamden.com  
> Twitter: raymondcamden  
>  
> ---------------------------------------------------------------------  
> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org  
> For additional commands, e-mail: dev-help@cordova.apache.org  
>  



--  
===========================================================================  
Raymond Camden, Developer Advocate for MobileFirst at IBM  

Email : raymondcamden@gmail.com  
Blog : www.raymondcamden.com  
Twitter: raymondcamden  
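As an added example (not code from this thread or from Cordova), a small JavaScript model of CSP source-list matching that follows the rules discussed above: a host source without a scheme inherits the page's scheme, so `code.jquery.com` on a `file://` page never matches an `http://` script; `*://host` is not valid source syntax and is dropped, as Chrome's warning says; wildcards are allowed for subdomains (`*.jquery.com`) and ports (`host:*`). The directive strings, page URLs and script URLs are constructed for illustration, and the grammar is a simplified reading of CSP 1.0/2, not a browser's implementation.

```javascript
// Constructed, simplified CSP source-list matcher (not a browser's code).
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// host-source: [scheme "://"] host [":" port]; host is "*", "*.label..." or a hostname.
const HOST_SRC = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;
// scheme-source: "data:", "gap:", "https:" ...
const SCHEME_SRC = /^([a-z][a-z0-9+.-]*):$/i;

// Parse one source expression. Returns null for syntax the grammar rejects,
// e.g. "*://code.jquery.com": a scheme must start with a letter, never "*".
function parseSource(expr) {
  if (KEYWORDS.has(expr.toLowerCase())) return { keyword: expr.toLowerCase() };
  let m = SCHEME_SRC.exec(expr);
  if (m) return { scheme: m[1].toLowerCase() + ":" };
  m = HOST_SRC.exec(expr);
  if (m) return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null };
  return null; // invalid source: the browser warns and ignores it
}

// Does one parsed source permit `url` for a page loaded from `page`?
function sourceMatches(src, url, page) {
  if (src.keyword === "'self'") return url.protocol === page.protocol && url.host === page.host;
  if (src.keyword) return false;                      // 'none' / 'unsafe-*' never match a URL
  if (!src.host) return url.protocol === src.scheme;  // scheme-source such as data:
  // A scheme-less host source inherits the page's scheme (a file: page allows file: only).
  // CSP Level 2 additionally lets an http: page match https: URLs; omitted here for brevity.
  const wantScheme = src.scheme || page.protocol;
  if (url.protocol !== wantScheme) return false;
  const h = url.hostname.toLowerCase();
  const hostOk = src.host === "*" || (src.host.startsWith("*.") ? h.endsWith(src.host.slice(1)) : h === src.host);
  if (!hostOk) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (src.port === "*") return true;                  // port wildcard
  if (src.port) return urlPort === src.port;
  return urlPort === (DEFAULT_PORT[url.protocol] || ""); // no port given: default port only
}

// Is `scriptUrl` allowed by a script-src source list on a page loaded from `pageUrl`?
function scriptAllowed(sourceList, scriptUrl, pageUrl) {
  const page = new URL(pageUrl), url = new URL(scriptUrl);
  const sources = sourceList.split(/\s+/).filter(Boolean).map(parseSource).filter(Boolean);
  return sources.some((s) => sourceMatches(s, url, page));
}
```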
