Date: Sun, 24 May 2015 18:51:54 -0500
From: Kerri Shotts
To: Raymond Camden, dev@cordova.apache.org
Subject: Re: CSP question

Ray,

According to https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives, if you omit the URL scheme, the one the page is using is assumed. So if you’re loading off file://, then your CSP will assume that URLs without schemes will also be coming from file://. Which is my guess as to why the code is failing? (Unless you’re serving from http://, in which case, I would expect your CSP to work.)

If you want wildcard behavior, you can use *://code.jquery.com instead.

On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcamden@gmail.com) wrote:

According to the HTML5 Rocks article on CSP
(http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
you can specify just the host portion. So I tried this to load jQuery
(which, I wouldn't do normally, I'd host it locally):

This does not work though. If I change it to http://code.jquery.com,
it works fine. Is this simply a bug with the HTML5 Rocks article or a
misunderstanding on my part?

--
Raymond Camden, Developer Advocate for MobileFirst at IBM
Email : raymondcamden@gmail.com
Blog : www.raymondcamden.com
Twitter: raymondcamden
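
The scheme rule from the reply above, as an added example that is not part of the original thread: a simplified JavaScript model of CSP host-source matching (scheme and exact host only; the http-to-https allowance follows the CSP Level 2 matching rule and goes beyond what the reply states). The page URLs and the jQuery file path are constructed samples, and the function names are hypothetical.

```javascript
// Simplified model of matching a CSP host-source against a resource URL.
// Covers scheme and exact host only; ports, paths and host wildcards are
// left out. Not a browser's implementation.

// Constructed sample URLs (assumptions, not taken from the thread).
const FILE_PAGE = "file:///android_asset/www/index.html";
const HTTP_PAGE = "http://localhost:8000/index.html";
const JQUERY = "http://code.jquery.com/jquery.min.js";

// Split "code.jquery.com" or "http://code.jquery.com" into scheme and host.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

function schemeAllowed(sourceScheme, pageScheme, resourceScheme) {
  // An explicit scheme in the source must match the resource exactly.
  if (sourceScheme !== null) return sourceScheme === resourceScheme;
  // No scheme in the source: the page's own scheme is assumed.
  // An http page may also load the https form of the same host.
  if (pageScheme === "http") {
    return resourceScheme === "http" || resourceScheme === "https";
  }
  return resourceScheme === pageScheme;
}

function sourceMatches(expr, pageUrl, resourceUrl) {
  const src = parseSource(expr);
  const pageScheme = new URL(pageUrl).protocol.slice(0, -1);
  const res = new URL(resourceUrl);
  const resScheme = res.protocol.slice(0, -1);
  return schemeAllowed(src.scheme, pageScheme, resScheme) &&
    res.hostname.toLowerCase() === src.host;
}

// The case from the thread: a page loaded from file:// with a scheme-less
// source does not match an http:// script; adding the scheme does.
console.log(sourceMatches("code.jquery.com", FILE_PAGE, JQUERY));
console.log(sourceMatches("http://code.jquery.com", FILE_PAGE, JQUERY));
console.log(sourceMatches("code.jquery.com", HTTP_PAGE, JQUERY));
```
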