cordova-issues mailing list archives

From "Andrew Grieve (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-9277) CSP error in processMessage (cordova.js:1072)
Date Thu, 09 Jul 2015 17:33:05 GMT

    [ https://issues.apache.org/jira/browse/CB-9277?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14620899#comment-14620899 ]

Andrew Grieve commented on CB-9277:
-----------------------------------

The deprecated function on the Java side is:
https://github.com/apache/cordova-android/blob/4bf705a3d39b34400388265381a9975b246e3779/framework/src/org/apache/cordova/CordovaWebView.java#L92

There's really no way to support this method that works without unsafe-eval. I think
the best course of action is to leave it in (and deprecated) for a while longer until plugins
stop using it (they should stop since it is now broken by default).

> CSP error in processMessage (cordova.js:1072)
> ---------------------------------------------
>
>                 Key: CB-9277
>                 URL: https://issues.apache.org/jira/browse/CB-9277
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>    Affects Versions: 3.5.0
>         Environment: CCA 0.7.1   with cordova  com.chariotsolutions.nfc.plugin
>            Reporter: Morille Jerome
>
> With CCA 0.7.1, while processing an NFC message with the plugin
> {code}
>   <plugin name="com.chariotsolutions.nfc.plugin" spec="^0.6.2"/>
> {code}
> the call of the plugin function (and when passing the nfc tags)
> {code}
>   nfc.addNdefListener(onNfcEvent,onSuccess, onFailure );
> {code}
> the error is raised
> {code}
> Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src file: data: chrome-extension: https://ssl.gstatic.com".
> processMessage @ cordova.js:1070
> processMessages @ cordova.js:1104
> pollOnce @ cordova.js:973
> pollOnceFromOnlineEvent
> {code}
> The problem is written directly in the source code of the following file.
> In the file https://github.com/apache/cordova-android/blob/4bf705a3d39b34400388265381a9975b246e3779/bin/templates/project/assets/www/cordova.js
> at line 1073 we have the eval that causes the bug (as written in the code)
> {code}
> function processMessage(message) {
>     var firstChar = message.charAt(0);
>     if (firstChar == 'J') {
>         // This is deprecated on the .java side. It doesn't work with CSP enabled.
>         eval(message.slice(1));
>     } else if (firstChar == 'S' || firstChar == 'F') {
>         var success = firstChar == 'S';
>         var keepCallback = message.charAt(1) == '1';
>         var spaceIdx = message.indexOf(' ', 2);
>         var status = +message.slice(2, spaceIdx);
>         var nextSpaceIdx = message.indexOf(' ', spaceIdx + 1);
>         var callbackId = message.slice(spaceIdx + 1, nextSpaceIdx);
>         var payloadMessage = message.slice(nextSpaceIdx + 1);
>         var payload = [];
>         buildPayload(payload, payloadMessage);
>         cordova.callbackFromNative(callbackId, success, status, payload, keepCallback);
>     } else {
>         console.log("processMessage failed: invalid message: " + JSON.stringify(message));
>     }
> }
> {code}
> please correct this code
> {code}
>     // This is deprecated on the .java side. It doesn't work with CSP enabled.
>     eval(message.slice(1));
> {code}
> https://github.com/MobileChromeApps/mobile-chrome-apps/issues/584



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
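
Added example, not part of the original message and not Cordova's own code: a check of whether a Content Security Policy string permits eval, applied to the policy from the reported error, and a parser for the bridge message layout shown in the quoted processMessage that refuses 'J' messages rather than evaluating them. The names cspAllowsEval, parseBridgeMessage and PAGE_POLICY are hypothetical.

```javascript
// Added example, not Cordova code. PAGE_POLICY is copied from the error in
// the report; any bridge messages passed in by a caller are constructed samples.
var PAGE_POLICY = 'default-src file: data: chrome-extension: https://ssl.gstatic.com';

// True if the policy lets eval() run. script-src governs eval and falls back
// to default-src; a policy with neither directive does not restrict it.
function cspAllowsEval(policy) {
    var directives = Object.create(null);
    policy.split(';').forEach(function (part) {
        var tokens = part.trim().split(/\s+/);
        var name = tokens[0].toLowerCase();
        // The first occurrence of a directive wins; duplicates are ignored.
        if (name && !(name in directives)) {
            directives[name] = tokens.slice(1);
        }
    });
    var sources = directives['script-src'] || directives['default-src'];
    if (!sources) {
        return true;
    }
    return sources.some(function (s) {
        return s.toLowerCase() === "'unsafe-eval'";
    });
}

// Splits a bridge message into fields using the same offsets as the quoted
// processMessage. A 'J' message is reported and never evaluated. Payload
// decoding (buildPayload) is not on the page, so the payload stays a string.
function parseBridgeMessage(message) {
    var firstChar = message.charAt(0);
    if (firstChar === 'J') {
        return { type: 'rejected', reason: 'J message needs eval' };
    }
    var spaceIdx = message.indexOf(' ', 2);
    var nextSpaceIdx = message.indexOf(' ', spaceIdx + 1);
    var status = +message.slice(2, spaceIdx);
    var isCallback = firstChar === 'S' || firstChar === 'F';
    if (!isCallback || spaceIdx < 0 || nextSpaceIdx < 0 || isNaN(status)) {
        return { type: 'invalid' };
    }
    return {
        type: 'callback',
        success: firstChar === 'S',
        keepCallback: message.charAt(1) === '1',
        status: status,
        callbackId: message.slice(spaceIdx + 1, nextSpaceIdx),
        payload: message.slice(nextSpaceIdx + 1)
    };
}
```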