cordova-issues mailing list archives

From "Tim (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CB-11341) Camera access affected by CSP
Date Tue, 31 May 2016 20:46:12 GMT

     [ https://issues.apache.org/jira/browse/CB-11341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim updated CB-11341:
---------------------
    Description: 
When "Content-Security-Policy:" directive is missing from the content attribute, the Camera
access alert won't display. However, if the iOS app is suspended and then resumed the Camera
access will display correctly; this could indicate that the Content Security Policy can be
bypassed.

<meta http-equiv="Content-Security-Policy" content=" default-src: 'none'" />
Doesn't work as expected. The camera alert access is not shown.

<meta http-equiv="Content-Security-Policy" content="Content-Security-Policy: default-src: 'none'" />
Works as expected. The camera alert access is shown.

How to reproduce:
1. Install camera plugin 2.2.0
> cordova plugin add cordova-plugin-camera
2. Remove "Content-Security-Policy:" from the "content" attribute for Content Security Policy
meta tag in index.html
3. Build iOS
> cordova platform add ios
4. The camera access alert won't display when the app loads
5. Suspend the camera app using the home button. Return to the app. The camera access alert
will now display.

Expected behavior:
The camera plugin should not be affected by the Content Security Policy. And "Cordova build
ios" should catch poorly formatted CSP meta tags.

  was:
When "Content-Security-Policy:" directive is missing from the content attribute, the Camera
access alert won't display. However, if the iOS app is suspended and then resumed the Camera
access will display correctly.

<meta http-equiv="Content-Security-Policy" content=" default-src: 'none'" />
This causes the Camera plugin not to work properly.

<meta http-equiv="Content-Security-Policy" content="Content-Security-Policy: default-src: 'none'" />

attribute is removed from the Content Security Policy meta tag in index.html. Only when the
iOS app is suspended and resumed will the Camera access alert be displayed.

How to reproduce:
1. Install camera plugin 2.2.0
> cordova plugin add cordova-plugin-camera
2. Remove "media-src" from Content Security Policy meta tag in index.html
3. Build iOS
> cordova platform add ios
4. The camera access alert won't display when the app loads
5. Suspend the camera app using the home button. Return to the app. The camera access alert
will now display.



> Camera access affected by CSP
> -----------------------------
>
>                 Key: CB-11341
>                 URL: https://issues.apache.org/jira/browse/CB-11341
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Plugin Camera
>    Affects Versions: 2.2.0
>         Environment: iOS 8.4 - iPhone 4S
>            Reporter: Tim
>            Priority: Minor
>              Labels: iOS, triaged
>
> When "Content-Security-Policy:" directive is missing from the content attribute, the Camera access alert won't display. However, if the iOS app is suspended and then resumed the Camera access will display correctly; this could indicate that the Content Security Policy can be bypassed.
> <meta http-equiv="Content-Security-Policy" content=" default-src: 'none'" />
> Doesn't work as expected. The camera alert access is not shown.
> <meta http-equiv="Content-Security-Policy" content="Content-Security-Policy: default-src: 'none'" />
> Works as expected. The camera alert access is shown.
> How to reproduce:
> 1. Install camera plugin 2.2.0
> > cordova plugin add cordova-plugin-camera
> 2. Remove "Content-Security-Policy:" from the "content" attribute for Content Security Policy meta tag in index.html
> 3. Build iOS
> > cordova platform add ios
> 4. The camera access alert won't display when the app loads
> 5. Suspend the camera app using the home button. Return to the app. The camera access alert will now display.
> Expected behavior:
> The camera plugin should not be affected by the Content Security Policy. And "Cordova build ios" should catch poorly formatted CSP meta tags.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
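
The report asks that the build catch poorly formatted CSP meta tags. As an added example (not part of the original message and not Cordova's own code), this Node.js check flags the two patterns quoted in the report: the header name repeated inside the `content` attribute, and directive names ending in a colon, neither of which is valid CSP syntax. The function names and the sample HTML are constructed for illustration.

```javascript
// Added example, not Cordova code; lintPolicy/lintCspMeta are hypothetical names.
// CSP grammar: a directive name is letters, digits and '-', followed by
// whitespace and its values; directives are separated by ';'.
const NAME_RE = /^[A-Za-z0-9-]+$/;
const HEADER_PREFIX_RE = /^\s*content-security-policy\s*:/i;

// Lint one serialized policy string; returns an array of problem strings.
function lintPolicy(policy) {
  const problems = [];
  if (HEADER_PREFIX_RE.test(policy)) {
    problems.push('header name repeated inside the content attribute');
    policy = policy.replace(HEADER_PREFIX_RE, ''); // keep linting the rest
  }
  const directives = policy.split(';').map(d => d.trim()).filter(Boolean);
  if (directives.length === 0) problems.push('policy is empty');
  for (const directive of directives) {
    const name = directive.split(/\s+/)[0];
    if (name.endsWith(':')) {
      problems.push(`directive name "${name}" ends with a colon`);
    } else if (!NAME_RE.test(name)) {
      problems.push(`directive name "${name}" has invalid characters`);
    }
  }
  return problems;
}

// Find every CSP <meta> tag in an HTML string and lint its content value.
function lintCspMeta(html) {
  const results = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']content-security-policy["']/i.test(tag)) continue;
    const m = tag.match(/\scontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    const policy = m ? (m[1] !== undefined ? m[1] : m[2]) : '';
    results.push({ policy: policy.trim(), problems: lintPolicy(policy) });
  }
  return results;
}

// Constructed sample input: the two tags quoted in the report plus a
// well-formed one for comparison.
const SAMPLE_HTML = `
<meta http-equiv="Content-Security-Policy" content=" default-src: 'none'" />
<meta http-equiv="Content-Security-Policy" content="Content-Security-Policy: default-src:
'none'" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; media-src *" />
`;
for (const r of lintCspMeta(SAMPLE_HTML)) {
  console.log(JSON.stringify(r.policy), '->', r.problems.length ? r.problems : 'ok');
}
```

A non-empty `problems` array for any tag is the condition a build hook would fail on.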

