cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CB-11341) Camera access affected by CSP
Date Wed, 01 Jun 2016 12:29:59 GMT

     [ https://issues.apache.org/jira/browse/CB-11341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Tim updated CB-11341:
---------------------
    Description: 
When Content Security Policy is modified (e.g. default-src: 'none'), it breaks the camera
access alert for iOS.

If the app is suspended and resumed, the camera access alert will pop-up - and the following
warning will be reported in Xcode.

Warning: Attempt to present <CDVCameraPicker: 0x170b7600> on <MainViewController:
0x16d6f090> whose view is not in the window hierarchy!

However, if the iOS app is suspended and then resumed the camera access will display correctly;
this could indicate that the Content Security Policy can be bypassed.

How to reproduce:
1. Install camera plugin 2.2.0
> cordova plugin add cordova-plugin-camera
2. Modify the CSP meta-tag in index.html
3. Build iOS
> cordova platform add ios
4. The camera access alert won't display when the app loads
5. Suspend the camera app using the home button. Return to the app. The camera access alert
will now display.

Expected behavior:
The camera plugin should not be affected by the Content Security Policy. And "Cordova build
ios" should catch poorly formatted CSP meta tags.

  was:
When "Content-Security-Policy:" directive is missing from the content attribute, the Camera
access alert won't display. However, if the iOS app is suspended and then resumed the Camera
access will display correctly; this could indicate that the Content Security Policy can be
bypassed.

<meta http-equiv="Content-Security-Policy" content=" default-src: 'none'" />
Doesn't work as expected. The camera alert access is not shown.

<meta http-equiv="Content-Security-Policy" content="Content-Security-Policy: default-src:
'none'" />
Works as expected. The camera alert access is shown.

How to reproduce:
1. Install camera plugin 2.2.0
> cordova plugin add cordova-plugin-camera
2. Remove "Content-Security-Policy:" from the "content" attribute for Content Security Policy
meta tag in index.html
3. Build iOS
> cordova platform add ios
4. The camera access alert won't display when the app loads
5. Suspend the camera app using the home button. Return to the app. The camera access alert
will now display.

Expected behavior:
The camera plugin should not be affected by the Content Security Policy. And "Cordova build
ios" should catch poorly formatted CSP meta tags.


> Camera access affected by CSP
> -----------------------------
>
>                 Key: CB-11341
>                 URL: https://issues.apache.org/jira/browse/CB-11341
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Plugin Camera
>    Affects Versions: 2.2.0
>         Environment: iOS 8.4 - iPhone 4S
>            Reporter: Tim
>            Priority: Minor
>              Labels: iOS, triaged
>
> When Content Security Policy is modified (e.g. default-src: 'none'), it breaks the camera
access alert for iOS.
> If the app is suspended and resumed, the camera access alert will pop-up - and the following
warning will be reported in Xcode.
> Warning: Attempt to present <CDVCameraPicker: 0x170b7600> on <MainViewController:
0x16d6f090> whose view is not in the window hierarchy!
> However, if the iOS app is suspended and then resumed the camera access will display
correctly; this could indicate that the Content Security Policy can be bypassed.
> How to reproduce:
> 1. Install camera plugin 2.2.0
> > cordova plugin add cordova-plugin-camera
> 2. Modify the CSP meta-tag in index.html
> 3. Build iOS
> > cordova platform add ios
> 4. The camera access alert won't display when the app loads
> 5. Suspend the camera app using the home button. Return to the app. The camera access
alert will now display.
> Expected behavior:
> The camera plugin should not be affected by the Content Security Policy. And "Cordova
build ios" should catch poorly formatted CSP meta tags.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message