cordova-issues mailing list archives

From Sondre Bjellås (JIRA) <>
Subject [jira] [Created] (CB-12566) WKWebViewEngine does not use CSP meta-tag, fails to load about:blank
Date Mon, 13 Mar 2017 14:21:41 GMT
Sondre Bjellås created CB-12566:

             Summary: WKWebViewEngine does not use CSP meta-tag, fails to load about:blank
                 Key: CB-12566
             Project: Apache Cordova
          Issue Type: Bug
          Components: Plugin WKWebViewEngine
            Reporter: Sondre Bjellås
            Assignee: Shazron Abdullah

When adding the WKWebView plugin to a Cordova project, the CSP meta-tag in the externally hosted
HTML file is probably not used/parsed, or is there another way to configure CSP for the plugin?

I have a working app using the default web view engine on iOS. When it is replaced with the
WKWebView, the app will log thousands of messages to the console. The error also results in
the Cordova runtime and plugins not being loaded and not working in the app.

The plugin is added with the following elements in config.xml:

<feature name="CDVWKWebViewEngine">
	<param name="ios-package" value="CDVWKWebViewEngine" />
</feature>
<preference name="CordovaWebViewEngine" value="CDVWKWebViewEngine" />
<plugin name="cordova-plugin-wkwebview-engine" spec="~1.1.2" />

To see this behavior, simply run the project in the simulator, and then debug using Safari
and connect to the simulator.

Output in Web Inspector in Safari:

[blocked] The page at about:blank was not allowed to display insecure content from gap://ready.

This is the current content of the CSP; I have attempted many different variations with no success:

<meta http-equiv="Content-Security-Policy" content="frame-src * gap://ready; default-src
'self' gap://ready file://* *; connect-src * blob: data:; style-src * 'unsafe-inline'; script-src
* 'unsafe-eval' 'unsafe-inline'; img-src data: *">

(CSP header taken from this issue:

The errors are not logged when the index.html within the app is loaded, but appear when externally
linked HTML is loaded. The redirect is done using JavaScript code that changes window.location.href.
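
Added example, not part of the original message or of the Cordova project: a small script that parses the policy quoted in the report, resolves each fetch directive through its CSP fallback chain, and lists the directives that allow `*`, 'unsafe-inline' or 'unsafe-eval'. The function names and the set of flagged expressions are assumptions chosen for illustration.

```javascript
// Policy string copied from the report above, with the e-mail line breaks joined.
const POLICY = "frame-src * gap://ready; default-src 'self' gap://ready file://* *; " +
  "connect-src * blob: data:; style-src * 'unsafe-inline'; " +
  "script-src * 'unsafe-eval' 'unsafe-inline'; img-src data: *";

// Fallback chains (CSP Level 3); any directive not listed falls back to default-src.
const FALLBACK = {
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// Source expressions flagged for review (illustrative choice, not an official list).
const BROAD = new Set(["*", "'unsafe-inline'", "'unsafe-eval'"]);

// Split a serialized policy into Map<directive, sources>; the first occurrence wins.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return the source list that governs `directive`, following its fallbacks.
function effectiveSources(policy, directive) {
  const chain = [directive, ...(FALLBACK[directive] || ["default-src"])];
  for (const name of chain) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null }; // nothing in the policy restricts it
}

// List every requested directive whose effective source list has a broad expression.
function audit(policy, directives) {
  const findings = [];
  for (const d of directives) {
    const { from, sources } = effectiveSources(policy, d);
    if (sources === null) { findings.push(`${d}: unrestricted`); continue; }
    const broad = sources.filter((s) => BROAD.has(s.toLowerCase()));
    if (broad.length) findings.push(`${d} (via ${from}): ${broad.join(" ")}`);
  }
  return findings;
}

const policy = parsePolicy(POLICY);
const CHECKED = ["script-src", "style-src", "frame-src", "connect-src", "img-src", "object-src"];
console.log(audit(policy, CHECKED).join("\n"));
```
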
