cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sondre Bjellås (JIRA) <>
Subject [jira] [Commented] (CB-12566) WKWebViewEngine does not use CSP meta-tag, fails to load about:blank
Date Mon, 13 Mar 2017 21:47:41 GMT


Sondre Bjellås commented on CB-12566:

Create a repo project here, I will have to verify tomorrow at the office where I have the
Mac and everything. I'll leave a comment here tomorrow if this repo is enough to reproduce
the error, or if there are additional changes I need to do to replicate the problem: [](

> WKWebViewEngine does not use CSP meta-tag, fails to load about:blank
> --------------------------------------------------------------------
>                 Key: CB-12566
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Plugin WKWebViewEngine
>            Reporter: Sondre Bjellås
>            Assignee: Shazron Abdullah
> When adding the WKWebView plugin to a Cordova project, the CSP meta-tag in externally
hosted HTML file is probably not used/parsed, or there is another way to configure CSP for
the plugin?
> Have a working app using the default web view engine on iOS, when it is replaced with
the WKWebView, the app will log thousands of messages to the console. The error also results
in Cordova runtime and plugins not being loaded and not working in the app.
> The plugin is added with the following elements in config.xml:
> <feature name="CDVWKWebViewEngine">
> 	<param name="ios-package" value="CDVWKWebViewEngine" />
> </feature>
> <preference name="CordovaWebViewEngine" value="CDVWKWebViewEngine" />
> <plugin name="cordova-plugin-wkwebview-engine" spec="~1.1.2" />
> To see this behavior, simply run the project in the simulator, and then debug using Safari
and connect to simulator.
> Output in Web Inspect in Safari:
> [blocked] The page at about:blank was not allowed to display insecure content from gap://ready.
> This is the current content of the CSP, have attempted many different variations with
no success:
> <meta http-equiv="Content-Security-Policy" content="frame-src * gap://ready; default-src
'self' gap://ready file://* *; connect-src * blob: data:; style-src * 'unsafe-inline'; script-src
* 'unsafe-eval' 'unsafe-inline'; img-src data: *">
> (CSP header taken from this issue:
> The errors is not logged when the index.html within the app is loaded, but appears when
externally linked HTML is loaded. Redirect is done using JavaScript code that changes window.location.href.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message