cordova-issues mailing list archives

From "Michael Schmidt (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CB-12669) cordova.js contains inline script on windows - CSP violation, potentially insecure
Date Tue, 18 Apr 2017 13:45:41 GMT
Michael Schmidt created CB-12669:
------------------------------------

             Summary: cordova.js contains inline script on windows - CSP violation, potentially insecure
                 Key: CB-12669
                 URL: https://issues.apache.org/jira/browse/CB-12669
             Project: Apache Cordova
          Issue Type: Bug
          Components: Windows
         Environment: cordova: 6.5.0
cordova-windows: 4.4.3
cordova-android 6.1.2
cordova-ios 4.3.1
            Reporter: Michael Schmidt


Including the cordova script seems to cause a CSP violation on Windows:

With
{code}
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
  <script src="cordova.js"></script>
{code}

the following error message appears:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">:
inline script. Resource will be blocked.
{code}

This message disappears when the cordova.js script tag is commented out.

The same source code works on the other platforms, iOS & Android, without a problem, i.e.
cordova.js seems to have problematic Windows-specific code.

For security reasons we don't want to add the "unsafe-inline" flag to the CSP.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
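
Added example, not part of the original message and not Cordova project code: a JavaScript helper that checks whether a policy such as the one in the report permits inline scripts, plus a `securitypolicyviolation` listener that logs which file triggered the block. Function names and the sample event are constructed; the checker covers `script-src` with `default-src` fallback only, and it is an assumption that the target WebView fires the `securitypolicyviolation` event.

```javascript
// Added example. Helper names are hypothetical; only the policy string
// used at the bottom comes from the report above.

// Parse a CSP string into a Map: directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive that appears twice is ignored the second time.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would an inline <script> carrying no nonce be allowed to run?
function inlineScriptVerdict(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };
  const lower = sources.map((s) => s.toLowerCase());
  const pinned = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (!lower.includes("'unsafe-inline'")) {
    return { allowed: false, reason: "'unsafe-inline' absent" };
  }
  // CSP2+: a nonce or hash source makes the browser ignore 'unsafe-inline'.
  if (pinned) return { allowed: false, reason: "'unsafe-inline' overridden by nonce/hash" };
  return { allowed: true, reason: "'unsafe-inline' present" };
}

// Turn a SecurityPolicyViolationEvent (or a plain object with the same
// fields) into one log line naming the file that triggered the block.
function describeViolation(e) {
  const where = e.sourceFile
    ? `${e.sourceFile}:${e.lineNumber}:${e.columnNumber}`
    : 'unknown location';
  const directive = e.effectiveDirective || e.violatedDirective;
  return `${directive} blocked ${e.blockedURI || 'inline'} at ${where}`;
}

// In a page: register before cordova.js loads. Skipped outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => {
    console.warn(describeViolation(e));
  });
}

const REPORTED_POLICY = "script-src 'self' 'unsafe-eval';";
console.log(inlineScriptVerdict(REPORTED_POLICY));
```

The listener has to live in an external file served from the app's own origin and referenced by a `<script src>` placed before the cordova.js tag, since an inline listener would itself be blocked by the policy.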
