cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Schmidt (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CB-12669) cordova.js contains inline script on windows - CSP violation, potentially insecure
Date Tue, 18 Apr 2017 13:45:41 GMT

     [ https://issues.apache.org/jira/browse/CB-12669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Schmidt updated CB-12669:
---------------------------------
    Description: 
Including the cordova script seems to cause a CSP violation on windows:

with 
{code}
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
  <script src="cordova.js"></script>
{code}

the following error message appears on the Windows platform:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">:
inline script. Resource will be blocked.
{code}

this message disappears on commenting the cordova.js script tag out

The same source code works on the other platform iOS & Android without a problem, i.e.
the cordova.js seems to have problematic windows-specific code.

For security reasons we don't want to add the "unsafe-inline" flag to the csp.

  was:
Including the cordova script seems to cause a CSP violation on windows:

with 
{code}
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
  <script src="cordova.js"></script>
{code}

the following error message appears:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">:
inline script. Resource will be blocked.
{code}

this message disappears on commenting the cordova.js script tag out

The same source code works on the other platform iOS & Android without a problem, i.e.
the cordova.js seems to have problematic windows-specific code.

For security reasons we don't want to add the "unsafe-inline" flag to the csp.


> cordova.js contains inline script on windows - CSP violation, potentially insecure
> ----------------------------------------------------------------------------------
>
>                 Key: CB-12669
>                 URL: https://issues.apache.org/jira/browse/CB-12669
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Windows
>         Environment: cordova: 6.5.0
> cordova-windows: 4.4.3
> cordova-android 6.1.2
> cordova-ios 4.3.1
>            Reporter: Michael Schmidt
>
> Including the cordova script seems to cause a CSP violation on windows:
> with 
> {code}
>   <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
>   <script src="cordova.js"></script>
> {code}
> the following error message appears on the Windows platform:
> {code}
> CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">:
inline script. Resource will be blocked.
> {code}
> this message disappears on commenting the cordova.js script tag out
> The same source code works on the other platform iOS & Android without a problem,
i.e. the cordova.js seems to have problematic windows-specific code.
> For security reasons we don't want to add the "unsafe-inline" flag to the csp.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message