Content Security Policy violation #6
Comments
Off the top of my head, no. I haven't dug into CSP enough to know if this could be locked down to just allow the app to inject. If you go ahead and modify your CSP let me know what you end up with. I'll get something in the README on the topic.
^ This is what I came up with, what do you think?
After digging around a bit I think I'm ok with the change but I need to do some testing before I merge it. In short, your update works because you have Thanks for the fix! If all goes well with my testing I'll merge it in the next day or two.
Great info, thanks for your quick responses!
@illegalprime is it impossible to update your CSP? What you'd need is:
The default index.html generated by cordova contains something similar but actually opens up to all data URLs for the current site (the plugin works out of the box with it):
The innerHTML change isn't awful but it feels dirty. I'd rather be explicit about how the library gets injected and also not have it stop working one day because the innerHTML hole got plugged by some browser update. Sorry for waffling so much on this but I'd rather leave things as is and update the documentation to more clearly state the injection requirements.
I've updated the README. Thanks for the report and forcing me to learn a little bit. ;) If we find it to be a more serious issue I'm fine revisiting but I'd prefer the site owner to update their CSP.
When the plugin attempts to load the Cordova files, I receive an error:
Is there a way to load the Cordova APIs without changing my CSP?