
Content Security Policy violation #6

Closed
illegalprime opened this issue May 17, 2016 · 6 comments

Comments

@illegalprime

When plugin attempts to load the Cordova files, I receive an error:

Refused to load the script
'data:text/javascript;base64,Ly8gUGxhdGZvcm06IGFuZHJvaWQKLy8gYzUxN2NhODExYjQ…'
because it violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' 'unsafe-eval' http://…"

Is there a way to load the cordova apis without changing my csp?

@bradleyjames
Collaborator

Off the top of my head, no. I haven't dug into CSP enough to know if this could be locked down to just allow the app to inject.

If you go ahead and modify your CSP let me know what you end up with. I'll get something in the README on the topic.

@illegalprime
Author

^ This is what I came up with, what do you think?

@bradleyjames
Collaborator

After digging around a bit I think I'm ok with the change but I need to do some testing before I merge it. In short, your update works because you have 'unsafe-inline' already in your CSP which is required to load the javascript: URL. The issue you ran into was I was loading the script via a data URL which is prevented unless the CSP specifies data: (which Mozilla highly discourages).

Thanks for the fix! If all goes well with my testing I'll merge it in the next day or two.

@illegalprime
Author

Great info, thanks for your quick responses!

@bradleyjames
Collaborator

@illegalprime is it impossible to update your CSP?

What you'd need is:

script-src 'self' data:;

The default index.html generated by cordova contains something similar but actually opens up to all data URLs for the current site (the plugin works out of the box with it):

default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; ...

The innerHTML change isn't awful but it feels dirty. I'd rather be explicit about how the library gets injected and also not have it stop working one day because the innerHTML hole got plugged by some browser update.

Sorry for waffling so much on this but I'd rather leave things as is and update the documentation to more clearly state the injection requirements.
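An added example, not code from the plugin or from anyone in this thread: a small evaluator for the two CSP questions the discussion turns on, whether a policy lets a script load from a data: URL and whether it lets a javascript: URL (treated as inline script) run. The sample policies are constructed; the reporter's truncated host is replaced with a placeholder.

```javascript
// Added example, not the plugin's code. Follows the CSP rules for scheme-sources,
// 'unsafe-inline', nonce/hash precedence and the script-src -> default-src
// fallback; it is not a full CSP engine (no host matching, no 'strict-dynamic').

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    // CSP: when a directive name is repeated, the first occurrence wins.
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Effective source list for scripts: script-src, else default-src, else unrestricted.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || null;
}

// A data: URL only matches the scheme-source "data:". 'self', host-sources and
// even '*' never match data:, which is why the base64 script in this issue was refused.
function allowsDataUrlScript(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.some((s) => s.toLowerCase() === 'data:');
}

// javascript: URLs are governed like inline script: they need 'unsafe-inline',
// and any nonce- or hash-source in the list switches 'unsafe-inline' off.
function allowsJavascriptUrl(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return !hasNonceOrHash && lower.includes("'unsafe-inline'");
}

// Constructed sample policies: the reporter's (host is a placeholder), the Cordova
// default quoted above, and the explicit data: fix suggested in the thread.
const REPORTER_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://example.invalid";
const CORDOVA_DEFAULT_CSP = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'";
const EXPLICIT_FIX_CSP = "script-src 'self' data:";

console.log(allowsDataUrlScript(REPORTER_CSP), allowsJavascriptUrl(REPORTER_CSP)); // false true
```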

@bradleyjames
Collaborator

I've updated the README. Thanks for the report and forcing me to learn a little bit. ;) If we find it to be a more serious issue I'm fine revisiting but I'd prefer the site owner to update their CSP.
