Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
881 views
in Technique[技术] by (71.8m points)

ionic framework - Cordova Content Security Policy

I have a Cordova app and after upgrading (5.0.0) it I'm unable to call any resource at all. I've added the whitelist plugin and added the following tag to index.html

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.azure-mobile.net localhost:1337 *.ajax.aspnetcdn.com">

I got the following errors:

Refused to load the script 'http://ajax.aspnetcdn.com/ajax/mobileservices/MobileServices.Web-1.2.5.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.azure-mobile.net localhost:1337 *.ajax.aspnetcdn.com".

Refused to load the script 'http://localhost:1337/vorlon.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.azure-mobile.net localhost:1337 *.ajax.aspnetcdn.com".

I've tried with the default policy that should allow everything, but still no luck.

I've also added the following to my config.xml file

<access origin="*" />
<allow-navigation href="*" />

and using the following plugins:

C:ProjectsTavlaApp>cordova plugin
com.microsoft.azure-mobile-services 1.2.7 "Windows Azure Mobile Services"
cordova-plugin-whitelist 1.0.1-dev "Whitelist"
nl.x-services.plugins.calendar 4.3.4 "Calendar"
nl.x-services.plugins.insomnia 4.0.1 "Insomnia (prevent screen sleep)"
org.apache.cordova.inappbrowser 0.6.0 "InAppBrowser"

Any idea's what to try?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Wildcards are accepted, but only as a scheme, a port, or in the leftmost position of the hostname:

*://*.example.com:* 

...this would match all subdomains of example.com (but not example.com itself), using any scheme, on any port.

The key here, for you, might be the part in bold above.

You're specifying:

localhost:1337

*.ajax.aspnetcdn.com

But yet calling

http://ajax.aspnetcdn.com

http://localhost:1337

Maybe change to

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.azure-mobile.net http://localhost:1337 http://ajax.aspnetcdn.com">

I'm specifying port, but you could replace "http" with *

Hopefully this helps, or leads you in right direction.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...