breautek edited a comment on issue #560: Content-security-policy bug

URL: https://github.com/apache/cordova-android/issues/560#issuecomment-533932077

I've looked into this a bit deeper, creating my own test server to use, as the CSP policy must come from HTTP headers for `frame-ancestors`.

I've run tests both on Cordova & Desktop. Desktop appears to run fine, including when the page is loaded through the `file://` protocol (i.e. just opening an HTML page from the filesystem).

Mobile appears to disallow this. The protocol must not be `file://` in my tests, which means the page needs to be loaded from a place other than the file system. This is a problem with the default webview provided by Cordova, as files are... loaded from the filesystem directly.

A proof case is to have the following inside your `config.xml`:

```xml
...
<content src="http://remote.example.com/outer.html" />
```

Here, the app content `outer.html` will be loaded from the webserver, and `location.origin` will have a `http://` origin path. The CSP policy will behave properly in this case.

Do note that this config **IS NOT** recommended if you use Cordova APIs and plugins, due to app store policies regarding executing native APIs remotely. This is just for proof that `frame-ancestors` CSP works under a `http` origin vs a `file` origin.

I don't know if this is an issue Cordova will fix, but basically using `frame-ancestors` CSP rules will not work with the default Android webview.

### Any Workarounds?

I have tested the [Ionic Webview](https://github.com/ionic-team/cordova-plugin-ionic-webview) with this. I know this webview provides some kind of proxy support so that files are not "loaded" from the filesystem and are instead loaded through the `http/s` protocol (or whatever [Scheme](https://github.com/ionic-team/cordova-plugin-ionic-webview#scheme) you choose). And the `frame-ancestors` CSP policy does appear to work properly using the Ionic webview due to their scheme implementation.

Note that I am not very familiar with the Ionic webview, and any questions specifically about the webview I probably cannot answer, but I do know that even though it's made by Ionic, you don't need to use the Ionic framework to use the webview.

I've provided a screenshot of the [reproduction repo](https://github.com/blukis/bugdemo-cordova-android-issue-560/) using the Ionic webview, and my changes can be found [here](https://github.com/blukis/bugdemo-cordova-android-issue-560/pull/1/files).
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
