[ 
https://issues.apache.org/jira/browse/CB-12669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Schmidt updated CB-12669:
---------------------------------
    Description: 
Including the cordova script seems to cause a CSP violation on Windows:

with
{code}
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
  <script src="cordova.js"></script>
{code}

the following error message appears on the Windows platform:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">: inline script. Resource will be blocked.
{code}

This message disappears when the cordova.js script tag is commented out.

The same source code works on the other platforms, iOS and Android, without a problem, i.e. cordova.js seems to have problematic Windows-specific code.

For security reasons we don't want to add the "unsafe-inline" flag to the CSP.

  was:
Including the cordova script seems to cause a CSP violation on Windows:

with
{code}
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
  <script src="cordova.js"></script>
{code}

the following error message appears:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">: inline script. Resource will be blocked.
{code}

This message disappears when the cordova.js script tag is commented out.

The same source code works on the other platforms, iOS and Android, without a problem, i.e. cordova.js seems to have problematic Windows-specific code.

For security reasons we don't want to add the "unsafe-inline" flag to the CSP.


> cordova.js contains inline script on Windows - CSP violation, potentially insecure
> ----------------------------------------------------------------------------------
>
>                 Key: CB-12669
>                 URL: https://issues.apache.org/jira/browse/CB-12669
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Windows
>         Environment: cordova: 6.5.0
> cordova-windows: 4.4.3
> cordova-android 6.1.2
> cordova-ios 4.3.1
>            Reporter: Michael Schmidt
>
> Including the cordova script seems to cause a CSP violation on Windows:
> with
> {code}
>   <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
>   <script src="cordova.js"></script>
> {code}
> the following error message appears on the Windows platform:
> {code}
> CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">: inline script. Resource will be blocked.
> {code}
> This message disappears when the cordova.js script tag is commented out.
> The same source code works on the other platforms, iOS and Android, without a problem, i.e. cordova.js seems to have problematic Windows-specific code.
> For security reasons we don't want to add the "unsafe-inline" flag to the CSP.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
