Michael Schmidt created CB-12669:
------------------------------------
Summary: cordova.js contains inline script on Windows - CSP violation, potentially insecure
Key: CB-12669
URL: https://issues.apache.org/jira/browse/CB-12669
Project: Apache Cordova
Issue Type: Bug
Components: Windows
Environment: cordova: 6.5.0
cordova-windows: 4.4.3
cordova-android 6.1.2
cordova-ios 4.3.1
Reporter: Michael Schmidt
Including the cordova script seems to cause a CSP violation on Windows:
with
{code}
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
<script src="cordova.js"></script>
{code}
the following error message appears:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in
<meta http-equiv="Content-Security-Policy">: inline script. Resource will be
blocked.
{code}
This message disappears when the cordova.js script tag is commented out.
The same source code works on the other platforms (iOS and Android) without a
problem, i.e. cordova.js seems to have problematic Windows-specific code.
For security reasons we don't want to add the "unsafe-inline" flag to the CSP.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)