[
https://issues.apache.org/jira/browse/CB-11341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
jcesarmobile closed CB-11341.
-----------------------------
Resolution: Not A Problem
What prevents the plugin from working is not having gap: in the
Content-Security-Policy.
Might be a security risk, but it's apple who controls the
Content-Security-Policy, so you should report it to them
> iOS camera access affected by frame-src
> ---------------------------------------
>
> Key: CB-11341
> URL: https://issues.apache.org/jira/browse/CB-11341
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-plugin-camera
> Affects Versions: 2.2.0
> Environment: iOS 8.4 - iPhone 4S
> Reporter: Tim
> Priority: Minor
> Labels: iOS, triaged
>
> On iOS - when the frame-src directive is set to 'self' in the Content
> Security Policy meta-tag it suppresses the alert provided to users so that
> they can enable their camera.
> <meta http-equiv="Content-Security-Policy" content="frame-src: 'self'" />
> Furthermore, If the app is suspended and resumed, the alert will then pop-up
> on the screen.
> This could indicate a security risk, because the camera alert can bypass
> frame-src.
> How to reproduce:
> 1. Install camera plugin 2.2.0
> > cordova plugin add cordova-plugin-camera
> 2. Modify frame-src to 'self' in the content-security-policy meta-tag in
> index.html
> 3. Build iOS
> > cordova build ios
> 4. The camera access alert won't display when the app loads
> 5. Suspend the camera app using the home button. Return to the app. The
> camera access alert will now display.
> Expected behavior:
> The camera plugin should not be affected by the Content Security Policy. And
> "Cordova build ios" should catch poorly formatted CSP meta tags.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
