Thanks in advance.
I'm a little bit stopped and frustrated with phaser and it's cache system that it seems can't load resources with protocol "file://".
Normally it is not a problem because it runs on a browser online using "http" or "https" protocol, that works perfectly.
Anyone knows how to solve this?
This is my code, usually way to cache resources:
preload: function(){
game.load.image('background', 'white.jpg');
game.load.image('ball', 'bubble256.png');
game.load.audio('explode', 'explosion.ogg');
}
And the code running inside webview looks like this:
https://imgur.com/a/wOxzKiD
I had a simar issue. In my case, I added 'blob:' to img-src inside meta in index.html
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content: blob:;">
Related
Having tried all that I could, finally I resort here for some expert advice.
This can't be a complex problem for someone like you to solve. Quite sure it's an easy tackle for you!
The error pooping on the screen is as follows
Following is the meta tag that the app has:
<meta http-equiv="Content-Security-Policy"
content="default-src 'none'; connect-src 'self';font-src 'self'; img-src 'self' data: https:; style-src 'self' ; script-src 'self'">
Tried to find the favicon.ico, but couldn't find any.
My head is spinning now!
Looking forward for your help!
Thanks a TON!
The CSP you shown does contain the img-src, so Chrome console warn means this CSP does not acts on the page, but on page does act some another CSP.
Looks like your app does issue a default CSP somewhere and this CSP does not contain img-src directive.
So you do have 2 CSPs at the same time, in this case acts more restrictive one.
Check the presence the second <meta http-equiv="Content-Security-Policy" tag (in the HTML code) or HTTP header Content Security Policy (in the dev tool).
Alternatively you could remove your:
<meta http-equiv="Content-Security-Policy"
content="default-src 'none'; connect-src 'self';font-src 'self'; img-src 'self' data: https:; style-src 'self' ; script-src 'self'">
and to see that the same warns still presence in the Chrome console because of second CSP.
Updated: after some researches it was found a real reason of /favicon blocking for the above case.
<meta http-equiv="Content-Security-Policy"
content="default-src 'none'; connect-src 'self';font-src 'self'; img-src 'self' data: https:; style-src 'self' ; script-src 'self'">
Seeing this code:
You have set default-src 'none' and overriding it with img-src 'self' data: https:.
But the protocol in use is http.
I use plugin cordova-plugin-fetch to fetch data from URL/JSON.
This data is correctly fetched (cors is set to true)
In the next step, I add URL to style like background.
this tags dont work:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *; img-src * " />
item.style.backgroundImage = `url("${resp.image}")`;
resp.image have correctly path, which work corretly in app open with browser.
But inbuilt images not display, added like above or like src to the image, where is the problem?
I am new to metabase. I have downloaded the metabase source code and hosted it in the Ubuntu 16.04 LTS server.When I am starting the Metabase server with the "lein ring server" command, I get "java.awt.HeadlessException". I have read some where in the github issues only that it can be ignored. Front end is built with "yarn run build-hot" command. When accessing the front end from the browser, I get the following errors
Refused to load the script
'http://locahost:8080/app/dist/vendor.hot.bundle.js?222bfa78ab06d868cbf4'
because it violates the following Content Security Policy directive:
"script-src 'unsafe-inline' 'unsafe-eval' 'self'
https://maps.google.com https://apis.google.com
https://www.google-analytics.com https://*.googleapis.com
*.gstatic.com localhost:8080".
Refused to load the script
'http://locahost:8080/app/dist/app-main.hot.bundle.js?222bfa78ab06d868cbf4'
because it violates the following Content Security Policy directive:
"script-src 'unsafe-inline' 'unsafe-eval' 'self'
https://maps.google.com https://apis.google.com
https://www.google-analytics.com https://*.googleapis.com
*.gstatic.com localhost:8080".
Its seems like CSP issue. U can fix this problem using
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://www.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com; style-src 'unsafe-inline' 'self' https://www.google.com; connect-src 'self' https://api.gole.in;img-src 'self' https://www.google.co.in/ads/ga-audiences; font-src 'self' data: https://fonts.gstatic.com;">
How to allow eval()?
I'm sure many people would say that you don't, since 'eval is evil' and the most likely cause for the impending end of the world. Those people would be wrong. Sure, you can definitely punch major holes into your site's security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like so:
content="script-src 'unsafe-eval'"
Reference Link : https://content-security-policy.com/
I am getting the following error on my page:
Refused to load the script 'http://127.0.0.1:35729/livereload.js' because it violates the following Content Security Policy directive: "script-src https: 'unsafe-inline' 'unsafe-eval'".
HTML
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;">
</head>
<body>
<script src="http://127.0.0.1:35729/livereload.js"></script>
I have tried to use a completely open just to get it working and then work backwards, however I even get the same error with this.
To be clear, this isn't for producition code, this is just to enable my live-reload-webpack on a domain that is using https.
You can use localhost:, though I believe using 'self' (including the single quotes) would also suffice in this situation. There are some odd cases where * is not actually all-inclusive (blob: for example is also excluded from * I believe).
As always it's good to check out your CSP with Google's Evaluator first.
Developing an app on version 5 of cordova (using the phonegap framework). The latest updates request you use a Content-Security-Policy meta tag as per their documentation: https://github.com/apache/cordova-plugin-whitelist
Here's my tag for the app:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.com">
When I include this everything works fine except console.log messages do not get pushed to terminal when running "phonegap serve" (a tool provided to 'test' your app using an app pre-installed on your device).
However if i remove the tag from my code then console.log messages get pushed to terminal correctly but i can no longer make data requests to my example.com domain.
I've tried many variances using http://content-security-policy.com/ as a guide but i can't get it to work correctly.
Note: This is a new facility in v5 of cordova, as previously this was all working without a problem.
Here an example of my settings in Content-Security-Policy. I don't have * in production, but then I have * replaced with all accepted locations.
Also I needed to add gap://ready for the IOS platform. Not quite sure why this needed, but when I debugged on IOS I saw that it threw an error on gap://ready.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' * gap://ready; style-src 'self' 'unsafe-inline' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *">
With above line my console.log() message do appear.