My app works fine on the browser but not on the device:
The ionic app only loads the HTML and CSS but does not load the http requests and run the JS.
In Xcode it's stuck at this point:
2016-06-18 11:43:59.169 waettr[719:414729] Apache Cordova native platform version 4.1.0 is starting.
2016-06-18 11:43:59.170 waettr[719:414729] Multi-tasking -> Device: YES, App: YES
2016-06-18 11:43:59.203 waettr[719:414729] Using UIWebView
2016-06-18 11:43:59.204 waettr[719:414729] [CDVTimer][handleopenurl] 0.057995ms
2016-06-18 11:43:59.205 waettr[719:414729] [CDVTimer][intentandnavigationfilter] 1.080990ms
2016-06-18 11:43:59.205 waettr[719:414729] [CDVTimer][gesturehandler] 0.043035ms
2016-06-18 11:43:59.217 waettr[719:414729] [CDVTimer][splashscreen] 12.061000ms
2016-06-18 11:43:59.224 waettr[719:414729] [CDVTimer][statusbar] 6.388009ms
2016-06-18 11:43:59.224 waettr[719:414729] [CDVTimer][keyboard] 0.630975ms
2016-06-18 11:43:59.225 waettr[719:414729] [CDVTimer][TotalPluginStartup] 20.883977ms
2016-06-18 11:43:59.366 waettr[719:414729] Resetting plugins due to page load.
2016-06-18 11:44:01.708 waettr[719:414729] Finished load of: file:///var/containers/Bundle/Application/8365EFD8-1FAA-4E82-8DB6-2ADCD8E53A90/waettr.app/www/index.html#/home
I have the following settings:
<access origin="*" />
<allow-navigation href="https://maps.googleapis.com/*"/>
<allow-navigation href="http://api.openweathermap.org/*"/>
This Tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' maps.googleapis.com 'unsafe-inline' 'unsafe-eval'">
What's my mistake? I'm getting headaches from this...
If you are making Ajax calls to:
<allow-navigation href="https://maps.googleapis.com/*"/>
<allow-navigation href="http://api.openweathermap.org/*"/>
which I guess is why you have those in your config.xml, then I recommend that you update your Content Security Policy meta tag to include a connect-src declaration. This defines where you can make Ajax calls to.
Try setting the following Content Security Policy:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; connect-src https://maps.googleapis.com http://api.openweathermap.org">
Here I added connect-src and the URLs that I think you are trying to make Ajax requests to. If you'd like more information on this, here's a relevant blog post.
Related
After installing and initializing my firebaseApp, when I try to run the signInWithPopup function, I get an error saying 'window is not defined'.
I am running the auth function in my service_worker file.
I have my content_security_policy set up like this, according to the official doc:
"content_security_policy": {
"extension_pages": "script-src 'self'; script-src-elem 'self' https://apis.google.com; object-src 'self';"
}
I'm developing a service with subdomain architecture, but my requests for JS modules get blocked with any Content-Security-Policy I try (even with just *).
Current URL: http://cod.boardmeister.local/
My head:
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.boardmeister.local"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="./media/style/dist/output.css">
<link rel="stylesheet" href="./media/style/imports.css">
JS:
<script type="module">
import * as components from './components.js';
</script>
Error:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).
I'm using NGINX and Firefox.
Also, when I try to import module as an external source:
<script type="module" src="./components.js" charset="utf-8"></script>
I'm getting Content Security Policy: The page’s settings blocked the loading of a resource at http://components.boardmeister.local/dito.min.js (“default-src”).
My components.js
import config from './config.js';
const { Dito } = await import(config.components_url + 'dito.min.js');
I found out that my NGINX config was setting Content-Security-Policy header which overwrote my own set in browser. This is the one that worked for my case:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.boardmeister.local; script-src 'self' 'unsafe-eval' *.boardmeister.local; style-src 'self' 'unsafe-inline'"/>
I am receiving a file from the http response like
http://max.com/test/getDoc?file=Zsdeiyigkbmf=asdasdhhghGthDEGB=b==cd
the pdf exists in the server and on a successful ajax call returns the path in binary array. It HAS to be encrypted I cannot see the actual path. It fetches and downloads the required pdf file directly after the following code is executed -
window.location="http://max.com/test/getDoc?file=Zsdeiyigkbmf=asdasdhhghGthDEGB=b==cd"
Now this code works fine on chrome or any other browser. However, the same code doesn't work in phonegap cordova (version 4.2.0). No error, no message from the client.
As of Cordova 5.0.0, it is required that you use the whitelist system. As such, you need to know the domain name of the servers you are talking to.
The solution I am going to give you is for general development. This method is NOT for production or final release, as both Google and Apple will reject your app, unless you have a very good reason to use this!
This whitelist worksheet should help.
HOW TO apply the Cordova/Phonegap whitelist system
It is required as of Cordova Tools 5.0.0 (April 21, 2015). For Phonegap Build, that means since cli-5.1.1 (16 Jun 2015)
Add this to your config.xml
<plugin name="cordova-plugin-whitelist" source="npm" spec="1.1.0" />
<allow-navigation href="*" />
<allow-intent href="*" />
<access origin="*" /> <!-- Required for iOS9 -->
NOTE YOUR APP IS NOW INSECURE. IT IS UP TO YOU TO SECURE YOUR APP.
Add the following to your index.html
<meta http-equiv="Content-Security-Policy"
content="default-src *;
style-src * 'self' 'unsafe-inline' 'unsafe-eval';
script-src * 'self' 'unsafe-inline' 'unsafe-eval';">
I have a problem with Android 5.0 Lollipop and the Google Maps API: I have a CSP error about unsafe-eval.
Here is the Error:
https://maps.googleapis.com/maps-api-v3/api/js/22/7/intl/es_ALL/main.js:65
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src * 'unsafe-inline'".
The Code:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'">
Inside my config.xml I have this:
<plugin name="cordova-plugin-whitelist" version="1" />
<access origin="*" />
I have no problems with Android 4.x, only with 5.x. I know it's because of the Chromium WebView, but I can't use Google Maps because of this error.
What can I do to fix this?
Thanks!
Try refactoring your Content-Security-Policy meta tag a little. I have the following working in a Cordova 5 / Android 5 app that uses Google Maps (; positions are different from yours):
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
I'm using Cordova 3.5.0 on iOS.
My application loads, the 'deviceReady' event is fired, but no plugin actions are executed until I put my app in the background (by going to the homescreen).
When I go back into my app, the 'resume' handler gets fired, logs show up in LLDB and the PushNotification plugin starts listening to events and tries to register push notifications.
Why does this only happen once I have put my app to sleep?
These are the installed plugins (cordova plugins ls):
com.patrickheneise.cordova.statusbar 0.0.2 "Status Bar"
com.phonegap.plugins.PushPlugin 2.2.1 "PushPlugin"
com.phonegap.plugins.actionsheet 1.0.0 "ActionSheet"
org.apache.cordova.console 0.2.10-dev "Console"
org.apache.cordova.dialogs 0.2.9-dev "Notification"
org.apache.cordova.vibration 0.3.10-dev "Vibration"
Thanks in advance.
I had the same problem in my own app with cordova 6.3.0.
After dozens of tests I found the problem.
I had a Content-Security-Policy meta-tag defined like this:
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
'unsafe-eval'; media-src *">
It turns out default-src * is not enough.
With the following policy it works:
<meta http-equiv="Content-Security-Policy" content="default-src *
'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval'; media-src *">
The key part here is the gap:
It seems to be required, to properly execute cordova plugin code on iOS.
But I still find it strange that the policy is influenced by resuming to the app.
Additional note: the problem seems to affect all plugins that are displayed outside the webview. I had it with cordova-plugin-camera, phonegap-plugin-barcodescanner, cordova-plugin-dialogs. Other plugins like cordova-plugin-file-transfer worked just fine.
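Both this answer's gap: fix and the earlier Google Maps question (whose policy spells the directive `script-src:` with a colon, while the error it produced cites default-src) come down to which directive governs a request and what `*` matches. The following is an added example, not code from the posts or from Cordova: a simplified model of CSP directive fallback and source matching, where the `frame-src` fetch type and the `gap://ready` URL are assumptions chosen for illustration.

```javascript
// Added example: simplified CSP model. Policy strings are copied from this page.
const TYPO = "default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " +
  "script-src: 'self' 'unsafe-inline' 'unsafe-eval'";
const FIXED = "default-src *; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const NO_GAP = FIXED + '; media-src *';
const WITH_GAP = NO_GAP.replace('default-src *',
  "default-src * 'self' data: gap: https://ssl.gstatic.com");

// Parse a policy into Map(directive name -> source list); first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Source list governing a fetch type: its own directive, else default-src.
function governing(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || null;
}

// eval() is permitted only if the governing script list has 'unsafe-eval'.
function evalAllowed(policy) {
  const sources = governing(parsePolicy(policy), 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// Match a URL against the governing list. Handles '*', scheme sources such as
// gap: and plain hosts; 'self', ports and paths are left out of this model.
function urlAllowed(policy, name, url) {
  const sources = governing(parsePolicy(policy), name);
  if (sources === null) return true;
  const { protocol, hostname } = new URL(url);
  return sources.some((src) => {
    // '*' covers network schemes only (simplified here to http and https).
    if (src === '*') return protocol === 'http:' || protocol === 'https:';
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === protocol;
    if (src.includes('://')) return src.toLowerCase() === `${protocol}//${hostname}`;
    return src.toLowerCase() === hostname;
  });
}
console.log(evalAllowed(TYPO), urlAllowed(NO_GAP, 'frame-src', 'gap://ready'));
```

With `script-src:` the directive name is not recognised, so eval is judged against default-src, which lacks 'unsafe-eval'; and `*` alone does not cover a custom scheme such as gap:, which has to be listed explicitly.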
Tom, although not really an answer as I'm not sure what fixed it, I can confirm that my app no longer does this. This is what I did:
Changed cordova to use 3.3.0 instead of 3.4.0 and at the same time, specified version numbers for my plugins:
<gap:plugin name="org.apache.cordova.console" version="0.2.7" />
<gap:plugin name="org.apache.cordova.contacts" version="0.2.11" />
<gap:plugin name="org.apache.cordova.device" version="0.2.8" />
<gap:plugin name="org.apache.cordova.device-orientation" version="0.3.5" />
<gap:plugin name="org.apache.cordova.dialogs" version="0.2.6" />
<gap:plugin name="org.apache.cordova.file" version="1.0.1" />
<gap:plugin name="org.apache.cordova.file-transfer" version="0.4.2" />
<gap:plugin name="org.apache.cordova.network-information" version="0.2.7" />
<gap:plugin name="org.apache.cordova.vibration" version="0.3.7" />
Then I re-built my app and it worked properly on iOS. So I then upgraded Cordova back to 3.4.0, kept the plugins the same, and it still worked.
So I don't know if it was because of an old plugin version or because I simply downgraded and then upgraded Cordova, but it has now fixed it.
Oh and FYI, I'm using Phonegap Build, so that's why it's easier to down/upgrade Phonegap/Cordova versions.