Apache Cordova: CSP Error - javascript

I have a problem with Android 5.0 Lollipop and the Google Maps API: I get a CSP error about unsafe-eval.
Here is the Error:
https://maps.googleapis.com/maps-api-v3/api/js/22/7/intl/es_ALL/main.js:65
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src * 'unsafe-inline'".
The Code:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'">
Inside my config.xml i have this:
<plugin name="cordova-plugin-whitelist" version="1" />
<access origin="*" />
I have no problems with Android 4.x, only with 5.x. I know it's because of the Chromium WebView, but I can't use Google Maps because of this error.
What can I do to fix this?
Thanks !

Try refactoring your Content-Security-Policy meta tag a little. I have the following working in a Cordova 5 / Android 5 app that uses Google Maps (the ; positions are different from yours):
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

Related

I'm getting this error in chrome extension working with firebase

I want to use Firebase in my Chrome extension but I'm getting this error.
I have added a content-security-policy in the manifest file but I'm getting this error:
Refused to load the script 'https://www.gstatic.com/firebasejs/8.9.1/firebase-app.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
My content-security-policy in my manifest file is this:
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'",
"sandbox": "sandbox allow-scripts; script-src 'self' 'https://apis.google.com/' 'https://www.gstatic.com/*' 'https://*.firebaseio.com' 'https://www.googleapis.com' 'https://ajax.googleapis.com'; object-src 'self';"
}
Please help me to solve this error.

Content Security Policy in Manifest Version 3 for Chrome Extension

I am having trouble migrating my Chrome extension from MV2 to MV3. I read through the docs and still don't understand the Content Security Policy aspect of it.
I want to migrate this piece of the manifest.json file:
"content_security_policy": "script-src 'self' https://www.google-analytics.com https://cdn.firebase.com https://apis.google.com https://www.gstatic.com https://kit.fontawesome.com/; object-src 'self'"
So far I have this:
"content_security_policy": {
"extension_pages": "script-src 'self'; object-src 'self'"
}
But what about the links?
https://www.google-analytics.com https://cdn.firebase.com https://apis.google.com https://www.gstatic.com https://kit.fontawesome.com/

Getting content-security-policy error: refused to create worker

In my Angular project I'm getting the below-mentioned error:
refused to create a worker from 'blob:http://localhost:4200/d8633b89-9f70-4fd6-b08a-e369ccd34273' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
I know it's related to Content Security Policy. I have set up CSP. Here it is:
default-src 'self';
script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https://*.amazonaws.com;
media-src 'self' data: https://*.amazonaws.com;
connect-src 'self' http://localhost:* ws://localhost:*;
font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data:;
childSrc blob
worker-src blob:
But I'm still getting the error.
I believe the semicolons were missing to separate the font-src, child-src (I suppose childSrc is not correct) and worker-src:
default-src 'self';
script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data: https://*.amazonaws.com;
media-src 'self' data: https://*.amazonaws.com;
connect-src 'self' http://localhost:* ws://localhost:*;
font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data:;
child-src blob:;
worker-src blob:;

Cordova whitelist plugin does not work

My app works fine on the browser but not on the device:
The Ionic app only loads the HTML and CSS but does not perform the HTTP requests or run the JS.
In Xcode it's stuck at this point:
2016-06-18 11:43:59.169 waettr[719:414729] Apache Cordova native platform version 4.1.0 is starting.
2016-06-18 11:43:59.170 waettr[719:414729] Multi-tasking -> Device: YES, App: YES
2016-06-18 11:43:59.203 waettr[719:414729] Using UIWebView
2016-06-18 11:43:59.204 waettr[719:414729] [CDVTimer][handleopenurl] 0.057995ms
2016-06-18 11:43:59.205 waettr[719:414729] [CDVTimer][intentandnavigationfilter] 1.080990ms
2016-06-18 11:43:59.205 waettr[719:414729] [CDVTimer][gesturehandler] 0.043035ms
2016-06-18 11:43:59.217 waettr[719:414729] [CDVTimer][splashscreen] 12.061000ms
2016-06-18 11:43:59.224 waettr[719:414729] [CDVTimer][statusbar] 6.388009ms
2016-06-18 11:43:59.224 waettr[719:414729] [CDVTimer][keyboard] 0.630975ms
2016-06-18 11:43:59.225 waettr[719:414729] [CDVTimer][TotalPluginStartup] 20.883977ms
2016-06-18 11:43:59.366 waettr[719:414729] Resetting plugins due to page load.
2016-06-18 11:44:01.708 waettr[719:414729] Finished load of: file:///var/containers/Bundle/Application/8365EFD8-1FAA-4E82-8DB6-2ADCD8E53A90/waettr.app/www/index.html#/home
I have the following settings:
<access origin="*" />
<allow-navigation href="https://maps.googleapis.com/*"/>
<allow-navigation href="http://api.openweathermap.org/*"/>
This Tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' maps.googleapis.com 'unsafe-inline' 'unsafe-eval'">
What's my mistake? I'm getting headaches from this...
If you are making Ajax calls to:
<allow-navigation href="https://maps.googleapis.com/*"/>
<allow-navigation href="http://api.openweathermap.org/*"/>
which I guess is why you have those in your config.xml, then I recommend that you update your Content Security Policy meta tag to include a connect-src declaration. This defines where you can make Ajax calls to.
Try setting the following Content Security Policy:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; connect-src https://maps.googleapis.com http://api.openweathermap.org">
Here I added connect-src and the URLs that I think you are trying to make Ajax requests to. If you'd like more information on this, here's a relevant blog post.

Cordova only executes plugins after resume event

I'm using Cordova 3.5.0 on iOS.
My application loads, the 'deviceReady' event is fired, but no plugin actions are executed until I put my app in the background (by going to the homescreen).
When I go back into my app, the 'resume' handler gets fired, logs show up in LLDB and the PushNotification plugin starts listening to events and tries to register push notifications.
Why does this only happen once I have put my app to sleep?
These are the installed plugins (cordova plugins ls):
com.patrickheneise.cordova.statusbar 0.0.2 "Status Bar"
com.phonegap.plugins.PushPlugin 2.2.1 "PushPlugin"
com.phonegap.plugins.actionsheet 1.0.0 "ActionSheet"
org.apache.cordova.console 0.2.10-dev "Console"
org.apache.cordova.dialogs 0.2.9-dev "Notification"
org.apache.cordova.vibration 0.3.10-dev "Vibration"
Thanks in advance.
I had the same problem in my own app with cordova 6.3.0.
After dozens of tests I found the problem.
I had a Content-Security-Policy meta-tag defined like this:
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
'unsafe-eval'; media-src *">
It turns out default-src * is not enough.
With the following policy it works:
<meta http-equiv="Content-Security-Policy" content="default-src *
'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval'; media-src *">
The key part here is the gap:
It seems to be required to properly execute Cordova plugin code on iOS.
But I still find it strange that the policy is influenced by resuming the app.
Additional note: the problem seems to affect all plugins that are displayed outside the webview. I had it with cordova-plugin-camera, phonegap-plugin-barcodescanner, cordova-plugin-dialogs. Other plugins like cordova-plugin-file-transfer worked just fine.
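Several posts on this page run into the same two CSP behaviours: a directive that is absent or misspelt (script-src: with a colon, childSrc) is silently covered by a fallback directive, and a missing semicolon merges two directives into one. The evaluator below, added here as an example and not code from any of the posters, parses a policy string the way a browser does and reports which directive governs a load and whether it passes. It reproduces the first question's missing 'unsafe-eval' (default-src governs because "script-src:" is unknown), the Firebase extension's script-src-elem falling back to script-src, the blob: worker refused under the policy with missing semicolons and accepted under the corrected one, and this answer's gap: scheme, which default-src * does not cover because * never matches non-network schemes. Assumptions: the fallback chains are CSP Level 3's, the page origins (http://localhost:4200, a placeholder extension id, file:///app/www/index.html) are constructed for the example, and gap://ready stands for the iframe URL the cordova-ios bridge uses, which is my understanding rather than something stated on this page.

```javascript
// Added example, not from any post on this page: a small Content-Security-Policy
// evaluator. It parses a policy into directives, walks the fallback chain browsers use
// when a directive is absent (worker-src -> child-src -> script-src -> default-src,
// script-src-elem -> script-src -> default-src) and reports which directive governs a
// load and whether a URL or keyword is allowed. Page origins below are constructed.

// Fallback chains from CSP Level 3; anything not listed falls back straight to default-src.
const FALLBACKS = {
  'script-src-elem': ['script-src'], 'script-src-attr': ['script-src'],
  'worker-src': ['child-src', 'script-src'], 'frame-src': ['child-src'],
};

// "a b; c d" -> { a: ['b'], c: ['d'] }. Names are case-insensitive and the first occurrence
// wins, as in browsers. A missing ';' is not an error: the next directive's name and
// values just become more source values of the previous directive.
function parsePolicy(policy) {
  const directives = {};
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The directive that actually governs `directive` after fallback, or null if none is set.
function governingDirective(directives, directive) {
  const chain = [directive, ...(FALLBACKS[directive] || []), 'default-src'];
  return chain.find((name) => name in directives) || null;
}

// A scheme in a source expression also covers its secure upgrade (http -> https, ws -> wss).
function schemeOk(want, actual) {
  return want === actual || (want === 'http' && actual === 'https') || (want === 'ws' && actual === 'wss');
}

// Does one source expression match `url`? Handles *, 'self', scheme sources such as
// blob:/data:/gap:, and host sources with optional scheme, *.wildcard, port and path.
function sourceMatches(expr, url, self) {
  const lower = expr.toLowerCase();
  const urlScheme = url.protocol.slice(0, -1);
  const selfScheme = self.protocol.slice(0, -1);
  if (lower === '*') {
    // '*' covers network schemes and the page's own scheme, never blob:, data: or custom schemes
    return ['http', 'https', 'ws', 'wss'].includes(urlScheme) || urlScheme === selfScheme;
  }
  if (lower === "'self'") {
    // compares host, port and scheme; a blob: URL has no host of its own, so 'self' never matches it
    return url.hostname !== '' && url.hostname === self.hostname && url.port === self.port && schemeOk(selfScheme, urlScheme);
  }
  if (lower.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', 'none' match no URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme source
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::([0-9]+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeOk((scheme || selfScheme).toLowerCase(), urlScheme)) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) { if (!url.hostname.endsWith(h.slice(1))) return false; }
  else if (h !== '*' && url.hostname !== h) return false;
  if (port === undefined) { if (url.port !== '') return false; } // no port means the scheme default
  else if (port !== '*' && url.port !== port) return false;
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Would loading `urlString` under `directive` be allowed on a page at `selfOrigin`?
function evaluate(policy, directive, urlString, selfOrigin) {
  const directives = parsePolicy(policy);
  const governing = governingDirective(directives, directive);
  if (governing === null) return { governing, allowed: true }; // nothing restricts this load
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  return { governing, allowed: directives[governing].some((e) => sourceMatches(e, url, self)) };
}

// Does the directive governing `directive` carry a keyword such as 'unsafe-eval'?
function allowsKeyword(policy, directive, keyword) {
  const directives = parsePolicy(policy);
  const governing = governingDirective(directives, directive);
  const allowed = governing === null || directives[governing].some((e) => e.toLowerCase() === keyword);
  return { governing, allowed };
}

// Policies from the posts above, reproduced with their defects (the worker one abbreviated).
const CORDOVA_QUESTION = "default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'";
const CORDOVA_ANSWER = "default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const WORKER_BROKEN = `default-src 'self';
script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net/npm/pdfjs-dist#2.5.207/es5/build/pdf.worker.js;
font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data:;
childSrc blob
worker-src blob:`;
const WORKER_FIXED = WORKER_BROKEN.replace('childSrc blob\nworker-src blob:', 'child-src blob:;\nworker-src blob:;');
const BLOB_WORKER = 'blob:http://localhost:4200/d8633b89-9f70-4fd6-b08a-e369ccd34273';

// "script-src:" (with the colon) is an unknown directive, so default-src governs and lacks 'unsafe-eval'
console.log(allowsKeyword(CORDOVA_QUESTION, 'script-src', "'unsafe-eval'")); // { governing: 'default-src', allowed: false }
console.log(evaluate(WORKER_BROKEN, 'worker-src', BLOB_WORKER, 'http://localhost:4200')); // { governing: 'script-src', allowed: false }
console.log(evaluate(WORKER_FIXED, 'worker-src', BLOB_WORKER, 'http://localhost:4200')); // { governing: 'worker-src', allowed: true }
```

Run it with node. The governing field is the useful part: it is exactly what the browser messages quoted in these questions report ("'worker-src' was not explicitly set, so 'script-src' is used as a fallback"), so checking a policy this way before shipping shows what each directive really permits after fallback, including how broad default-src * with 'unsafe-eval' is.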
Tom, although not really an answer as I'm not sure what fixed it, I can confirm that my app no longer does this. This is what I did:
Changed cordova to use 3.3.0 instead of 3.4.0 and at the same time, specified version numbers for my plugins:
<gap:plugin name="org.apache.cordova.console" version="0.2.7" />
<gap:plugin name="org.apache.cordova.contacts" version="0.2.11" />
<gap:plugin name="org.apache.cordova.device" version="0.2.8" />
<gap:plugin name="org.apache.cordova.device-orientation" version="0.3.5" />
<gap:plugin name="org.apache.cordova.dialogs" version="0.2.6" />
<gap:plugin name="org.apache.cordova.file" version="1.0.1" />
<gap:plugin name="org.apache.cordova.file-transfer" version="0.4.2" />
<gap:plugin name="org.apache.cordova.network-information" version="0.2.7" />
<gap:plugin name="org.apache.cordova.vibration" version="0.3.7" />
Then I re-built my app and it worked properly on iOS. So I then upgraded Cordova back to 3.4.0, kept the plugins the same, and it still worked.
So I don't know if it was because of an old plugin version or because I simply downgraded and then upgraded Cordova, but it has now fixed it.
Oh and FYI, I'm using Phonegap Build, so that's why it's easier to down/upgrade Phonegap/Cordova versions.
