Content Security Policy violation

Question

Content Security Policy violation

illegalprime opened this issue 8 years ago · comments

When plugin attempts to load the Cordova files, I receive an error:

Refused to load the script
'data:text/javascript;base64,Ly8gUGxhdGZvcm06IGFuZHJvaWQKLy8gYzUxN2NhODExYjQ…'
because it violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' 'unsafe-eval' http://…"

Is there a way to load the cordova apis without changing my csp?

Brad Reynolds · Answer 1 · Wed May 18 2016 02:58:26 GMT+0800 (China Standard Time)

Off the top of my head no. I haven't dug into CSP enough to know if you this could be locked down to just allow the app to inject.

If you go ahead and modify your CSP let me know what you end up with. I'll get something in the README on the topic.

Michael Eden · Answer 2 · Wed May 18 2016 03:02:49 GMT+0800 (China Standard Time)

^ This is what I came up with, what do you think?

Brad Reynolds · Answer 3 · Wed May 18 2016 21:33:34 GMT+0800 (China Standard Time)

After digging around a bit I think I'm ok with the change but I need to do some testing before I merge it. In short, your update works because you have 'unsafe-inline' already in your CSP which is required to load the javascript: URL. The issue you ran into was I was loading the script via a data URL which is prevented unless the CSP specifies data: (which Mozilla highly discourages).

Thanks for the fix! If all goes well with my testing I'll merge it in the next day or two.

Michael Eden · Answer 4 · Thu May 19 2016 14:21:35 GMT+0800 (China Standard Time)

Great info, thanks for your quick responses!

Brad Reynolds · Answer 5 · Fri May 20 2016 02:02:03 GMT+0800 (China Standard Time)

@illegalprime is it impossible to update your CSP?

What you'd need is:

script-src 'self' data:;

The default index.html generated by cordova contains something similar but actually opens up to all data URLs for the current site (the plugin works out of the box with it):

default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; ...

The innerHTML change isn't awful but it feels dirty. I'd rather be explicit about how the library gets injected and also not have it stop working one day because the innerHTML hole got plugged by some browser update.

Sorry for waffling so much on this but I'd rather leave things as is and update the documentation to more clearly state the injection requirements.

Brad Reynolds · Answer 6 · Fri May 20 2016 05:05:41 GMT+0800 (China Standard Time)

I've updated the README. Thanks for the report and forcing me to learn a little bit. ;) If we find it to be a more serious issue I'm fine revisiting but I'd prefer the site owner to update their CSP.