Content-security-policy bug #560
Comments
Same problem here!
Hello, do you have any solution or workaround for this bug?
I have not found a solution or workaround. The behavior above (which looks like a bug to me) is all I know. Is this cordova's bug? Chrome's? Is this the right place to report this bug?
Thanks a lot for your issue, however the issue template exists for a reason 😉 Therefore, please edit this issue accordingly or close and create a new one and make sure to provide all the required information. Is this reproducible in a new, plain Cordova app? A minimal reproduction repository would really help to debug and later fix this issue. More information on how to create one: https://github.com/apache/cordova-contribute/blob/master/create-reproduction.md
Bug description updated above, accordingly. Reproduction repo created at https://github.com/blukis/bugdemo-cordova-android-issue-560/
Run the project. |
According to the documentation at MDN, the asterisk should be wrapped in single quotes. So the header should read: Can someone confirm if the issue persists with them?
The same:
I checked this in a pure WebView without Cordova. The same experience.
I've looked into this a bit deeper, and creating my own test server to use as the CSP policy must come from http headers for I've run tests both on Cordova & Desktop. Desktop appears to run fine, including when the page is loaded through the A proof case is to have the following inside your ...
<content src="http://remote.example.com/outer.html" />
Here, the app content I don't know if this is an issue Cordova will fix, but basically using
Any Workarounds? I have tested the Ionic Webview with this. I know this webview provides some kind of proxy support so that files are not "loaded" from the filesystem and are instead loaded through the
Note that I am not very familiar with the Ionic webview, and any questions specifically about the webview I probably cannot answer, but I do know that even though it's made by Ionic, you don't need to use the Ionic framework to use the webview. I've provided a screenshot of the reproduction repo using the Ionic webview. My changes can be found here
@breautek any workarounds for today besides ionic webview using?
Not that I know of. I believe it works on ionic's webview because on ionic, you don't use the
Android works with ionic's view. What about iOS? Did it help?
Did not test iOS. So not sure.
Hi!
This is the problem.
Not really. The only way to work around this is to use schemes afaik. Ionic supports this, which is why using the ionic webview is a potential workaround. Apache Cordova is hesitant about implementing schemes due to this discussion between Ionic and an Android WebView engineer. This problem may be resolved by #1137 as it's the encouraged alternative to take for schemes, but the WebViewAssetLoader requires AndroidX, which is a breaking change, so it definitely won't be available any time soon.
Closing as I believe cordova-android@10 will fix this issue when using the WebAssetLoader (enabled by default). If this issue still persists on cordova-android@10 while using WebAssetLoader schemes, please open a new issue.
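Added example, not from the thread and not Cordova's or Chromium's code: a JavaScript model of the CSP Level 3 source-matching step that browsers apply to `frame-ancestors`, run over the frame chain from the bug report. In CSP3, the `*` wildcard matches an ancestor URL only when the ancestor's scheme is HTTP(S) or equal to the protected document's scheme, so a `file://` top frame (how the default cordova-android WebView loads `www/`) never satisfies `frame-ancestors *`, while an `https://localhost` top frame (the kind of origin a scheme-based loader provides) does. This is consistent with the thread's observation that the fix is to serve the app over a scheme. The file and `https://localhost` top-frame URLs are assumed for illustration; the real paths and the loader's origin depend on the app and its configuration. The `blockedAncestor` helper and the `cordovaFileResult` / `schemeLoaderResult` functions are this example's own names.

```javascript
// Model of CSP3 "Does url match expression in origin?" restricted to the
// source forms that occur in frame-ancestors lists. Example code only; it
// follows the spec text, not any particular browser's implementation.
const HTTP_SCHEMES = new Set(["http", "https"]);
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// Reduce a URL to the scheme/host/port triple the matching rules look at.
// file: URLs parse to an empty host, which is why they never match a host.
function parseUrl(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[scheme] || "" };
}

// CSP3 "scheme-part match": exact, or the http->https / ws->wss upgrade.
function schemePartMatch(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http" && urlScheme === "https") ||
    (exprScheme === "ws" && urlScheme === "wss");
}

function hostPartMatch(exprHost, urlHost) {
  if (urlHost === "") return false;                // hostless URLs (file:, data:) never match
  if (exprHost === "*") return true;
  if (exprHost.startsWith("*.")) {
    const suffix = exprHost.slice(1);              // "*.example.com" -> ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

function portPartMatch(exprPort, url) {
  if (exprPort === undefined) return url.port === DEFAULT_PORTS[url.scheme];
  if (exprPort === "*") return true;
  return exprPort === url.port;
}

// Does one source expression allow `ancestorUrl` to frame a document whose
// origin is `protectedOrigin`?
function matchesSource(expr, ancestorUrl, protectedOrigin) {
  const url = parseUrl(ancestorUrl);
  const origin = parseUrl(protectedOrigin);

  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return url.scheme === origin.scheme && url.host === origin.host && url.port === origin.port;
  }
  if (expr === "*") {
    // The wildcard covers HTTP(S) ancestors, or ancestors sharing the
    // protected document's scheme. A file:// top frame is neither.
    return HTTP_SCHEMES.has(url.scheme) || url.scheme === origin.scheme;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {        // scheme-source, e.g. "https:"
    return schemePartMatch(expr.slice(0, -1).toLowerCase(), url.scheme);
  }
  // host-source: [scheme://]host[:port][/path]; the path plays no role for ancestors
  let scheme = null;
  let rest = expr;
  const sep = expr.indexOf("://");
  if (sep > 0) { scheme = expr.slice(0, sep).toLowerCase(); rest = expr.slice(sep + 3); }
  const m = /^([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(rest);
  if (!m) throw new Error("unsupported source expression: " + expr);
  const [, host, port] = m;
  if (scheme !== null && !schemePartMatch(scheme, url.scheme)) return false;
  if (scheme === null && !schemePartMatch(origin.scheme, url.scheme)) return false;
  return hostPartMatch(host.toLowerCase(), url.host) && portPartMatch(port, url);
}

// Evaluate a whole frame-ancestors value against the chain of frames above
// the protected document (nearest parent first, top frame last). Returns the
// first ancestor the policy rejects, or null when framing is allowed.
function blockedAncestor(directiveValue, ancestors, protectedOrigin) {
  const sources = directiveValue.trim().split(/\s+/);
  for (const ancestor of ancestors) {
    if (!sources.some((s) => matchesSource(s, ancestor, protectedOrigin))) return ancestor;
  }
  return null;
}

// Constructed scenario from the report: inner.php on http://201x.plurib.us
// sends `frame-ancestors *`, is framed by outer.html on the same host, which
// is framed by the app's top-level page. The two top-frame URLs are assumed.
const INNER_ORIGIN = "http://201x.plurib.us";
const OUTER = "http://201x.plurib.us/test/2018/content-security-outer.html";
const CORDOVA_FILE_TOP = "file:///android_asset/www/index.html";  // default file:// WebView (assumed path)
const SCHEME_TOP = "https://localhost/index.html";                // scheme-based loader (assumed origin)

function cordovaFileResult() { return blockedAncestor("*", [OUTER, CORDOVA_FILE_TOP], INNER_ORIGIN); }
function schemeLoaderResult() { return blockedAncestor("*", [OUTER, SCHEME_TOP], INNER_ORIGIN); }

console.log("file:// top frame blocked at:", cordovaFileResult());   // the file:// URL
console.log("https://localhost top frame blocked at:", schemeLoaderResult()); // null
```

The same rule explains why a desktop browser, an Android Chrome tab and the Ionic webview all show the inner frame: in every one of those cases the top frame has an http(s) origin, so `*` matches; only the `file://` top frame of the stock WebView falls outside the wildcard.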
Bug Report
Child iframe in remotely-hosted iframe within cordova app doesn't load, despite appropriate Content-Security-Policy http header in child iframe.
Bug reproduction repository here: https://github.com/blukis/bugdemo-cordova-android-issue-560/
Problem
Child iframe in remotely-hosted iframe within cordova app doesn't load, despite Content-Security-Policy http header in child iframe.
What is expected to happen?
Inner-iframe (iframe border colored blue) is expected to load.
What does actually happen?
Inner-iframe (iframe border colored blue) doesn't load, and appears blank.
Information
Chrome debug console reports...
Command or Code
Build the app (I'm using PhoneGap Build, because cordova-proper is beyond my expertise). The bug manifests in the initial state of the app when it's run.
Environment, Platform, Device
Android
Version information
Phonegap build, using cli-9.0.0
Checklist
--------
Original post...
I believe I found an issue with content-security-policy in cordova environment...
I have an app that includes this page in an iframe: "http://201x.plurib.us/test/2018/content-security-outer.html", which in turn includes this page in another iframe "http://201x.plurib.us/test/2018/content-security-inner.php". (Note: these are very short pages created to debug this issue. The original page causing the issue was a shopify checkout page, found in the comments of "...outer.html".)
"...inner.php" includes this http header:
Content-Security-Policy: frame-ancestors *
"...outer.html" (and its inner iframe) loads OK in Chrome on Android, but when the URL is included in a cordova app, the "...inner.php" iframe does not load. (Note: the app has the "cordova-plugin-whitelist" plugin and
<access origin="*" />
). When I enable Android debugging and check the remote device console in Chrome, I see this error in the Chrome console:
Maybe I'm missing something, but I'm not sure how anything could fail to pass "frame-ancestors *". Is it a cordova issue? Thanks!