Content Security Policy


#1

We’ve just uploaded 6.3.0.5. It has changes to how Content Security Policy (CSP) works.

A CSP is required for PhoneGap apps. If you do not supply one, AppStudio will fill in a very loose and insecure policy. You will need to define a better one and put it in Project Properties, in the PhoneGap section. Read this to learn more about Content Security Policies: https://developers.google.com/web/fundamentals/security/csp/

Web Apps do not currently need a CSP. However, if you would like to define one, put it in the extraheaders property.

Please give 6.3.05 a try and see if this works for you!


#2

Seems all right.
Already before the recent updates I noticed that sometimes, when I change a property of a control (jqm?) the design screen disappears / becomes white. Clicking here and there does not help immediately. After some time, could be a minute or more, the design screen reappears with the altered control. It could be that the disappearing of controls now happens more often and reappearing takes even more time.
Bernd


#3

Is this related to Content Security Policy? If not, could you put it in a new Topic?


#4

Probably not related.


#5

If I put a meta tag with csp into extraheaders: would this be sufficient for Phonegap too?
If not, what can I write into the csp property? Just e.g. : script-src ‘self’ https://… ?
Bernd


#6

Yes, you can put a complete meta line into extraheaders: it will do the same thing as supplying a CSP in Project Properties.


#7

@Leader
Great. Thanks. I meanwhile tried with meta tag in extraheaders and see that it works in web app. Not worthwhile yet testing apk because I am still struggling with refused loading of img files.
Bernd


#8

This meta tag does it finally without violations and errors. Feel free if you think it useful as an example in your docs:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.css 'unsafe-inline'; script-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.js 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com; connect-src 'self' https://*.tile.openstreetmap.org https://unpkg.com">

When csp is provided by meta tag in extraheaders: can ‘none’ stay in csp property? Or leave blank?
Bernd

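The policy posted above works, but it keeps 'unsafe-inline' and 'unsafe-eval' on script-src, which is the part of a CSP a reviewer looks at first. As an added example (not AppStudio's code and not from the thread), this small Node.js audit parses a CSP string, resolves the default-src fallback, and lists the weak settings; the "loose" policy it checks is a constructed illustration, not the one AppStudio generates.

```javascript
// Added example: audit a CSP string for the settings that weaken it.
// Per the CSP spec, the first occurrence of a directive wins and fetch
// directives that are absent fall back to default-src.
const RISKY_KEYWORDS = new Set(["'unsafe-inline'", "'unsafe-eval'"]);
const FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "connect-src"];

// The policy posted in the thread (from the meta tag's content attribute).
const POSTED_POLICY =
  "default-src 'self'; style-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.css 'unsafe-inline'; " +
  "script-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.js 'unsafe-inline' 'unsafe-eval'; " +
  "img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com; " +
  "connect-src 'self' https://*.tile.openstreetmap.org https://unpkg.com";

// Constructed stand-in for a very loose policy (not AppStudio's actual default).
const LOOSE_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'";

// "default-src 'self'; img-src 'self' data:" -> { "default-src": ["'self'"], "img-src": [...] }
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!(name in directives)) directives[name] = sources; // first occurrence wins
  }
  return directives;
}

// Source list that actually applies to a fetch directive, honouring the default-src fallback.
function effectiveSources(directives, name) {
  return directives[name] ?? directives["default-src"] ?? null;
}

// Returns human-readable findings; an empty array means nothing obviously weak.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!("default-src" in d)) findings.push("missing default-src: unlisted directives allow everything");
  for (const name of FETCH_DIRECTIVES) {
    const sources = effectiveSources(d, name);
    if (sources === null) continue; // no default-src either: already reported above
    for (const s of sources) {
      if (RISKY_KEYWORDS.has(s)) findings.push(`${name} allows ${s}`);
      if (s === "*" || s === "http:" || s === "https:") findings.push(`${name} allows any origin (${s})`);
      else if (s.startsWith("http://")) findings.push(`${name} allows plaintext source ${s}`);
    }
  }
  return findings;
}

console.log(auditCsp(POSTED_POLICY)); // three findings: script-src (two) and style-src (one)
```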

#9

(I edited your post to add the angle brackets. Use the </> icon for this)

‘none’ does not do anything anymore - don’t use it. Just leave CSP blank.


#10

When I leave it blank, then the app (apk) does not show the map. I did a new build, again with ‘none’. Result: map is on display.
Bernd


#11

That’s interesting. Next step is to compare the source code which is generated each way. It looks the same to me here - is it different in your case?


#13

This is an unrelated issue. Chrome is objecting to something which the iscroll library is doing.