According to the HTML5 Rocks article on CSP (http://www.html5rocks.com/en/tutorials/security/content-security-policy/) you can specify just the host portion. So I tried this to load jQuery (which, I wouldn't do normally, I'd host it locally):
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com; connect-src http://www.cnn.com";> This does not work though. If I change it to http://code.jquery.com, it works fine. Is this simply a bug with the HTML5 Rocks article or a misunderstanding on my part? -- =========================================================================== Raymond Camden, Developer Advocate for MobileFirst at IBM Email : raymondcam...@gmail.com Blog : www.raymondcamden.com Twitter: raymondcamden --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
