Ray,

According to https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
if you omit the URL scheme, the one the page is using is assumed. So if you’re 
loading off file://, then your CSP will assume that URLs without schemes will 
also be coming from file://. Which is my guess as to why the code is failing? 
(Unless you’re serving from http://, in which case, I would expect your CSP to 
work.)

If you want wildcard behavior, you can use *://code.jquery.com instead.




On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcam...@gmail.com) wrote:

According to the HTML5 Rocks article on CSP  
(http://www.html5rocks.com/en/tutorials/security/content-security-policy/)  
you can specify just the host portion. So I tried this to load jQuery  
(which, I wouldn't do normally, I'd host it locally):  

<meta http-equiv="Content-Security-Policy" content="default-src 'self'  
data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'  
'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;  
connect-src http://www.cnn.com">  

This does not work though. If I change it to http://code.jquery.com,  
it works fine. Is this simply a bug with the HTML5 Rocks article or a  
misunderstanding on my part?  

--  
===========================================================================  
Raymond Camden, Developer Advocate for MobileFirst at IBM  

Email : raymondcam...@gmail.com  
Blog : www.raymondcamden.com  
Twitter: raymondcamden  
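
The scheme rule discussed in this thread, as an added example that is not part of the original messages: a simplified JavaScript model of how CSP Level 2 matches a host source against a resource URL, covering scheme and host only. The page URLs and the `/jquery.min.js` path are constructed for illustration, and `parseHostSource` and `sourceMatches` are hypothetical helper names.

```javascript
// Simplified model of CSP Level 2 host-source matching.
// Scope: scheme and exact host only (no ports, paths or host wildcards).
function parseHostSource(expr) {
  // Optional "scheme://" prefix, then the host part.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) throw new Error(`not a host-source: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

function sourceMatches(expr, resourceUrl, pageUrl) {
  const src = parseHostSource(expr);
  const res = new URL(resourceUrl);
  const resScheme = res.protocol.slice(0, -1);          // "http:" -> "http"
  const pageScheme = new URL(pageUrl).protocol.slice(0, -1);

  if (src.scheme !== null) {
    // Explicit scheme in the policy: the resource must use exactly that scheme.
    if (src.scheme !== resScheme) return false;
  } else if (pageScheme === 'http') {
    // Scheme-less source on an http page: http or https resources may match.
    if (resScheme !== 'http' && resScheme !== 'https') return false;
  } else if (resScheme !== pageScheme) {
    // Scheme-less source on any other page: the resource must share the
    // page's scheme, so a file:// page never matches an http:// resource.
    return false;
  }
  return res.hostname.toLowerCase() === src.host;
}

// Constructed sample URLs (assumptions, not taken from the thread).
const JQUERY = 'http://code.jquery.com/jquery.min.js';
const FILE_PAGE = 'file:///android_asset/www/index.html';
const HTTP_PAGE = 'http://localhost:8000/index.html';

function demo() {
  return {
    schemelessOnFilePage: sourceMatches('code.jquery.com', JQUERY, FILE_PAGE),
    explicitOnFilePage: sourceMatches('http://code.jquery.com', JQUERY, FILE_PAGE),
    schemelessOnHttpPage: sourceMatches('code.jquery.com', JQUERY, HTTP_PAGE),
  };
}

console.log(demo());
```
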
