My bad! Clearly I glitched on that. You can wildcard subdomains and ports, but not url schemes:
http://www.w3.org/TR/CSP/#source-list-syntax

I’m going to blame my headache for that one! ;-)

On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcam...@gmail.com) wrote:

Shoot, no, that doesn't work either. It gives:

The source list for Content Security Policy directive 'script-src' contains an invalid source: '*://code.jquery.com'. It will be ignored.

On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts <kerrisho...@gmail.com> wrote:
> Ray,
>
> According to
> https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
> if you omit the URL scheme, the one the page is using is assumed. So if
> you’re loading off file://, then your CSP will assume that URLs without
> schemes will also be coming from file://. Which is my guess as to why the
> code is failing? (Unless you’re serving from http://, in which case, I would
> expect your CSP to work.)
>
> If you want wildcard behavior, you can use *://code.jquery.com instead.
>
> On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcam...@gmail.com)
> wrote:
>
> According to the HTML5 Rocks article on CSP
> (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
> you can specify just the host portion. So I tried this to load jQuery
> (which, I wouldn't do normally, I'd host it locally):
>
> <meta http-equiv="Content-Security-Policy" content="default-src 'self'
> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'
> 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;
> connect-src http://www.cnn.com">
>
> This does not work though. If I change it to http://code.jquery.com,
> it works fine. Is this simply a bug with the HTML5 Rocks article or a
> misunderstanding on my part?
>
> --
> ===========================================================================
> Raymond Camden, Developer Advocate for MobileFirst at IBM
>
> Email : raymondcam...@gmail.com
> Blog : www.raymondcamden.com
> Twitter: raymondcamden
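
The matching rules discussed in this thread, as an added example that is not part of any of the messages above: a simplified CSP host-source matcher showing why a scheme-less source fails on a file:// page and why '*://code.jquery.com' is rejected. The function names, the pageScheme parameter and the sample URL are assumptions made for the illustration.

```javascript
// Added illustration (not from the thread): simplified CSP host-source matching.
// Function names and the pageScheme parameter are hypothetical. Paths, keywords
// such as 'self', and the spec's scheme-upgrade allowances are not modelled.

// host-source grammar: [scheme "://"] host [":" port]; host may be "*" or "*.x.y"
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*|\*)(?::(\d+|\*))?$/i;
const DEFAULT_PORTS = { http: '80', https: '443' };

function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return null; // '*://code.jquery.com' lands here: '*' is not a scheme
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

function allows(expr, resourceUrl, pageScheme) {
  const src = parseHostSource(expr);
  if (!src) return false; // an invalid source is ignored, so it allows nothing
  const url = new URL(resourceUrl);
  const urlScheme = url.protocol.slice(0, -1);

  // No scheme in the source: the page's own scheme is assumed.
  if ((src.scheme || pageScheme.toLowerCase()) !== urlScheme) return false;

  // Host: "*" matches anything, "*.x.y" matches subdomains of x.y only.
  const host = url.hostname.toLowerCase();
  if (src.host.startsWith('*.')) {
    if (!host.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== '*' && src.host !== host) return false;

  // Port: absent means the scheme's default port, "*" means any port.
  if (src.port === '*') return true;
  if (src.port === null) return url.port === '';
  return src.port === (url.port || DEFAULT_PORTS[urlScheme] || '');
}

// Constructed inputs mirroring the thread: the same jQuery URL, page on file://
const JQUERY = 'http://code.jquery.com/jquery.min.js';
console.log(allows('code.jquery.com', JQUERY, 'file'));        // scheme-less source
console.log(allows('http://code.jquery.com', JQUERY, 'file')); // explicit scheme
console.log(allows('*://code.jquery.com', JQUERY, 'file'));    // invalid source
```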