No worries - I appreciate the MDN link though - certainly better than the old HTML5 Rocks article. I'm blogging on the CSP changes (I had misunderstood them) based on conversations I had with Nic Raboy over on his blog post on the topic. Will post back here so folks can tell me if I screwed up. ;)

On Sun, May 24, 2015 at 7:33 PM, Kerri Shotts <kerrisho...@gmail.com> wrote:
> That’s what I get for making assumptions on other parts of the syntax. ;-)
> Wildcards just don’t automatically apply everywhere (sigh), even if they
> look like they could. Bad brain, bad brain! More coffee needed!
>
> On May 24, 2015 at 7:31:08 PM, Kerri Shotts (kerrisho...@gmail.com) wrote:
>
> My bad! Clearly I glitched on that. You can wildcard subdomains and ports,
> but not URL schemes:
>
> http://www.w3.org/TR/CSP/#source-list-syntax
>
> I’m going to blame my headache for that one! ;-)
>
> On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcam...@gmail.com) wrote:
>
> Shoot, no, that doesn't work either. It gives:
>
> The source list for Content Security Policy directive 'script-src'
> contains an invalid source: '*://code.jquery.com'. It will be ignored.
>
> On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts <kerrisho...@gmail.com> wrote:
>> Ray,
>>
>> According to
>> https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
>> if you omit the URL scheme, the one the page is using is assumed. So if
>> you’re loading off file://, then your CSP will assume that URLs without
>> schemes will also be coming from file://. Which is my guess as to why the
>> code is failing? (Unless you’re serving from http://, in which case, I would
>> expect your CSP to work.)
>>
>> If you want wildcard behavior, you can use *://code.jquery.com instead.
>>
>> On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcam...@gmail.com) wrote:
>>
>> According to the HTML5 Rocks article on CSP
>> (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
>> you can specify just the host portion. So I tried this to load jQuery
>> (which I wouldn't do normally; I'd host it locally):
>>
>> <meta http-equiv="Content-Security-Policy" content="default-src 'self'
>> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'
>> 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;
>> connect-src http://www.cnn.com">
>>
>> This does not work though. If I change it to http://code.jquery.com,
>> it works fine. Is this simply a bug with the HTML5 Rocks article or a
>> misunderstanding on my part?
>>
>> --
>> ===========================================================================
>> Raymond Camden, Developer Advocate for MobileFirst at IBM
>>
>> Email : raymondcam...@gmail.com
>> Blog : www.raymondcamden.com
>> Twitter: raymondcamden
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
>> For additional commands, e-mail: dev-h...@cordova.apache.org
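The two behaviours the thread converges on (a scheme-less host source inherits the document's scheme, so `code.jquery.com` never matches an http(s) script on a file:// page, and `*://code.jquery.com` is not a valid source expression and gets dropped) can be checked offline with a small matcher. The following is an added example, not code from the thread, from Cordova or from any browser: a simplified CSP Level 2 source-list matcher. The function names (`parseSource`, `parsePolicy`, `allows`), the sample page URLs and the script URL are constructed for the illustration; the policy string is the one posted above. Nonces, hashes, IPv6 hosts and the CSP3 `'self'` port-upgrade rules are deliberately left out, and `'self'` is treated as strict same-origin.

```javascript
// Added example (not from the thread, Cordova or a browser): a simplified CSP
// Level 2 source-list matcher showing why "code.jquery.com" fails under file://
// and why "*://code.jquery.com" is ignored. Nonces/hashes/IPv6 are omitted.
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);
// scheme-source ("data:", "gap:") and host-source ([scheme://]host[:port][/path]).
// The scheme part must be a real scheme name, which is why "*://host" fails to parse.
const SCHEME_SRC = /^([a-zA-Z][a-zA-Z0-9+.-]*):$/;
const HOST_SRC =
  /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)(?::(\d+|\*))?(\/[^\s;,]*)?$/;

// Parse one source expression; null means "invalid, the browser ignores this token".
function parseSource(token) {
  if (KEYWORDS.has(token)) return { kind: "keyword", value: token.slice(1, -1) };
  if (token === "*") return { kind: "any" };
  let m = SCHEME_SRC.exec(token);
  if (m) return { kind: "scheme", scheme: m[1].toLowerCase() };
  m = HOST_SRC.exec(token);
  if (!m) return null;
  return {
    kind: "host",
    scheme: m[1] ? m[1].toLowerCase() : null, // null = inherit the document's scheme
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Split "name src src; name src" into { directives: {name: [source...]}, ignored: [...] }.
function parsePolicy(policy) {
  const directives = {};
  const ignored = [];
  for (const chunk of policy.split(";")) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    directives[name] = [];
    for (const token of parts.slice(1)) {
      const src = parseSource(token);
      if (src) directives[name].push(src);
      else ignored.push({ directive: name, token }); // what the console warning reports
    }
  }
  return { directives, ignored };
}

const schemeOf = (u) => u.protocol.slice(0, -1).toLowerCase();

// CSP scheme rule: exact match, except an http source (or http document) also admits https.
function schemeMatches(expected, actual) {
  return expected === actual || (expected === "http" && actual === "https");
}

function matchesSource(src, url, doc) {
  switch (src.kind) {
    case "any":
      return true;
    case "keyword": // only 'self' (same origin) matches URLs; the other keywords are flags
      return src.value === "self" && url.protocol === doc.protocol &&
        url.hostname === doc.hostname && url.port === doc.port;
    case "scheme":
      return schemeOf(url) === src.scheme;
    case "host": {
      // No scheme in the source expression: the document's scheme is used instead.
      if (!schemeMatches(src.scheme || schemeOf(doc), schemeOf(url))) return false;
      if (src.host.startsWith("*.")) {
        if (!url.hostname.endsWith(src.host.slice(1))) return false; // "*.x.com" -> ".x.com"
      } else if (src.host !== "*" && url.hostname !== src.host) {
        return false;
      }
      // WHATWG URL reports "" for a scheme's default port, so "no port in the
      // source" means "the URL must be on its default port".
      const portOk = src.port === null ? url.port === "" : src.port === "*" || src.port === url.port;
      if (!portOk) return false;
      return !src.path || url.pathname.startsWith(src.path);
    }
    default:
      return false;
  }
}

// Does `directive` in `policy`, for a document at `documentUrl`, allow `resourceUrl`?
// Falls back to default-src when the directive is absent, as browsers do.
function allows(policy, directive, documentUrl, resourceUrl) {
  const { directives } = parsePolicy(policy);
  const sources = directives[directive] || directives["default-src"];
  if (!sources) return true; // nothing in the policy restricts this fetch
  return sources.some((src) => matchesSource(src, new URL(resourceUrl), new URL(documentUrl)));
}

// Constructed inputs: the policy posted in the thread, a file:// page (as a
// Cordova app is served), a dev-server page, and the "*://" variant tried later.
const THREAD_POLICY = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com; " +
  "connect-src http://www.cnn.com";
const WILDCARD_POLICY = "script-src 'self' *://code.jquery.com";
const FILE_PAGE = "file:///www/index.html";
const HTTP_PAGE = "http://localhost:8000/index.html";
const JQUERY = "http://code.jquery.com/jquery.min.js";

console.log("file:// page, host-only source:", allows(THREAD_POLICY, "script-src", FILE_PAGE, JQUERY));
console.log("http:// page, host-only source:", allows(THREAD_POLICY, "script-src", HTTP_PAGE, JQUERY));
console.log("ignored tokens:", parsePolicy(WILDCARD_POLICY).ignored);
```

Run with `node`, the first line prints `false` and the second `true`: the same `script-src 'self' code.jquery.com` directive accepts the script from an http:// page and rejects it from a file:// page, because the inherited scheme is `file`. Spelling the scheme out (`http://code.jquery.com`) makes it work from file:// and, per the http-admits-https rule, also covers the https copy of the script; `*://code.jquery.com` simply never enters the source list.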