Nice tips Kerri! Thanks for the blog post Ray! Link for the lazy http://www.raymondcamden.com/2015/05/25/important-information-about-cordova-5
On Sun, May 24, 2015 at 5:36 PM, Raymond Camden <raymondcam...@gmail.com> wrote:
> No worries - I appreciate the MDN link though - certainly better than
> the old HTML5 Rocks article. I'm blogging on the CSP changes (I had
> misunderstood them) based on conversations I had with Nic Raboy over
> on his blog post on the topic. Will post back here so folks can tell
> me if I screwed up. ;)
>
> On Sun, May 24, 2015 at 7:33 PM, Kerri Shotts <kerrisho...@gmail.com> wrote:
> > That's what I get for making assumptions on other parts of the syntax. ;-)
> > Wildcards just don't automatically apply everywhere (sigh), even if they
> > look like they could. Bad brain, bad brain! More coffee needed!
> >
> > On May 24, 2015 at 7:31:08 PM, Kerri Shotts (kerrisho...@gmail.com) wrote:
> >
> > My bad! Clearly I glitched on that. You can wildcard subdomains and ports,
> > but not URL schemes:
> >
> > http://www.w3.org/TR/CSP/#source-list-syntax
> >
> > I'm going to blame my headache for that one! ;-)
> >
> > On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcam...@gmail.com) wrote:
> >
> > Shoot, no, that doesn't work either. It gives:
> >
> > The source list for Content Security Policy directive 'script-src'
> > contains an invalid source: '*://code.jquery.com'. It will be ignored.
> >
> > On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts <kerrisho...@gmail.com> wrote:
> >> Ray,
> >>
> >> According to
> >> https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives,
> >> if you omit the URL scheme, the one the page is using is assumed. So if
> >> you're loading off file://, then your CSP will assume that URLs without
> >> schemes will also be coming from file://. Which is my guess as to why the
> >> code is failing? (Unless you're serving from http://, in which case, I would
> >> expect your CSP to work.)
> >>
> >> If you want wildcard behavior, you can use *://code.jquery.com instead.
> >>
> >> On May 24, 2015 at 2:24:05 PM, Raymond Camden (raymondcam...@gmail.com) wrote:
> >>
> >> According to the HTML5 Rocks article on CSP
> >> (http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
> >> you can specify just the host portion. So I tried this to load jQuery
> >> (which I wouldn't do normally; I'd host it locally):
> >>
> >> <meta http-equiv="Content-Security-Policy" content="default-src 'self'
> >> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'
> >> 'unsafe-inline'; media-src *; script-src 'self' code.jquery.com;
> >> connect-src http://www.cnn.com">
> >>
> >> This does not work though. If I change it to http://code.jquery.com,
> >> it works fine. Is this simply a bug with the HTML5 Rocks article or a
> >> misunderstanding on my part?
> >>
> >> --
> >> ===========================================================================
> >> Raymond Camden, Developer Advocate for MobileFirst at IBM
> >>
> >> Email : raymondcam...@gmail.com
> >> Blog : www.raymondcamden.com
> >> Twitter: raymondcamden
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> >> For additional commands, e-mail: dev-h...@cordova.apache.org
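The source-list rules the thread settles on (a host without a scheme inherits the page's scheme, wildcards work for subdomains and ports but not for schemes) as a small host-source matcher, added here as an example and not code from the thread or from Cordova. It assumes the WHATWG URL class available in Node and browsers, handles host-sources and bare scheme-sources only (keyword sources are skipped, paths ignored), and the jQuery script URL it checks is a constructed sample.

```javascript
// Added example, not code from the thread or from Cordova: a small matcher for CSP
// host-source expressions following the rules the thread quotes from the spec.
// Assumptions: keyword sources ('self', ...) are skipped and URL paths are ignored.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?$/i;
const DEFAULT_PORT = { http: '80', https: '443' };
function parseSource(src) {
  const s = /^([a-z][a-z0-9+.-]*):$/i.exec(src);  // bare scheme-source such as "https:"
  if (s) return { scheme: s[1].toLowerCase(), host: '*', port: '*' };
  const m = HOST_SOURCE.exec(src);
  if (!m) return null;  // '*://code.jquery.com' ends up here: '*' is not a valid scheme
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length >= pattern.length;
  return pattern === host;
}

// Does one source expression permit `url` for a page loaded over `pageScheme`
// (a Cordova app runs from file://, a plain web page usually from http or https)?
function sourceAllows(src, pageScheme, url) {
  const p = parseSource(src);
  if (!p) return false;  // browsers ignore invalid sources, as the console error in the thread says
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1);
  const scheme = p.scheme || pageScheme;  // no scheme in the source: the page's scheme is assumed
  if (urlScheme !== scheme && !(scheme === 'http' && urlScheme === 'https')) return false;
  if (!hostMatches(p.host, u.hostname)) return false;
  const urlPort = u.port || DEFAULT_PORT[urlScheme] || '';
  if (p.port === '*') return true;
  return p.port ? p.port === urlPort : urlPort === (DEFAULT_PORT[urlScheme] || '');
}
// Evaluate a policy's script-src directive (falling back to default-src) for a script URL.
function policyAllowsScript(policy, pageScheme, url) {
  const directives = {};
  for (const d of policy.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  const sources = directives['script-src'] || directives['default-src'] || [];
  return sources.some(s => !s.startsWith("'") && sourceAllows(s, pageScheme, url));
}

// Ray's policy from the thread; the script URL is a constructed sample.
const POLICY = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' " +
  "'unsafe-inline'; media-src *; script-src 'self' code.jquery.com; connect-src http://www.cnn.com";
const JQUERY = 'http://code.jquery.com/jquery.js';
console.log(policyAllowsScript(POLICY, 'file', JQUERY), policyAllowsScript(POLICY, 'http', JQUERY)); // false true
```

Under a file:// page the bare host fails exactly as Ray saw, while the same policy served over http allows the script.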