Content Security Policy specified where?

I just did a search for a topic on where the Content Security Policy is defined in AppStudio project. I was sure it was a project property that I set many months ago. I need to refine the policy, etc. Where do I find it?

It’s in Project Properties, in the VoltBuilder and Cordova section.

The location was changed since version 7. I’m not sure that it makes sense to remove the creation of CSP for non-volt/voltbuilder apps.

I just double checked a web app (PWA) I created with AppStudio last September with version 7 and it has the content-security-policy tag.

I really think the CSP property should be moved back to the project common properties and have the CSP generated as a META tag, if specified. E.g., if the CSP is empty, don’t create the meta tag.

Good point. It will be moved in the next build.

When building a PWA app, the META tag is currently not created. Not sure that point was obvious.

Which META tag are you referring to?

In version 7.4.2.0, I specified a CSP in the project properties. It was included in my PWA web app in the index.html at the beginning as:

<!DOCTYPE HTML>
<html lang=en>
<head>
<meta charset="utf-8">
<title>Project4</title>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: ; connect-src 'self' https://*.theweedwerx.com https://theweedwerx.com  https://01vjio2jbd.execute-api.us-east-2.amazonaws.com http://01vjio2jbd.execute-api.us-east-2.amazonaws.com https://cognito-identity.us-east-2.amazonaws.com/ http://www.theweedwerx.com.s3-website.us-east-2.amazonaws.com https://www.theweedwerx.com.s3-website.us-east-2.amazonaws.com ws://localhost:* ; media-src 'self' https://polly.us-east-2.amazonaws.com">
<meta name="generator" content="NSB/AppStudio 7.4.2.0$gqkj" />
<meta name='date' content='2019-09-11 12:25:06.476000' />
<meta name='Description' content='Project4' />
<meta name='version' content='1.0.0' />
<meta name='viewport' content='width=device-width, initial-scale=1, user-scalable=no viewport-fit=cover' />

In 8.4.0.0 the CSP meta tag is not present for a deploy to local folder of an app with CSP in the properties in the Voltbuilder/Cordova properties section.


No problem - that’s easily added.

The property was moved in 8.4.1.0, but the Meta tag above is not being created on deploy to local folder.

Thanks - we’ll fix that right away.

I just tried a deploy to a local folder. The content-security-policy shows up nicely.

Any idea how I can reproduce what you are seeing?

This is a simple project. It has a CSP defined, but no Meta Tag in the Run - deploy to local folder, Index.html file. Version 8.4.1.0 Windows 10 64 bit.
Project1.appstudio.zip (19.7 KB)

Thank you - your project shows the issue. We’ll fix it.

8.4.1.1 has been released - it fixes this issue.

Yes, the CSP is now showing up in Run in Desktop Browser and Deploy to Local folder.

However, if you look at the index.html listed in part above from Version 7.4.2.0, you’ll notice the CSP is defined prior to all the link tags. In 8.4.1.1, the CSP is defined after all of the links.

IMHO, the CSP tag should be moved up in the HTML Header to be one of the first tags, as the CSP only takes effect once it is sequentially processed. And all the links are listed before the CSP, so they won’t be scrutinized by the CSP.

According to the specs:

Anything included BEFORE the content-security-policy is NOT subject to the CSP, and the CSP will only be applied to items included after the CSP. It is therefore recommended that the CSP meta tag be as close to the top of the html header as possible.
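The ordering rule described above is easy to check mechanically on a build's output. The script below is an added example, not code from the thread or from AppStudio: it parses an index.html, records which resource-loading tags in <head> appear before the Content-Security-Policy meta tag (those are the ones the policy never sees), and splits the policy string into its directives. The two HTML documents are constructed samples that only mimic the shape of the files discussed; the file names and paths in them are made up.

```python
"""Audit where a CSP <meta> tag sits relative to resource-loading tags in <head>."""
from html.parser import HTMLParser

# Constructed sample resembling the 8.4.1.1 layout complained about above:
# link/script tags come first, the CSP meta tag comes last (paths are made up).
SAMPLE_CSP_AFTER_LINKS = """<!DOCTYPE HTML>
<html lang=en>
<head>
<meta charset="utf-8">
<title>Project1</title>
<link rel="stylesheet" href="nsb/nsb.css">
<script src="nsb/lib.js"></script>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:">
</head>
<body></body>
</html>
"""

# Constructed sample resembling the 8.4.1.2 layout: CSP declared before any file loads.
SAMPLE_CSP_FIRST = """<!DOCTYPE HTML>
<html lang=en>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:">
<title>Project1</title>
<link rel="stylesheet" href="nsb/nsb.css">
<script src="nsb/lib.js"></script>
</head>
<body></body>
</html>
"""

# Elements in <head> that trigger a fetch and therefore must come after the policy.
RESOURCE_TAGS = {"link", "script", "img", "iframe", "style"}

# Directives the CSP spec ignores when the policy is delivered in a <meta> element;
# they only take effect in the HTTP response header.
META_IGNORED = ("frame-ancestors", "report-uri", "sandbox")


class CspOrderParser(HTMLParser):
    """Collects the CSP meta content and every resource tag seen before it in <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.csp_content = None      # content= of the first CSP meta tag, if any
        self.unprotected = []        # (tag, href/src) pairs that precede the CSP meta

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)              # html.parser lowercases tag and attribute names
        if tag == "head":
            self.in_head = True
            return
        if not self.in_head:
            return
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if self.csp_content is None:
                self.csp_content = a.get("content", "")
            return
        if tag in RESOURCE_TAGS and self.csp_content is None:
            self.unprotected.append((tag, a.get("href") or a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def parse_csp(content):
    """Split a policy string into {directive: [source expressions]}."""
    policy = {}
    for part in content.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def meta_ignored_directives(policy):
    """Return the directives in `policy` that a <meta>-delivered CSP silently drops."""
    return [d for d in META_IGNORED if d in policy]


def audit_csp_placement(html_text):
    """Return (parsed policy or None, list of resource tags loaded before the CSP)."""
    parser = CspOrderParser()
    parser.feed(html_text)
    parser.close()
    policy = parse_csp(parser.csp_content) if parser.csp_content is not None else None
    return policy, parser.unprotected


if __name__ == "__main__":
    for name, doc in (("csp after links", SAMPLE_CSP_AFTER_LINKS), ("csp first", SAMPLE_CSP_FIRST)):
        policy, unprotected = audit_csp_placement(doc)
        print(name, "->", "no CSP" if policy is None else policy)
        for tag, ref in unprotected:
            print("  not covered by CSP:", tag, ref)
```

Run it against the index.html a deploy produces and the "not covered" lines are exactly the links and scripts the thread is worried about; an empty list means the ordering is right. The second check, meta_ignored_directives, catches a separate pitfall: frame-ancestors, report-uri and sandbox have no effect in a meta tag and need the HTTP header, which a static deploy to a local folder cannot set.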

Thanks for finding the specs on this.

The CSP declaration is moved up in the next build.

We just uploaded AppStudio 8.4.1.2. The CSP is now declared before any files are loaded.

Confirmed for both Start in Desktop Browser and Deploy to Local Folder. If no CSP, then no meta tag is created. If CSP is specified, the meta tag is included before the link tags. I would have put the meta CSP tag directly after the head tag, but this works. CSP is now operational again for web apps. :nerd_face:

Thanks for the good news!