Content Security Policy

ghenne · January 19, 2018, 9:37pm

We’ve just uploaded 6.3.0.5. It has changes to how Content Security Policy (CSP) works.

A CSP is required for PhoneGap apps. If you do not supply one, AppStudio will fill in a very loose and insecure policy. You will need to define a better one and put it in Project Properties, in the PhoneGap section. Read this to learn more about Content Security Policies: Content security policy

Web Apps do not currently need a CSP. However, if you would like to define one, put it in the extraheaders property.

Please give 6.3.05 a try and see if this works for you!

Bernd_Sommer · January 20, 2018, 3:17pm

Seems all right.
Already before the recent updates I noticed that sometimes, when I change a property of a control (jqm?) the design screen disappears / becomes white. Clicking here and there does not help immediately. After some time, could be a minute or more, the design screen reappears with the altered control. It could be that the disappearing of controls now happens more often and reappearing takes even more time.
Bernd

ghenne · January 20, 2018, 3:39pm

Is this related to Content Security Policy? If not, could you put it in a new Topic?

Bernd_Sommer · January 20, 2018, 4:18pm

Probably not related.

Bernd_Sommer · January 21, 2018, 10:21pm

If I put a meta tag with csp into extraheaders: would this be sufficient for Phonegap too?
If not, what can I write into the csp property? Just e.g. : script-src ‘self’ https://… ?
Bernd

ghenne · January 22, 2018, 2:45pm

Yes, you can put a complete meta line into extraheaders: it will do the same thing as supplying a CSP in Project Properties.

Bernd_Sommer · January 22, 2018, 5:27pm

@Leader
Great. Thanks. I meanwhile tried with meta tag in extraheaders and see that it works in web app. Not worth while yet testing apk because I am still struggling with refused loading of img files.
Bernd

Bernd_Sommer · January 23, 2018, 5:54pm

This meta tag does it finally without violations and errors. Feel free if you think it useful as an example in your docs:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.css 'unsafe-inline'; script-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.js 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com; connect-src 'self' https://*.tile.openstreetmap.org https://unpkg.com">

When csp is provided by meta tag in extraheaders: can ‘none’ stay in csp property? Or leave blank?
Bernd

ghenne · January 23, 2018, 6:21pm

(I edited your post to add the angle brackets. Use the </> icon for this)

‘none’ does not do anything anymore - don’t use it. Just leave CSP blank.

Bernd_Sommer · January 23, 2018, 11:14pm

When I leave it blank, then the app (apk) does not show the map. I did a new build, again with ‘none’. Result: map is on display.
Bernd

ghenne · January 24, 2018, 12:46pm

That’s interesting. Next step is to compare the source code which is generated each way. It looks the same to me here - is it different in your case?

ghenne · January 26, 2018, 2:14pm

This is an unrelated issue. Chrome is objecting to something which the iscroll library is doing.