Content Security Policy

We’ve just uploaded 6.3.0.5. It has changes to how Content Security Policy (CSP) works.

A CSP is required for PhoneGap apps. If you do not supply one, AppStudio will fill in a very loose and insecure policy. You will need to define a better one and put it in Project Properties, in the PhoneGap section. Read this to learn more about Content Security Policies: https://developers.google.com/web/fundamentals/security/csp/

Web Apps do not currently need a CSP. However, if you would like to define one, put it in the extraheaders property.

Please give 6.3.05 a try and see if this works for you!

Seems all right.
Already before the recent updates I noticed that sometimes, when I change a property of a control (jqm?), the design screen disappears / becomes white. Clicking here and there does not help immediately. After some time, which could be a minute or more, the design screen reappears with the altered control. It could be that the disappearing of controls now happens more often and the reappearing takes even more time.
Bernd

Is this related to Content Security Policy? If not, could you put it in a new Topic?

Probably not related.

If I put a meta tag with a CSP into extraheaders, would this be sufficient for PhoneGap too?
If not, what can I write into the CSP property? Just e.g. script-src 'self' https://… ?
Bernd

Yes, you can put a complete meta line into extraheaders: it will do the same thing as supplying a CSP in Project Properties.

@Leader
Great. Thanks. I meanwhile tried with a meta tag in extraheaders and see that it works in the web app. Not worthwhile testing the apk yet because I am still struggling with refused loading of img files.
Bernd

This meta tag finally does it without violations and errors. Feel free to use it as an example in your docs if you think it useful:

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.css 'unsafe-inline'; script-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.js 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com; connect-src 'self' https://*.tile.openstreetmap.org https://unpkg.com">
```

When the CSP is provided by a meta tag in extraheaders, can 'none' stay in the CSP property? Or leave it blank?
Bernd
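To see why a resource is "refused" under a policy like the one posted above, it helps to evaluate the policy the way the browser does. The following is an added example and not AppStudio/NSB code or anything from this thread's authors. It parses the posted policy, resolves which directive governs a request (fetch directives fall back to default-src), and applies CSP Level 3 source-expression matching for the expression kinds that policy uses: 'self', 'none', scheme sources such as data:, and host sources with an optional scheme, *. wildcard, port and path. It also lists the keywords that weaken the policy. The document origin https://app.example is an assumption standing in for the deployed web app; a packaged PhoneGap app is served from a file: origin, where 'self' behaves differently, so that case is deliberately not modelled.

```javascript
// Added example (not AppStudio/NSB code): a small CSP evaluator for the
// kind of meta-tag policy discussed in the thread. Assumes an https
// document origin ("https://app.example" below is a placeholder).

// The policy posted in the thread, as a string.
const POLICY =
  "default-src 'self'; " +
  "style-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.css 'unsafe-inline'; " +
  "script-src 'self' https://unpkg.com/leaflet@1.2.0/dist/leaflet.js 'unsafe-inline' 'unsafe-eval'; " +
  "img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com; " +
  "connect-src 'self' https://*.tile.openstreetmap.org https://unpkg.com";

// Parse "name src src; name src" into a Map. Per the spec a repeated
// directive name is ignored after its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Does one host-source expression (e.g. https://*.tile.openstreetmap.org or
// https://unpkg.com/leaflet@1.2.0/dist/leaflet.js) match the request URL?
function hostSourceMatches(expr, url, docUrl) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit http: also admits https:; an omitted scheme takes
  // the document's scheme (again with http upgraded to https).
  const wanted = scheme ? scheme.toLowerCase() + ":" : docUrl.protocol;
  if (!(url.protocol === wanted || (wanted === "http:" && url.protocol === "https:"))) return false;

  // Host: bare * matches anything; *.example.org matches subdomains only.
  const h = url.hostname.toLowerCase();
  const hostExpr = host.toLowerCase();
  if (hostExpr === "*") {
    // any host
  } else if (hostExpr.startsWith("*.")) {
    const suffix = hostExpr.slice(1); // ".tile.openstreetmap.org"
    if (!h.endsWith(suffix) || h.length <= suffix.length) return false;
  } else if (h !== hostExpr) {
    return false;
  }

  // Port: omitted means the scheme's default port (Node's URL reports "" then).
  if (port === "*") {
    // any port
  } else if (port) {
    if ((url.port || DEFAULT_PORT[url.protocol] || "") !== port) return false;
  } else if (url.port) {
    return false;
  }

  // Path: a trailing "/" is a prefix match; anything else must match exactly
  // (query string and fragment are ignored).
  if (path) {
    if (path.endsWith("/")) return url.pathname.startsWith(path);
    return url.pathname === path;
  }
  return true;
}

function sourceMatches(src, url, docUrl) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.origin === docUrl.origin;
  if (s.startsWith("'")) return false;        // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {       // scheme source such as data: or https:
    return url.protocol === s || (s === "http:" && url.protocol === "https:");
  }
  return hostSourceMatches(src, url, docUrl);
}

// Would a request for urlString be allowed under directive? With neither
// the directive nor default-src present, CSP imposes no restriction.
function isAllowed(policy, directive, urlString, docOrigin = "https://app.example") {
  const sources = parsePolicy(policy).get(directive) ?? parsePolicy(policy).get("default-src");
  if (sources === undefined) return true;
  const url = new URL(urlString);
  const docUrl = new URL(docOrigin);
  return sources.some((src) => sourceMatches(src, url, docUrl));
}

// Keywords and wildcards that weaken a policy, for a quick review.
function weaknesses(policy) {
  const findings = [];
  for (const [name, sources] of parsePolicy(policy)) {
    for (const src of sources) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === "*" || /^https?:$/.test(s)) {
        findings.push(`${name} ${src}`);
      }
    }
  }
  return findings;
}

console.log("tile over https:", isAllowed(POLICY, "img-src", "https://a.tile.openstreetmap.org/12/2048/1360.png"));
console.log("tile over http: ", isAllowed(POLICY, "img-src", "http://a.tile.openstreetmap.org/12/2048/1360.png"));
console.log("other leaflet:  ", isAllowed(POLICY, "script-src", "https://unpkg.com/leaflet@1.3.0/dist/leaflet.js"));
console.log("weak spots:     ", weaknesses(POLICY));
```

Run it with node. Two things the output makes visible: the script-src entry pins one exact path, so a different Leaflet version from the same CDN is blocked until the policy is edited, and tile images are only allowed over https, so an http tile URL is refused even though the host matches. The 'unsafe-inline' and 'unsafe-eval' entries in script-src are what let the AppStudio-generated inline scripts and eval-style code run, but they also remove most of the protection a CSP gives against injected script; they are the first candidates to tighten once the app works.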

(I edited your post to add the angle brackets. Use the </> icon for this)

‘none’ does not do anything anymore - don’t use it. Just leave CSP blank.

When I leave it blank, the app (apk) does not show the map. I did a new build, again with 'none'. Result: the map is on display.
Bernd

That’s interesting. Next step is to compare the source code which is generated each way. It looks the same to me here - is it different in your case?

This is an unrelated issue. Chrome is objecting to something which the iscroll library is doing.