CSP for all HTTP and HTTPS

I have an NSB app that is designed for internal corporate use only. It calls several web services, and for years has only called http:. We now need to support http and https, and https calls are not working

Currently my Content Security policy is empty, so is it safe to assume that https is blocked in this condition? I’d like to open up the ability to call any http or https URL, as they are all managed internally so security is not an issue. Would a CSP like this do the trick? Not exactly sure on the syntax for wildcard http or https.

Thanks for any advice

Here’s the official documentation on content-security-policy and another good article.

Your actual CSP will depend on a lot of things, such as running as a web app or native app. Here’s a real world example - there are lots of others on the net.

default-src 'self' gap://ready file: https://fonts.googleapis.com https://fonts.gstatic.com;  
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;  
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://developers.google.com https://maps.googleapis.com https: ; 
media-src 'self' data: file: ;  img-src 'self' data: android-webview-video-poster: ;  
connect-src https://api.xxx.com https://apidev.xxx.com/ blob: file: data: https: ; 

it runs as both a app and native HTML5. I want to wildcard all http and https and wasnt sure if wildcard is http: https: http://. https://.

if the CSP is left BLANK in NSB does that imply all things are open or do I need to specify https://

Currently a blank CSP works great for http:// my issue is with https:// web services being called within my app

We have tried a ton of different versions on CSP, but no luck, is there any way to debug this at all, We are never getting a callback from GETJSON()

Here are some of the CSP’s we have tried, trying to open things all the way up and then work back

TEST 1-FAIL no connect
default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ filesystem: gap: https: http:;
style-src ‘self’ ‘unsafe-inline’ https: http:; font-src ‘self’ https: http:;
script-src ‘self’ ‘unsafe-eval’ ‘unsafe-inline’ https: http:; img-src ‘self’ data: https: http:;
connect-src ‘self’ https: http:; media-src ‘self’;">

TEST 2 - FAIL WHITE SCREEN
default-src https: ‘unsafe-inline’;
style-src https: ‘unsafe-inline’;
font-src https: ‘unsafe-inline’;
script-src https: ‘unsafe-inline’;
media-src htttps: ‘unsafe-inline’;
connect-src https: ‘unsafe-inline’;

TEST 3- fail no connect
default-src * ‘unsafe-inline’;
style-src * ‘unsafe-inline’;
font-src * ‘unsafe-inline’;
script-src * ‘unsafe-inline’;
media-src * ‘unsafe-inline’;
connect-src * ‘unsafe-inline’;

TEST 4- error code
default-src *;
style-src *;
font-src *;
script-src *;
media-src *;
connect-src *;

TEST 5- FAIL no connect
default-src ‘self’ https: ‘unsafe-inline’;
style-src ‘self’ https: ‘unsafe-inline’;
font-src ‘self’ https: ‘unsafe-inline’;
script-src ‘self’ https: ‘unsafe-inline’;
media-src ‘self’ htttps: ‘unsafe-inline’;
connect-src ‘self’ https: ‘unsafe-inline’;

TEST 6 -FAIL no connect
default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ filesystem: gap: https:;
style-src ‘self’ ‘unsafe-inline’ https:;
font-src ‘self’ https:;
script-src ‘self’ ‘unsafe-eval’ ‘unsafe-inline’ https:;
img-src ‘self’ data: https:;
connect-src ‘self’ https:;
media-src ‘self’;

When I’m figuring out this, I used the Remote Console. It usually gives a good message about what CSP rule is causing the problem.

Our challenge is that some of the security implemented at our customer is preventing us from running Remote console. The devices are on an internal WIFI and the devices (Android Phones) have manually added root and inter certificates. Is there any way to create any type of debug features in a test APP to see what is going on? Right now the app calls GETJSON and just never returns so we are at a dead end. I can manually call the web service that the app is trying to call from the phones browser, but the app is having no luck

I don’t know of any way to see the messages other than the Remote Console. Without knowing what the messages are, we’re playing blind man’s buff.

Thanks! Sorry I didn’t realize it was a holiday for y’all so thanks for the support.

It’s a tough one, the device actually requires a certificate on the Android device and server as it is a internally signed cert making this super challenging. Any thoughts on what the most unrestrictive CSP might be?

Also, I wasn’t sure if it needed to be wrapped with

<meta http-equiv="Content-Security-Policy" content="......

or Just the policies listed when entering the policies in the properties. Right now I’m just entering the policies, but wondering if that is an issue

so which is correct?

<meta http-equiv="Content-Security-Policy" content="
default-src https: 'unsafe-inline';  
style-src https: 'unsafe-inline';  
font-src https: 'unsafe-inline';
script-src https: 'unsafe-inline'; 
media-src htttps: 'unsafe-inline';  
connect-src https: 'unsafe-inline';">

or Just

default-src https: 'unsafe-inline';  
style-src https: 'unsafe-inline';  
font-src https: 'unsafe-inline';
script-src https: 'unsafe-inline'; 
media-src htttps: 'unsafe-inline';  
connect-src https: 'unsafe-inline';

Tip : If you’re pasting code, html or config files, surround the code with triple back ticks (```), before the first line and after the last one. It will be formatted properly. (We fixed it for you this time)

Yes, it does need to be wrapped in a meta tag.

Try running locally on your system to make sure it is at syntactically correct.

To get output on the Remote Console, you need to make a debug build. Can you explain to the client why you need to do this for a very limited test time?

Finally we were able to get permissions correct on our network devices to run debugger and have discovered a way to make this work.

#1- We went back to a blank CSP
#2- App calls JSON in Https: fine as long as the app is built Cordova Command: Run Android --Debug. If we Run Android-- Release HTTPS no longer works

So what is different from an app perspective between Debug and Release? I’m suspecting maybe a blank CSP is an issue, but why it runs in Debug is a mystery

I’m sorry - I don’t know the answer.

Do you have a whitelist defined in your config.xml? Something like this…

<plugin name="cordova-plugin-whitelist" source="npm" />
  <allow-navigation href="*" />
  <access origin="*" />
  <allow-intent href="*" />

Yes,

I few google searches and it looks like DEBUG perhaps ignores al SSL errors, where the RELEASE captures them.

Our problem seems to be SSL related, the customer we are running requires client certificates on the phone itself, so a bit different. We are trying various CSP settings, but most of the time, the app does not return any errors in the debug console .

GetJSON - never returns

AJAX - Responsestatus=0, responsetext=undefined

In Chrome debugger, network window shows the call status “Cancelled”

I have also seen several searches talking about challenges with certificates issues internally (In this case it is an internal corporate cert) and wondering if this is something in the APK that is not recognizing these certs…

FROM: Android APK HTTPS user certificates how-to · GitHub

Starting with Android Nougat, Google changed the way apps handle user certificates:

Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

This means that certificates issued by applications like Charles or mitmproxy are no longer accepted, so these proxies won’t work for HTTPS traffic.

This tutorial explains what needs to be done to overcome that restriction and be able to sniff any Android app’s HTTPS requests.

For instructions on how to pull, modify, rebuild and redeploy an Android app, see this tutorial.

I think you’re right that it has something to do with the client’s certificates. The work of building the APK is done by Cordova. I’d look there for possible solutions:

https://cordova.apache.org/docs/en/10.x/guide/appdev/security/

This looks like an interesting thing to try:

<platform name="android">
    <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application" xmlns:android="http://schemas.android.com/apk/res/android">
        <application android:debuggable="true" />
    </edit-config>
</platform>

Brilliant! It works!

We are doing testing on the app to ensure that the remaining production build attributes are ok, but it solved the issue. Thank you for your support, one of the best in the industry!!

What was the actual solution?

adding in the

application android:debuggable=“true” to config.xml

works, and the production build still works as a prod (so it still allows updates without uninstalling the original APK first like you have to do with a normal debug release)