Tonny, here’s a pretty good and generic development CSP. This one is set up to use some Google code (like Google Maps) and you’ll have to edit it and change “yourdomain” to whatever your domain is.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' filesystem: gap: https://*.yourdomain.com/ https://maps.googleapis.com/; style-src 'self' 'unsafe-inline' https://*.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://maps.googleapis.com/; img-src 'self' data: https://*.gstatic.com/ https://*.googleapis.com/; connect-src 'self' https://*.yourdomain.com/ ws://localhost:*; media-src 'self';">
As I mentioned before, on the server side, your scripts need to provide the correct response in the header. For ease I’m including a small .php file that I use to simply return the latest version of my app (for when I or a user checks for upgrades).
As before, you’ll need to change yourdomain.com to your domain. In this case I pass in an appid string as Mob1.0 but you can make this anything you want.
<?php
// latest version
$version = "1.0";
// send the content back
header('Access-Control-Allow-Origin: https://www.yourdomain.com');
header('Content-type: application/json');
// see if whomever is calling is authorized to do so
// in the future this will allow us to support different versions
// (null coalescing avoids an "undefined index" notice when appid is absent)
$appid = $_POST['appid'] ?? '';
switch ($appid)
{
    case "Mob1.0":
        $options = array('status' => "OK", 'version' => $version);
        break;
    default:
        // return a failed status to the page
        $options = array('status' => "FAILED", 'text' => "Unauthorized Access Attempt: " . $appid);
}
// return the results to the client
$output = json_encode($options);
// error_log($output);
echo $output; // send it to the browser
?>
Lastly, I make the call using the following jQuery AJAX:
function checkVersion()
{
    // serviceURL is defined as:
    // var serviceURL = "https://www.yourdomain.com/mobile/";
    // latestVersion and ajaxError() are defined elsewhere in the app.
    $.ajax({
        type: 'POST',
        url: serviceURL + 'serGetVersion.php',
        data: "appid=Mob1.0",
        dataType: 'json', // option name is case-sensitive; 'datatype' would be ignored
        timeout: 5000,
        cache: false,
        beforeSend: function() {
            // Show spinner
            $.mobile.loading('show');
        }
    }).done(function(data, textStatus, jqXHR) {
        if (data.status == "OK")
        {
            latestVersion = data.version;
        }
    }).fail(function(xhr, textStatus, error) {
        ajaxError(xhr, textStatus, error, 1041);
    }).always(function(jqXHR, textStatus) {
        $.mobile.loading('hide');
    });
}
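As an added example (not part of the original post), here is a small JavaScript auditor that parses a CSP string like the development policy above and reports the settings that weaken it, so the policy can be checked before it ships; the DEV_CSP constant and the parseCsp/auditCsp names are my own, not the post's.

```javascript
// Added example, not code from the original post: parse a CSP string the way
// a browser splits it (';'-separated directives, each a name followed by
// source expressions) and report settings that weaken it. DEV_CSP is the
// development policy quoted in the post; parseCsp/auditCsp are names chosen here.
const DEV_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval' filesystem: gap: " +
  "https://*.yourdomain.com/ https://maps.googleapis.com/; style-src 'self' 'unsafe-inline' " +
  "https://*.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; script-src 'self' " +
  "'unsafe-eval' 'unsafe-inline' https://maps.googleapis.com/; img-src 'self' data: " +
  "https://*.gstatic.com/ https://*.googleapis.com/; connect-src 'self' " +
  "https://*.yourdomain.com/ ws://localhost:*; media-src 'self';";

// Map of directive name -> source list. Browsers honour only the first
// occurrence of a repeated directive, so later duplicates are dropped.
function parseCsp(policy) {
  const directives = new Map();
  for (const segment of policy.split(';')) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as script-src fall back to default-src when absent.
function effectiveSources(directives, name) {
  return directives.get(name) || directives.get('default-src') || [];
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = effectiveSources(d, 'script-src');
  // CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is listed,
  // so only report it when it is actually in effect.
  const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src: 'unsafe-inline' in effect, injected inline scripts are not blocked");
  if (script.includes("'unsafe-eval'"))
    findings.push("script-src: 'unsafe-eval' allows eval()/new Function() on untrusted strings");
  // Plaintext http:/ws: sources can be altered in transit.
  for (const [name, sources] of d)
    for (const src of sources)
      if (/^(ws|http):/i.test(src)) findings.push(`${name}: plaintext source ${src}`);
  // base-uri does not inherit from default-src; without it an injected
  // <base> tag can redirect every relative script URL.
  if (!d.has('base-uri')) findings.push("base-uri: not set");
  return findings;
}
```

Running auditCsp(DEV_CSP) yields four findings for the policy above: 'unsafe-inline' and 'unsafe-eval' in script-src, the ws://localhost:* connect-src entry, and the missing base-uri; a policy using a nonce instead of 'unsafe-inline' and only https: sources comes back clean.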