
Content Security Policy gets replaced when it contains line breaks #182

Open
light opened this issue Nov 14, 2016 · 5 comments

Comments

@light

light commented Nov 14, 2016

phonegap version 6.3.5

The phonegap cli tool adds its own values to the CSP tag when streaming to the phonegap mobile app; however, when there are line breaks in the source tag it does not modify it but overrides it instead. It seems to be due to a regexp in https://github.com/phonegap/connect-phonegap/blob/0.24.0/lib/util/injector-transform.js which checks for a single line only.

@surajpindoria
Collaborator

Hi @light,

This is currently how the CSP injection has been designed. Some additions to the CSP are required to allow the served app to work in the Developer App. We are aware that it can be a little frail due to the regex and are working on some potential new solutions to this issue. Sorry for any inconvenience in the meantime.

@timkim
Contributor

timkim commented Nov 15, 2016

Hi @light

Yes, as @surajpindoria said, the csp for some apps needs to be replaced in order for critical features of the dev app to work. However, I have updated the regex to be more forgiving with the help of @mwbrooks. In addition, the changes to the regex should help with some bugs regarding the csp.

timkim added a commit that referenced this issue Nov 16, 2016
@light
Author

light commented Nov 16, 2016

Shouldn't the header be left alone when there is no CSP to begin with? As of now a CSP tag gets injected with more stringent constraints on origins; for example, if there is no img-src it will add one for 'self', data: and content:, but not *, so loading of remote images will fail.

@filmaj
Collaborator

filmaj commented Apr 24, 2017

Sounds like there is still an open question / issue here, right @timkim @surajpindoria ? We are injecting more CSP where we probably shouldn't? Any clarification on path forward to resolve this issue here?

@surajpindoria
Collaborator

Yes, we do the CSP injection by first finding a particular string and then replacing from there:

```html
<script type="text/javascript" src="cordova.js"></script>
```

Someone else recently brought up the case where they had removed script type from the tag and it wasn't working properly either. We need to come up with a better solution.

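The following is an added example, not code from connect-phonegap or from anyone in this thread. It puts the three complaints above side by side in working JavaScript: a single-line regex that returns nothing when the CSP `<meta>` tag spans lines, a tag-first matcher that tolerates line breaks and attribute order (and finds the `cordova.js` script tag with or without a `type` attribute), and a merge step that adds sources to the existing directives instead of replacing the policy, so an author's `img-src *` (or a `default-src *` fallback) survives. The sample pages, the helper names and the `REQUIRED` source lists are assumptions chosen for illustration; the project's real injected values are not given on this page.

```javascript
// Added example, not code from connect-phonegap. It demonstrates the two
// problems raised in this thread: a single-line regex misses a CSP <meta> tag
// that spans lines, and replacing the policy outright makes it stricter than
// the app's own (no img-src * any more). Function names and the REQUIRED
// sources are assumptions chosen for illustration, not the project's values.

// Constructed sample page: the CSP meta tag is formatted across several lines.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self';
               img-src *;
               script-src 'self' 'unsafe-inline'">
<script src="cordova.js"></script>
</head><body></body></html>`;

// Constructed sample with no img-src at all; images then fall back to default-src.
const SAMPLE_NO_IMG_SRC =
  '<html><head><meta http-equiv="Content-Security-Policy" content="default-src *">' +
  '<script type="text/javascript" src="cordova.js"></script></head><body></body></html>';

// The fragile approach: "." never matches "\n", so this returns null on SAMPLE_HTML.
function singleLineContent(html) {
  const m = html.match(/<meta .*?http-equiv="Content-Security-Policy".*?content="(.*?)".*?>/i);
  return m ? m[1] : null;
}

// Tolerant approach: match the whole tag first ([^>] does cross newlines), then
// pull the attributes out of it, so attribute order and line breaks do not matter.
function findCspMeta(html) {
  for (const m of html.matchAll(/<meta\b[^>]*>/gi)) {
    const tag = m[0];
    if (!/http-equiv\s*=\s*["']Content-Security-Policy["']/i.test(tag)) continue;
    const c = tag.match(/content\s*=\s*(["'])([\s\S]*?)\1/i);
    return { tag, index: m.index, content: c ? c[2] : '' };
  }
  return null;
}

// The opening cordova.js script tag, with or without a type attribute and
// whatever other attributes the author put on it.
function findCordovaScript(html) {
  const m = html.match(/<script\b[^>]*\bsrc\s*=\s*["']cordova\.js["'][^>]*>/i);
  return m ? m[0] : null;
}

// "directive src src; directive src" -> Map(directive -> [src, ...])
function parsePolicy(content) {
  const directives = new Map();
  for (const raw of content.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializePolicy(directives) {
  return [...directives].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Sources the served app is assumed to need inside the dev app (illustrative only).
const REQUIRED = {
  'connect-src': ["'self'", 'ws:', 'http:', 'https:'],
  'img-src': ["'self'", 'data:', 'content:'],
  'script-src': ["'self'", "'unsafe-inline'"],
};

// Add sources to each directive instead of replacing the policy. A directive
// the author did not set inherits default-src (that is what the browser would
// have applied), so an existing "*" keeps remote images working. 'none' cannot
// coexist with other sources, so it is dropped once something is added.
function mergePolicy(directives, required) {
  const merged = new Map(directives);
  for (const [name, sources] of Object.entries(required)) {
    const existing = merged.get(name) ?? merged.get('default-src') ?? [];
    const kept = existing.filter((s) => s.toLowerCase() !== "'none'");
    merged.set(name, [...new Set([...kept, ...sources])]);
  }
  return merged;
}

// Rewrite the page's CSP in place; a page with no CSP is left untouched.
function injectCsp(html, required = REQUIRED) {
  const found = findCspMeta(html);
  if (!found) return html;
  const policy = serializePolicy(mergePolicy(parsePolicy(found.content), required));
  const tag = `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
  return html.slice(0, found.index) + tag + html.slice(found.index + found.tag.length);
}

console.log(injectCsp(SAMPLE_HTML));
```

Note that `*` in CSP matches only network schemes, so `data:` and `content:` still have to be added even when the author's directive is already `*`; the merge above does that without dropping the wildcard.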

4 participants