-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content Security Policy gets replaced when it contains line breaks #182
Comments
Hi @light, This is currently how the CSP injection has been designed. Some additions to the CSP are required to allow the served app to work in the Developer App. We are aware that it can be a little frail due to the regex and are working on some potential new solutions to this issue. Sorry for any inconvenience in the meantime. |
Hi @light Yes, as @surajpindoria said, the csp for some apps needs to be replaced in order for critical features of the dev app to work. However, I have updated the regex to be more forgiving with the help of @mwbrooks . In addition, the changes to the regex should help some with some bugs regarding the csp. |
Shouldn't the header be left alone when there is no CSP to begin with ? As of now a CSP tags gets injected with more stringent constraints on origins, for example if there is no img-src it will add one for |
Sounds like there is still an open question / issue here, right @timkim @surajpindoria ? We are injecting more CSP where we probably shouldn't? Any clarification on path forward to resolve this issue here? |
Yes, we do the CSP injection by first finding a particular string and then replacing from there. Someone else recently brought up the case where they had removed script type from the tag and it wasn't working properly either. We need to come up with a better solution. |
phonegap version 6.3.5
The phonegap cli tool adds its own values to the CSP tag when streaming to the phonegap mobile app, however when there are line breaks in the source tag it does not modify it but overrides it instead. It seems due to a regexp in https://github.com/phonegap/connect-phonegap/blob/0.24.0/lib/util/injector-transform.js which checks for a single line only.
The text was updated successfully, but these errors were encountered: