You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cordova.apache.org by "Michael Schmidt (JIRA)" <ji...@apache.org> on 2017/04/18 13:45:41 UTC

[jira] [Created] (CB-12669) cordova.js contains inline script on windows - CSP violation, potentially insecure

Michael Schmidt created CB-12669:
------------------------------------

             Summary: cordova.js contains inline script on windows - CSP violation, potentially insecure
                 Key: CB-12669
                 URL: https://issues.apache.org/jira/browse/CB-12669
             Project: Apache Cordova
          Issue Type: Bug
          Components: Windows
         Environment: cordova: 6.5.0
cordova-windows: 4.4.3
cordova-android 6.1.2
cordova-ios 4.3.1
            Reporter: Michael Schmidt


Including the cordova script seems to cause a CSP violation on windows:

with 
{code}
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval';">
  <script src="cordova.js"></script>
{code}

the following error message appears:
{code}
CSP14312: Resource violated directive 'script-src 'self' 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">: inline script. Resource will be blocked.
{code}

this message disappears on commenting the cordova.js script tag out

The same source code works on the other platform iOS & Android without a problem, i.e. the cordova.js seems to have problematic windows-specific code.

For security reasons we don't want to add the "unsafe-inline" flag to the csp.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org