MobileChromeApps / mobile-chrome-apps

Chrome apps on Android and iOS
BSD 3-Clause "New" or "Revised" License

CSP error with CCA 0.7.1 when processMessage #584

Closed jmorille closed 8 years ago

jmorille commented 8 years ago

When consuming NFC messages with the plugin

  <plugin name="com.chariotsolutions.nfc.plugin" spec="^0.6.2"/>

an error was raised by the cca (or cordova) framework with a CSP violation:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src file: data: chrome-extension: https://ssl.gstatic.com".
processMessage @ cordova.js:1070
processMessages @ cordova.js:1104
pollOnce @ cordova.js:973
pollOnceFromOnlineEvent

That was raised by the call

  // This is deprecated on the .java side. It doesn't work with CSP enabled.
    eval(message.slice(1));

in the corresponding function at cordova.js:1066:

// Processes a single message, as encoded by NativeToJsMessageQueue.java.
function processMessage(message) {
    var firstChar = message.charAt(0);
    if (firstChar == 'J') {
        // This is deprecated on the .java side. It doesn't work with CSP enabled.
        eval(message.slice(1));
    } else if (firstChar == 'S' || firstChar == 'F') {
        var success = firstChar == 'S';
        var keepCallback = message.charAt(1) == '1';
        var spaceIdx = message.indexOf(' ', 2);
        var status = +message.slice(2, spaceIdx);
        var nextSpaceIdx = message.indexOf(' ', spaceIdx + 1);
        var callbackId = message.slice(spaceIdx + 1, nextSpaceIdx);
        var payloadMessage = message.slice(nextSpaceIdx + 1);
        var payload = [];
        buildPayload(payload, payloadMessage);
        cordova.callbackFromNative(callbackId, success, status, payload, keepCallback);
    } else {
        console.log("processMessage failed: invalid message: " + JSON.stringify(message));
    }
}
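To make the CSP point concrete, here is an added example (not cordova.js itself, and not part of the original issue) that parses the bridge message format processMessage() decodes above without ever calling eval. The 'S'/'F' layout ("S" or "F", then the keepCallback flag, the status, a space, the callbackId, a space, and the payload) is taken from processMessage(). The payload type tags handled by buildPayload() ('s' string, 't'/'f' booleans, 'N' null, 'n' number, 'M' multipart, anything else JSON) are an assumption here, since buildPayload() is not shown on the page, and the sample messages are constructed, not captured from a device.

```javascript
// Added example: CSP-safe decoding of cordova's native-to-JS bridge messages.
// Only the 'S'/'F' branch is decoded; 'J' messages (raw JavaScript source) are
// refused instead of eval()'d, which is exactly what a CSP without
// 'unsafe-eval' forces. The payload tag set below is an ASSUMPTION modelled on
// buildPayload(), which the page does not show; binary kinds are left out.

// Decode one typed payload item and append it to `payload`.
function buildPayload(payload, message) {
    const kind = message.charAt(0);
    switch (kind) {
        case 's': payload.push(message.slice(1)); break;
        case 't': payload.push(true); break;
        case 'f': payload.push(false); break;
        case 'N': payload.push(null); break;
        case 'n': payload.push(+message.slice(1)); break;
        case 'M': {
            // Multipart: a sequence of "<len> <item>" chunks, decoded recursively.
            let rest = message.slice(1);
            while (rest !== '') {
                const spaceIdx = rest.indexOf(' ');
                const len = +rest.slice(0, spaceIdx);
                buildPayload(payload, rest.substr(spaceIdx + 1, len));
                rest = rest.slice(spaceIdx + 1 + len);
            }
            break;
        }
        default:
            // JSON goes through JSON.parse, never eval: this is what keeps the
            // structured path working under a CSP that lacks 'unsafe-eval'.
            payload.push(JSON.parse(message));
    }
}

// Parse a bridge message into a plain object (instead of firing callbacks),
// so the result can be inspected or tested.
function parseBridgeMessage(message) {
    const firstChar = message.charAt(0);
    if (firstChar === 'J') {
        // Deprecated path: the native side shipped JavaScript source text.
        // cordova.js would eval() it and the CSP rejects that with EvalError.
        // Here the message is refused without evaluating anything.
        return { type: 'rejected-eval', source: message.slice(1) };
    }
    if (firstChar === 'S' || firstChar === 'F') {
        const success = firstChar === 'S';
        const keepCallback = message.charAt(1) === '1';
        const spaceIdx = message.indexOf(' ', 2);
        const status = +message.slice(2, spaceIdx);
        const nextSpaceIdx = message.indexOf(' ', spaceIdx + 1);
        const callbackId = message.slice(spaceIdx + 1, nextSpaceIdx);
        const payload = [];
        buildPayload(payload, message.slice(nextSpaceIdx + 1));
        return { type: 'callback', success, keepCallback, status, callbackId, payload };
    }
    return { type: 'invalid', raw: message };
}

// Constructed sample messages (not captured from a real device).
const SAMPLE_STRUCTURED = 'S11 NfcPlugin1234567 {"type":"ndef","tag":{"id":[4,31,200]}}';
const SAMPLE_MULTIPART = 'S01 NfcPlugin1234568 M4 sabc1 t6 n12345';
const SAMPLE_EVAL = 'Jcordova.fireDocumentEvent("ndef", {"tag":{}});';

function demo() {
    return [SAMPLE_STRUCTURED, SAMPLE_MULTIPART, SAMPLE_EVAL].map(parseBridgeMessage);
}

console.log(JSON.stringify(demo(), null, 2));
```

The first two samples decode fully with JSON.parse and string slicing; the third is the shape a plugin produces when it pushes JavaScript source to the WebView, and it is the only one whose handling requires 'unsafe-eval' in the CSP.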

jmorille commented 8 years ago

The corresponding issue is open in the cordova-android project: https://issues.apache.org/jira/browse/CB-9277

agrieve commented 8 years ago

I would consider this a bug in the plugin (worth opening an issue there).

Without fixing the plugin, you can work around it by lowering your app's CSP to allow unsafe-eval. See cspUnsafeEval in manifest.mobile.json: https://github.com/MobileChromeApps/mobile-chrome-apps/blob/master/docs/NextSteps.md

jmorille commented 8 years ago

Thanks for the workaround, it is working.

This is not a bug in the plugin but a bug in cordova (see https://issues.apache.org/jira/browse/CB-9277 for details). This bug is related to the internal message system in cordova, which means it could have an impact on many other plugins that use this message processing.

That is why I have also opened this bug in cca, to update the cordova dependency as soon as possible and to keep an eye on this ticket.

jmorille commented 8 years ago

You are right, it is a plugin problem because they use deprecated APIs. https://github.com/chariotsolutions/phonegap-nfc/issues/196