Closed illegalprime closed 8 years ago
Off the top of my head no. I haven't dug into CSP enough to know if you this could be locked down to just allow the app to inject.
If you go ahead and modify your CSP let me know what you end up with. I'll get something in the README on the topic.
^ This is what I came up with, what do you think?
After digging around a bit I think I'm ok with the change but I need to do some testing before I merge it. In short, your update works because you have 'unsafe-inline'
already in your CSP which is required to load the javascript:
URL. The issue you ran into was I was loading the script via a data URL which is prevented unless the CSP specifies data:
(which Mozilla highly discourages).
Thanks for the fix! If all goes well with my testing I'll merge it in the next day or two.
Great info, thanks for your quick responses!
@illegalprime is it impossible to update your CSP?
What you'd need is:
script-src 'self' data:;
The default index.html generated by cordova contains something similar but actually opens up to all data URLs for the current site (the plugin works out of the box with it):
default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; ...
The innerHTML change isn't awful but it feels dirty. I'd rather be explicit about how the library gets injected and also not have it stop working one day because the innerHTML hole got plugged by some browser update.
Sorry for waffling so much on this but I'd rather leave things as is and update the documentation to more clearly state the injection requirements.
I've updated the README. Thanks for the report and forcing me to learn a little bit. ;) If we find it to be a more serious issue I'm fine revisiting but I'd prefer the site owner to update their CSP.
When plugin attempts to load the Cordova files, I receive an error:
Is there a way to load the cordova apis without changing my csp?