TruckMovers / cordova-plugin-remote-injection

DEPRECATED: Cordova plugin to allow a remote site to interact with cordova's javascript APIs when loaded within a cordova app.
Apache License 2.0

Content Security Policy violation #6

Closed illegalprime closed 8 years ago

illegalprime commented 8 years ago

When plugin attempts to load the Cordova files, I receive an error:

Refused to load the script
'data:text/javascript;base64,Ly8gUGxhdGZvcm06IGFuZHJvaWQKLy8gYzUxN2NhODExYjQ…'
because it violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' 'unsafe-eval' http://…"

Is there a way to load the cordova apis without changing my csp?

bradleyjames commented 8 years ago

Off the top of my head no. I haven't dug into CSP enough to know if this could be locked down to just allow the app to inject.

If you go ahead and modify your CSP let me know what you end up with. I'll get something in the README on the topic.

illegalprime commented 8 years ago

^ This is what I came up with, what do you think?

bradleyjames commented 8 years ago

After digging around a bit I think I'm ok with the change but I need to do some testing before I merge it. In short, your update works because you have 'unsafe-inline' already in your CSP which is required to load the javascript: URL. The issue you ran into was I was loading the script via a data URL which is prevented unless the CSP specifies data: (which Mozilla highly discourages).

Thanks for the fix! If all goes well with my testing I'll merge it in the next day or two.

illegalprime commented 8 years ago

Great info, thanks for your quick responses!

bradleyjames commented 8 years ago

@illegalprime is it impossible to update your CSP?

What you'd need is:

script-src 'self' data:;

The default index.html generated by cordova contains something similar but actually opens up to all data URLs for the current site (the plugin works out of the box with it):

default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; ...

The innerHTML change isn't awful but it feels dirty. I'd rather be explicit about how the library gets injected and also not have it stop working one day because the innerHTML hole got plugged by some browser update.

Sorry for waffling so much on this but I'd rather leave things as is and update the documentation to more clearly state the injection requirements.
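To see why the reported policy refuses the data: URL while the two directives quoted above admit it (and why the javascript: route depends on 'unsafe-inline'), here is a small script-src evaluator. It is an added example, not code from the plugin or from either participant; it covers only the source expressions used in this thread, and the policies, hostnames and base64 fragment it is exercised with are constructed (http://api.example stands in for the elided host in the reported policy).

```javascript
// Added example, not the plugin's code: a minimal evaluator for the script
// portion of a CSP. It handles only what this thread uses: 'self', scheme
// sources (data:, gap:), plain host sources, and 'unsafe-inline' for
// javascript: URLs. No wildcard, port or path matching.

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// script-src governs scripts; when it is absent CSP falls back to default-src.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || null;
}

// Would a <script src=...> (or a javascript: URL) be allowed under `policy`
// on a page whose origin is `pageOrigin` (e.g. "http://api.example")?
function scriptAllowed(policy, src, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // neither directive present: unrestricted
  const url = new URL(src); // data: and javascript: URLs parse with origin "null"
  if (url.protocol === 'javascript:') {
    // javascript: URLs are treated as inline script and need 'unsafe-inline'
    return sources.includes("'unsafe-inline'");
  }
  for (const source of sources) {
    if (source === "'self'") {
      if (url.origin === pageOrigin) return true; // a data: URL never matches
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {
      if (url.protocol === source) return true; // scheme source, e.g. data:
    } else if (!source.startsWith("'")) {
      // host source, written as "https://ssl.gstatic.com" or "api.example"
      const ok = source.includes('://') ? url.origin === source : url.hostname === source;
      if (ok) return true;
    }
    // remaining keywords ('unsafe-eval', nonces, hashes) never allow a URL
  }
  return false;
}
```

With the reported policy the base64 data: script is refused; adding `data:` to script-src, or relying on the generated index.html's `default-src 'self' data: gap: ...`, lets it load.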

bradleyjames commented 8 years ago

I've updated the README. Thanks for the report and forcing me to learn a little bit. ;) If we find it to be a more serious issue I'm fine revisiting but I'd prefer the site owner to update their CSP.