j3k0 / cordova-plugin-purchase

In-App Purchase for Cordova on iOS, Android and Windows
https://purchase.cordova.fovea.cc

Incomplete Content-Security-Policy example #1503

Open danieldanielecki opened 5 months ago

danieldanielecki commented 5 months ago

Observed behavior

The example is pointing to use CSP as: `<meta http-equiv="Content-Security-Policy" content="default-src 'self' https: http://localhost:3000 https://*.iaptic.com 'unsafe-eval' 'unsafe-inline' gap: app: *; style-src 'self' 'unsafe-inline'; media-src *">`

Expected behavior

However, without `img-src * 'self' data: blob:` images in our apps/games will not work, returning `Refused to load the image 'data:image/png;base64,abcd123...==' because it violates the following Content Security Policy directive: "default-src 'self' https: http://localhost:3000 https://*.iaptic.com 'unsafe-eval' 'unsafe-inline' gap: app: *". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback. Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'data:' must be added explicitly.`

Therefore, I'm of the opinion the docs should refer to the CSP like this: `<meta http-equiv="Content-Security-Policy" content="default-src 'self' https: http://localhost:3000 https://*.iaptic.com 'unsafe-eval' 'unsafe-inline' gap: app: *; style-src 'self' 'unsafe-inline'; media-src *; img-src * 'self' data: blob:">`
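The two rules the browser error spells out (a missing `img-src` falls back to `default-src`, and `*` never matches `data:` or `blob:`) modelled in JavaScript, as an added example that is neither the plugin's code nor part of the report. The helper names, the app origin `https://localhost` and the `data:` image are assumptions; host sources ignore ports and paths for brevity.

```javascript
// Simplified model of CSP source-expression matching (added example, not the plugin's code).
// Assumptions: host sources ignore port and path, 'self' is plain origin equality.
const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);

// Parse "name src src; name src" into Map<directive, [sources]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Does one source expression match the resource URL? (WHATWG URL objects)
function sourceMatches(source, url, page) {
  const scheme = url.protocol.slice(0, -1);
  const pageScheme = page.protocol.slice(0, -1);
  // '*' matches network schemes or the page's own scheme; data:/blob: are excluded.
  if (source === "*") return NETWORK_SCHEMES.has(scheme) || scheme === pageScheme;
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', 'none' never match a URL
  // Scheme source such as https:, data:, blob:, gap:, app: (must be listed explicitly).
  if (source.endsWith(":") && !source.includes("://")) return scheme === source.slice(0, -1);
  // Host source, optionally with a scheme and a leading "*." wildcard.
  const [srcScheme, hostPart] = source.includes("://") ? source.split("://") : [null, source];
  if (srcScheme ? srcScheme !== scheme : !NETWORK_SCHEMES.has(scheme)) return false;
  const host = hostPart.split("/")[0].split(":")[0]; // drop path and port (simplification)
  return host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// Resolve the governing directive (falling back to default-src) and evaluate it.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const dirs = parsePolicy(policy);
  const sources = dirs.get(directive) ?? dirs.get("default-src");
  if (!sources) return true; // neither directive present: unrestricted
  const url = new URL(resourceUrl), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// The policy currently in the docs and the one proposed in this issue.
const DOCS_CSP = "default-src 'self' https: http://localhost:3000 https://*.iaptic.com 'unsafe-eval' 'unsafe-inline' gap: app: *; style-src 'self' 'unsafe-inline'; media-src *";
const PROPOSED_CSP = DOCS_CSP + "; img-src * 'self' data: blob:";
const PAGE = "https://localhost/index.html";      // assumed app origin
const DATA_IMG = "data:image/png;base64,abcd";    // constructed sample image

console.log("docs CSP allows data: image?", isAllowed(DOCS_CSP, "img-src", DATA_IMG, PAGE));         // false
console.log("proposed CSP allows data: image?", isAllowed(PROPOSED_CSP, "img-src", DATA_IMG, PAGE)); // true
```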