phonegap / connect-phonegap

Stream a PhoneGap app to any device.
Apache License 2.0

Content Security Policy gets replaced when it contains line breaks #182

Open light opened 7 years ago

light commented 7 years ago

phonegap version 6.3.5

The phonegap cli tool adds its own values to the CSP tag when streaming to the phonegap mobile app, however when there are line breaks in the source tag it does not modify it but overrides it instead. It seems due to a regexp in https://github.com/phonegap/connect-phonegap/blob/0.24.0/lib/util/injector-transform.js which checks for a single line only.

surajpindoria commented 7 years ago

Hi @light,

This is currently how the CSP injection has been designed. Some additions to the CSP are required to allow the served app to work in the Developer App. We are aware that it can be a little frail due to the regex and are working on some potential new solutions to this issue. Sorry for any inconvenience in the meantime.

timkim commented 7 years ago

Hi @light

Yes, as @surajpindoria said, the csp for some apps needs to be replaced in order for critical features of the dev app to work. However, I have updated the regex to be more forgiving with the help of @mwbrooks. In addition, the changes to the regex should help some with some bugs regarding the csp.

light commented 7 years ago

Shouldn't the header be left alone when there is no CSP to begin with? As of now a CSP tag gets injected with more stringent constraints on origins, for example if there is no img-src it will add one for 'self', data: and content:, but not *, so loading of remote images will fail.

filmaj commented 7 years ago

Sounds like there is still an open question / issue here, right @timkim @surajpindoria? We are injecting more CSP where we probably shouldn't? Any clarification on path forward to resolve this issue here?

surajpindoria commented 7 years ago

Yes, we do the CSP injection by first finding a particular string and then replacing from there: <script type="text/javascript" src="cordova.js"></script>

Someone else recently brought up the case where they had removed script type from the tag and it wasn't working properly either. We need to come up with a better solution.
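An added example of the kind of merge-based injection this thread is asking for; it is not connect-phonegap's code and does not reproduce its regex. It locates the CSP meta tag with a character class that spans line breaks (the single-line failure from the first comment), widens existing directives instead of replacing the tag, seeds a newly added directive from default-src so the policy is never narrower than what the app shipped (the img-src complaint above), and leaves pages with no CSP meta tag untouched. The directives in REQUIRED_SOURCES are constructed for the example and are not the list the Developer App actually needs.

```javascript
// Added example, not connect-phonegap's own code: merge the sources a
// streaming tool needs into an existing <meta http-equiv="Content-Security-Policy">
// tag instead of replacing the whole tag.

// Hypothetical additions, constructed for this example; not the list the
// PhoneGap Developer App actually requires.
const REQUIRED_SOURCES = {
  'connect-src': ['ws:', 'wss:'],
  'script-src': ["'unsafe-inline'"],
};

// `[^>]` matches newlines, so a tag whose attributes span several lines is
// still found (a `.`-based pattern would stop at the first line break).
// Attribute order is not assumed: the whole tag is captured first and the
// content= attribute is pulled out of it afterwards.
const META_RE = /<meta\b[^>]*?\bhttp-equiv\s*=\s*["']content-security-policy["'][^>]*>/i;
const CONTENT_RE = /\bcontent\s*=\s*(["'])([\s\S]*?)\1/i;

// "default-src 'self';\n img-src *" -> Map { 'default-src' => ["'self'"], 'img-src' => ['*'] }
function parsePolicy(text) {
  const policy = new Map();
  for (const raw of text.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function serializePolicy(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Widen, never narrow: append missing sources to a directive that already
// exists. If the directive is absent, seed it from default-src (the fallback
// the browser was applying) before adding to it, so introducing the directive
// does not silently drop sources the page relied on. If there is no
// default-src either, nothing restricted that fetch type, so add nothing.
function mergePolicy(policy, additions) {
  const merged = new Map(policy);
  for (const [name, extra] of Object.entries(additions)) {
    let sources;
    if (merged.has(name)) {
      sources = [...merged.get(name)];
    } else if (merged.has('default-src')) {
      sources = [...merged.get('default-src')];
    } else {
      continue;
    }
    for (const src of extra) if (!sources.includes(src)) sources.push(src);
    merged.set(name, sources);
  }
  return merged;
}

// Returns the policy string of the CSP meta tag, or null if the page has none.
function extractPolicy(html) {
  const tag = html.match(META_RE);
  if (!tag) return null;
  const content = tag[0].match(CONTENT_RE);
  return content ? content[2] : null;
}

// Rewrites only the content attribute of the existing tag; a page with no CSP
// meta tag is returned unchanged rather than being given a new policy.
function injectCsp(html, additions = REQUIRED_SOURCES) {
  const tag = html.match(META_RE);
  if (!tag) return html;
  const content = tag[0].match(CONTENT_RE);
  if (!content) return html;
  const policy = serializePolicy(mergePolicy(parsePolicy(content[2]), additions));
  const newTag = tag[0].replace(CONTENT_RE, (_m, q) => `content=${q}${policy}${q}`);
  return html.replace(tag[0], () => newTag);
}

// Constructed sample: a multi-line tag like the one the issue describes.
const SAMPLE = `<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data:;
               img-src 'self' *;
               connect-src 'self'">
<script type="text/javascript" src="cordova.js"></script>
</head></html>`;

console.log(extractPolicy(injectCsp(SAMPLE)));
```

Anchoring on the meta tag rather than on the cordova.js script tag also avoids the second failure described in this thread, where an app that changed the script tag's attributes no longer matched the search string.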