1

I'm creating an Android application in Cordova which consumes a REST service using AngularJS. I test this application first in the browser with this URL file:///C:/Users/Users/MyApps/project/platforms/android/assets/www/index.html#/demande/list but that still gives this error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://10.0.2.2:8080/springrestprojet/rest/demande. Reason: CORS request failed.

I'm using a CORS filter to enable access. This is the code of my service.js:

'use strict';

angular.module('workflowService', ['ngResource']).
  factory('Demande', function ($resource) {
    return $resource('http://10.0.2.2:8080\:8080/springrestprojet/rest/demande/:id', {}, {
      'save': {
        method: 'PUT',
        headers: {
          'Content-Type': 'application/json',
          'Access-Control-Allow-Origin': '*',
          'Access-Control-Allow-Methods': 'POST, GET, OPTIONS, PUT',
          'Access-Control-Request-Method': '*',
          'Access-Control-Allow-Headers': '*',
          'Accept': 'application/json'
        }
      },
    });
  });

Any help, please? Thanks a lot.

sad

2 Answers

0

For a few months now, access origin="*" has not been enough.

Try to install this plugin:

sudo cordova plugin add https://github.com/apache/cordova-plugin-whitelist

And then, in your config.xml, add a line like this one:

<allow-navigation href="*" />

The * isn't recommended, but it'll work for everything. You can specify the path like this: http://yourWebSite.com/*

Guillaume Munsch
  • Thanks for your proposition, but I already have the plugin "cordova-plugin-whitelist" installed on Android. I also did that in my config.xml and I still have the same error! – sad Jul 02 '15 at 12:11
  • How are you testing this ? D'you have any phone or emulator to test it on ? – Guillaume Munsch Jul 02 '15 at 13:01
  • Yes, I run this on the Genymotion emulator. It shows me the views and I can navigate between them, but they don't contain the REST data, so I tried from the browser just so that I can see the error. – sad Jul 02 '15 at 13:20
  • Also, when I have the same project in web format and I run it on localhost, it works fine. But I'm interested in the mobile project. – sad Jul 02 '15 at 13:24
  • What happened to me once is that the emulator didn't have a connection to the internet. It wasn't shared with my computer. Check this out too! – Guillaume Munsch Jul 02 '15 at 14:27
  • I checked that, my emulator has a wifi connection. – sad Jul 02 '15 at 14:36
-1

I suspect that in the latest versions the plugin cordova-plugin-whitelist requires configuring the meta http-equiv="Content-Security-Policy" in each HTML file of your project.

With first version it only displayed warnings, but considering several questions seen here, maybe the behaviour has changed...

So you have two solutions:

  • remove the plugin cordova-plugin-whitelist and add cordova-plugin-legacy-whitelist instead; Cordova will then behave as with Cordova 3.x, where only access origin was checked (not recommended regarding security)
  • or you learn about Content-Security-Policy, for example by reading this page, and update your HTML files.

More info on Raymond Camden's blog or in the plugin's documentation.

Edit: now I remember, it's not that it changed in the latest version, it's that the content security policy is checked on Android starting with KitKat, so the same app with cordova-plugin-whitelist and no CSP configured would work in Android < 4.4 and fail in 4.4+.

So note to all Cordova/PhoneGap developers: test your CSP code in KitKat or Lollipop or you may have bad surprises!

QuickFix
  • CSP does not allow something the app can't provide. It is just filtering what is already provided. – Asqan Sep 10 '15 at 10:55
  • Sorry, but I really don't get the purpose of this comment... The fact is that with a recent version of Cordova + a recent version of Android, if you don't configure CSP you can't make cross-origin requests. Where did you read that I suggested configuring CSP would allow something the app can't provide??? – QuickFix Sep 14 '15 at 08:28
  • you can read http://www.raymondcamden.com/2015/05/25/important-information-about-cordova-5 and http://stackoverflow.com/questions/12924717/does-content-security-policys-connect-src-directive-allow-you-to-make-cross-dom – Asqan Sep 14 '15 at 08:37
  • Are you aware that the link you provided has been in my comment? And I still see no link with your comment... – QuickFix Sep 14 '15 at 10:15
  • This is from the link you provided in your answer: `If you include the plugin and do not include a CSP, your access falls back to the access tag in config.xml, which is probably * (i.e. everything allowed).` Thus, no CSP -> everything is already allowed (by default, according to the privileges of your config.xml). Further use of CSP cannot change something which is not provided in config.xml. The same is also said in the question I sent the link to in my previous comment. – Asqan Sep 14 '15 at 10:33
  • I never wrote that CSP would allow access to something that would be disabled in config.xml. What I said is that if you do not configure CSP and use cordova-plugin-whitelist on an OS that supports CSP (like Android >= 4.4) then things like CORS will be blocked because of the default CSP directives. I see the sentence you're referring to in Ray's article, but that's not what I've seen on Android. – QuickFix Sep 14 '15 at 14:45
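
The CSP check discussed in the second answer, as an added example (not code from the answers or from the plugin): a simplified evaluator for the connect-src directive, which governs XHR requests such as those made by $resource. The policy strings are constructed samples, the function names are hypothetical, and the endpoint is the one from the question.

```javascript
// Added example: simplified CSP source matching (paths, nonces and hashes are ignored).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "name src1 src2; name2 src3" into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return selfOrigin !== null && url.origin === selfOrigin;
  if (source === '*') return url.protocol in DEFAULT_PORT; // '*' covers network schemes only
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Assumption: a schemeless host-source is compared on host and port only.
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = host.toLowerCase(); // keywords such as 'unsafe-eval' never equal a hostname
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  // No port in the source means "the scheme's default port", not "any port".
  const portOk = port === '*' || (port || DEFAULT_PORT[url.protocol]) === urlPort;
  return hostOk && portOk;
}

// connect-src governs XHR/fetch; when absent, the browser falls back to default-src.
function connectAllowed(policy, target, selfOrigin = null) {
  const directives = parsePolicy(policy);
  const sources = directives.get('connect-src') || directives.get('default-src');
  if (!sources) return true; // neither directive present: connections are unrestricted
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed sample policies; API is the endpoint from the question.
const API = 'http://10.0.2.2:8080/springrestprojet/rest/demande';
const BASE = "default-src 'self' data: gap: 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
console.log(connectAllowed(BASE, API));                                               // false
console.log(connectAllowed(BASE + "; connect-src 'self' http://10.0.2.2", API));      // false
console.log(connectAllowed(BASE + "; connect-src 'self' http://10.0.2.2:8080", API)); // true
```

The second case shows why the port belongs in the policy: a host-source without a port only matches the scheme's default port, so the REST endpoint on 8080 stays blocked.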