
I am working with a hybrid Cordova application on iOS. The latest version of Cordova adds this line to the head tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

and when I build for the simulator or a device, it returns this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

This error appears at the moment of interaction with the server, blocking the AJAX requests.

What am I doing wrong? Please help!!!

inane
  • http://stackoverflow.com/questions/30172654/cordova-content-security-policy –  Feb 11 '16 at 10:35
  • I have uninstalled the "white-list" plugin but it doesn't work. Any more specific steps to follow? – inane Feb 11 '16 at 11:44

1 Answer


The error message is telling you that your current content security policy prohibits requests to the domain you're making the request to, as you haven't specified that it is allowed to do so. Include this in the CSP tag:

script-src https://yourajaxdomainhere

So it becomes

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src https://yourajaxdomainhere; media-src *">

Also ensure the domain you're sending requests to is added as an allowed origin in your config.xml file.

<access origin="https://yourajaxdomainhere" />

More information on content security policy is here

JOC
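Added example (not part of the original posts and not Cordova's own code): a small JavaScript evaluator showing which directive the question's policy applies to inline scripts (`script-src`, falling back to `default-src`, as the error message notes) and which it applies to XMLHttpRequest targets (`connect-src`, with the same fallback). The API origin `https://api.example.com` and page origin `https://app.example` are constructed placeholders, and the source matching is simplified.

```javascript
// Added example: covers only directive fallback, 'unsafe-inline' and simple source matching.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fetch directives fall back to default-src when not set explicitly.
function effective(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.has('default-src') ? directives.get('default-src') : null;
}

// Inline <script> needs 'unsafe-inline' (ignored if a nonce or hash is listed).
function allowsInlineScript(directives) {
  const sources = effective(directives, 'script-src');
  if (sources === null) return true; // nothing restricts scripts
  const nonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}

// XMLHttpRequest/fetch targets are checked against connect-src.
// Simplified matching: '*', 'self', scheme sources, exact origins.
function allowsConnect(directives, url, pageOrigin) {
  const sources = effective(directives, 'connect-src');
  if (sources === null) return true;
  const target = new URL(url);
  return sources.some(src => {
    if (src === '*') return /^(https?|wss?):$/.test(target.protocol);
    if (src === "'self'") return target.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    try { return new URL(src).origin === target.origin; } catch { return false; }
  });
}

// Policy from the question; API and page origins below are constructed.
const QUESTION_POLICY = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *";
const API = 'https://api.example.com/items';
const PAGE = 'https://app.example';
const before = parseCsp(QUESTION_POLICY);
const after = parseCsp(QUESTION_POLICY + "; connect-src 'self' https://api.example.com");
console.log(allowsInlineScript(before), allowsConnect(before, API, PAGE));
console.log(allowsInlineScript(after), allowsConnect(after, API, PAGE));
```

Adding a `connect-src` entry changes only the request check; inline scripts remain blocked until the governing script directive permits them or the script is moved into a separate file.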