Content Security Policy with Apple App Test, ionic and pouchDB

Question

We use ionic and pouchDB (Couch DB) in iOS, WinPho, Android. All work fine apart from in Apple App Store Test where we see server logs for the api calls, but not for the couch calls. So

    https://api.example.com connects OK
    https://couch.example.com doesn't connect

It started with iOS 10. We adjusted the CSP, it worked. Now it's stopped working again. Here's the CSP:

<meta http-equiv="Content-Security-Policy" 
       content="default-src 'self' * blob: gap://ready file://*;
       style-src 'self' 'unsafe-inline';
       script-src 'self' 'unsafe-inline' 'unsafe-eval' *;
       media-src *"/>

What we really don't understand is why it works fine everywhere except in Apple's test lab (in Cupertino). The Apple Docs point to CSP2.0 on W3C (link below) but it is not clear how exactly these are followed, for instance, some say that the '*' policy isn't followed for all directives. https://developer.apple.com/library/content/releasenotes/General/WhatsNewInSafari/Articles/Safari_10_0.html

score 0 · Answer 1 · edited May 23 '17 at 12:00

So, turns out it was a timing issue caused by a race condition between two pieces of code. The network connection time in Cupertino was in a window that could only be reproduced using the Apple Network Link Conditioner.

One piece of code in a Javascript promise was trying to start a session before the credentials had been entered, then knocking out the session created by the other dialog.

Content Security Policy with Apple App Test, ionic and pouchDB

1 Answers1