3

I have an existing open source messaging web application on Firefox/Chrome/Android Webview which has been broken by recent CSP 3 security changes.

It can be avoided on Firefox/Chrome by tweaking about:config security.fileuri.strict_origin_policy to false from default. However, I just noticed that Android 9 Webview apparently force this same behaviour making the Android application useless as it cannot load the Webworker networking part.

The application is split to UI and Webworker part where Webworker handles network traffic. All files are local js-files and new Webworker is loaded by main UI with relative file path. It loads other scripts with "importScripts". Everything has been working fine, the design is easy to maintain and the great thing is that application is fully local without the need to load anything over network (except the actual messages of course).

With recent browser version updates there has been a problem, though. Apparently new CSP security things force to not allow by default loading local Webworker scripts.

I tried to enable different CSP3 webworker-src options without success. Now I am afraid there isn't one available.

It would be enough that a relative file access to the scripts would be allowed with Webworker with CSP.

It looks like this now:

<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src * 'unsafe-inline'; media-src *; img-src 'self' data:; connect-src ws://*;" />

Webworker is loaded this way:

var webWorker = new Worker('mles-webworker/js/webworker.js');

And it loads the following script internally:

importScripts('cbor.js');

The problem is apparently essentially the same as described in Chrome can't load web worker except this has been now extended to Android Webview.

Maybe there is a CSP that I just cannot figure out? Something that allows locally open file at relative location to the main file.

It may be that I could just move the Webworker to be loaded from the server, but that is not a real solution as it is not maintainable really. Anything else I could try? Thanks!

jq-rs
  • 79
  • 1
  • 7

1 Answers1

1

In the end the problem was not in CSP. It was that Android 9 or greater needs specific android:usesCleartextTraffic="true" setting if WebSocket connection is run without TLS.

Moreover, the fileuri access can be enabled with Android WebView WebSettings. It was done by Cordova by default.

jq-rs
  • 79
  • 1
  • 7
  • was that the only setting you had to change? I already have that setting in my `config.xml` but I still see the problem. Also, what webview plugin and version are you using? I am using the [ionic webview plugin](https://github.com/ionic-team/cordova-plugin-ionic-webview) and I noticed that I don't have any CSP problems with workers when I'm on version 2.5.1. When I migrate to 4.x, the problem begins. – Uche Ozoemena May 05 '20 at 10:57