You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
144
+
The [**Content Security Policy (CSP)**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)`<meta>` tag is a very powerful mechanism that allows you to control trusted sources of content. You can restrict various content types and domains from which content can be loaded from. Unsafe and risky HTML and JavaScript can also be disabled to further increase the security of your app.
145
+
146
+
The CSP `<meta>` tag should be placed in your app's index.html file.
145
147
146
148
On Android and iOS, the network request allow list (see above) is not able to filter all types of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the allow list, you should use a [Content Security Policy](http://content-security-policy.com/)`<meta>` tag on all of your pages.
147
149
150
+
> **Note**: If your app has multiple HTML files and navigates between them using the browser's navigation features, you should include the CSP in each file. If your app is a single-page application, you only need to include the CSP on `index.html`.
As a fallback, all other network requests are restricted to:
169
+
170
+
* The same origin as the app itself (`'self'`).
171
+
* Resources loaded via `data:` URIs.
172
+
* Resources from the specified external domain `https://ssl.gstatic.com`.
173
+
* JavaScript methods such as `eval()` (and similar) are permitted with `'unsafe-eval'`.
174
+
175
+
**Style Source (`style-src`):**
176
+
177
+
* Styles can only be loaded from the same origin (`'self'`).
178
+
* Inline styles (`'unsafe-inline'`) are also allowed, meaning styles can be directly applied using the `style` attribute on elements or within `<style>` tags.
179
+
180
+
**Media Source (`media-src`):**
181
+
182
+
* Media can be loaded from any source.
183
+
184
+
**Image Source (`img-src`):**
185
+
186
+
* Images can only be loaded from the same origin (`'self'`).
187
+
* Allows loading images from `data:` URIs.
188
+
* Allows loading images from `content:` URIs, typically used within the Android ecosystem.
189
+
190
+
### Example Content Security Policy Declarations
191
+
148
192
Here are some example CSP declarations for your `.html` pages:
149
193
150
194
```html
@@ -159,7 +203,7 @@ Here are some example CSP declarations for your `.html` pages:
159
203
<!-- Allow everything but only from the same origin and foo.com -->
You should fully understand the CSP tag and the various directives that can be specified. More documentation is available at [Content Security Policy](https://web.dev/articles/csp) (via Google Developers) and Mozilla's [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) article.
220
+
221
+
> **Tip**: If you're using web sockets, include `ws:` (`wss:` if using SSL) in the `connect-src` directive.
222
+
223
+
### Debugging Content Security Policy
224
+
225
+
When adding a CSP to your app, it's likely you'll encounter some issues. Fortunately, both Google Chrome's Developer Tools and Safari's Web Inspector make it very clear when a CSP violation occurs. Watch the console for any violation messages, which are typically quite detailed, specifying exactly which resource was blocked and why. Address each violation as they appear to ensure your CSP is properly configured.
226
+
175
227
## Other Notes
176
228
177
229
[Application Transport Security (ATS)](https://developer.apple.com/library/prerelease/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33) is new in iOS 9 (Xcode 7). This new feature acts as an allow list for your app. Cordova CLI will automatically convert the `<access>` and `<allow-navigation>` tags to the appropriate ATS directives.
0 commit comments