whitelist plugin clarifications

  • Question
  • Updated 5 years ago
Hi;
So I would like to port to NPM and thus I need to use the whitelist plugin.
My app is a hybrid app which makes resource (xhr, img) requests to x.com, y.com and also uses JS to sometimes set window.location to x.com/someresource.
I currently use the * wildcard as follows in my config.xml:
<allow-navigation href="*" />
<allow-intent href="*" />
<access origin="*" />
This configuration makes the app work fine. My questions are as follows:
1. I did not add anything related to <meta http-equiv="Content-Security-Policy"> to my index.html and everything still works. So what exactly does CSP do, and when should I use it?
2. Which attribute should I add when setting window.location via JS? navigation/intent/origin? Some? All?
thanks
gkatz

Posted 5 years ago
Petra V., Champion
Read everything about CSP here:
http://content-security-policy.com/
gkatz
Thanks.
I just want to make sure it's not mandated...
Petra V., Champion
CSP is not required. It can be useful, though.
gkatz
What about my second question?
Should I put both allow-navigation and allow-intent on x.com?
Or did I misunderstand?
Petra V., Champion
allow-navigation controls navigation within the webview. allow-intent allows Android intents (which you apparently don't use).

Nicely documented, for instance with the whitelisting plugin:
https://github.com/apache/cordova-plu...
JesseMonroy650 (Volunteer), Champion
@gkatz,
I'm working on a blog post for whitelist and CSP.
It is both confusing and frustrating.
I've got raw notes on this.

One of the best articles I've found so far is from Raymond Camden

Raymond Camden posted some relevant information on this.
I began to check on this and look at the different permutations.

If you do not include the plugin and do not include the CSP, you have no access to anything.

If you do not include the plugin and do include the CSP, you have no access to anything.

If you include the plugin and a CSP, you have access to what CSP gives you access to.

If you include the plugin and do not include a CSP, your access falls back to the access tag in config.xml, which is probably * (i.e. everything allowed).
Simon Mac Donald adds about CSP and the mysterious gap: listed in the CSP:

The "gap:" is used as a protocol like "http:" for the iOS side to communicate from JS to native. Basically when Cordova iOS sees "gap:" it intercepts the request and uses it to do the bridging of the two layers. At least that is my understanding of it but it's been awhile since I dove into that area.
I hope to have my raw notes into something useful next week, maybe Monday.
Best of Luck
gkatz
That explains what I encountered... :)
Anders Borg
Didn't you get a JavaScript warning about adding the CSP meta? I did, but I didn't use allow-intent in config.xml.
JesseMonroy650 (Volunteer), Champion
ARGG.. yep, this is the frustrating part. See Raymond Camden's blog post, or the quote I have above. I wish it was that clear, but there are corner cases where none-of-the-above makes the most sense.

Best of Luck
Jesse
Anders Borg
I use the following:

<access origin="*" />
<allow-navigation href="*" />

and

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'">

Is allow-intent critical?
(Edited)
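As an added example that is not part of this thread: a small JavaScript evaluator for the subset of CSP source expressions that matter here, so the permissive meta policy above can be compared with a policy restricted to the asker's x.com / y.com origins plus the iOS gap: scheme from Jesse's quote. It assumes the webview page is served from https://app.example and ignores paths, ports, nonces and hashes.

```javascript
// Added example (not from the thread): evaluates a CSP directive against a
// URL for the subset of source expressions used here: '*', 'self', 'none',
// scheme sources (gap:, https:) and host sources with an optional "*." prefix.
// Paths, ports, nonces and hashes are not handled; a bare host matches any scheme.
const SELF_ORIGIN = "https://app.example"; // assumed origin of the webview page

// "default-src *; script-src * 'unsafe-inline'" -> { "default-src": ["*"], ... }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(src, url) {
  const u = new URL(url);
  // Per the CSP spec, * does not cover data:, blob: or filesystem: URLs.
  if (src === "*") return !["data:", "blob:", "filesystem:"].includes(u.protocol);
  if (src === "'none'") return false;
  if (src === "'self'") return u.origin === SELF_ORIGIN;
  if (src.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  if (host.startsWith("*.")) return u.hostname.endsWith(host.slice(1).toLowerCase());
  return u.hostname === host.toLowerCase();
}

// True if the policy lets `directive` (e.g. "script-src") load `url`.
// A directive absent from the policy falls back to default-src; if that is
// absent too, CSP imposes no restriction on that fetch.
function cspAllows(policy, directive, url) {
  const d = parsePolicy(policy);
  const sources = d[directive] || d["default-src"];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url));
}

// The meta policy posted above, and a tightened one for the asker's x.com / y.com.
const PERMISSIVE = "default-src *; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'";
const TIGHT = "default-src 'self' gap: https://x.com https://y.com; style-src 'self' 'unsafe-inline'";

for (const [name, policy] of [["permissive", PERMISSIVE], ["tight", TIGHT]]) {
  console.log(name, "script from a third party:", cspAllows(policy, "script-src", "https://third.example/a.js"));
  console.log(name, "xhr to x.com:", cspAllows(policy, "connect-src", "https://x.com/api"));
  console.log(name, "iOS bridge gap: URL:", cspAllows(policy, "connect-src", "gap://ready"));
}
```

With the permissive policy a script from any https host loads; the tightened policy still lets XHR and images reach x.com and y.com and keeps the gap: bridge, while blocking third-party scripts.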
Anders Borg
Just chrome://inspect
gkatz
Oh, you mean USB debugging?
I wonder if this warning will turn out to be something more restrictive in future webview versions... this could affect apps that choose not to use CSP.
Anders Borg
Yes.

I use chrome://inspect (and Safari's similar function) and ddms (monitor) for debugging. Some day I will learn how to debug via PGB :).

By the way, does Hydration work? Usually it's just shown "HI" and nothing more, so I've stayed away from it.
Anders Borg
I use Weinre now, and the way I have the app set up generates no warnings.
Anders Borg
Hydration works fine. Ignore the question.