EDIT: I posted this question on my GitHub: https://github.com/OnsenUI/OnsenUI/issues/936
EDIT 2: Take care of this;)
(Sorry for my English, this is not my native language ;))
This is my first stackoverflow question. Until now, I had always found that someone else had the same problem as mine and got an answer.
But this time I can't find a solution, so either I am the first or I have missed something.
I am developing an application for Windows Phone and Android (at the moment) using cordova, onsenui (so angular) and jQuery (I do not think this last one causes problems here).
I decided that I would start using CSP correctly to get a more secure application.
I added <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://foo.com"> on the index.html page, for starters. I found that angular does a lot of unsafe things, and I found out about the ngCsp directive.
So now I have:
<html ng-app="app" ng-csp>
  <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://foo.com">
  <script src="lib/onsen-1.3.10/js/angular/angular.js"></script>
  <script src="lib/onsen-1.3.10/js/onsenui.js"></script>
  ...
</html>
I no longer get CSP errors regarding angular.js, but I keep getting some of them for onsenui.js (insecure-inline and insecure-evals). For now, the only solution I found is:
- to allow insecure-embedded in CSP
- to change a single line in onsenui.js that causes unsafe-eval:
In onsenui.js, I replaced the line 4888:
}(new Function("return this")()));
with:
}(function() {return this;}()));
So my question is: am I the only one who has this problem? Does anyone here use cordova, onsenui and CSP without any problems? I would prefer not to put unsafe-eval in the CSP metadata, and I would like to remove insecure-inline.
Sorry for this long post and thanks for your help! ;)
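Added example, not part of the original post or of the Onsen UI code: a small checker that reads a policy string like the one in the question's meta tag and reports whether scripts may use inline code or eval, plus an eval-free way to obtain the global object, which is the kind of replacement the question applies to the `new Function("return this")()` line. The policy strings in the test are constructed.

```javascript
// Parse "directive src src; directive src" into a Map of directive -> sources.
// As in browsers, the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Scripts are governed by script-src; when it is absent, default-src applies.
function effectiveScriptSources(policy) {
  const d = parseCsp(policy);
  return d.get('script-src') || d.get('default-src') || [];
}

// Report whether the policy lets scripts run inline or use eval-like constructs
// (new Function, eval, string timers). Both are what the question wants to avoid.
function scriptPolicyReport(policy) {
  const sources = effectiveScriptSources(policy);
  return {
    allowsInline: sources.includes("'unsafe-inline'"),
    allowsEval: sources.includes("'unsafe-eval'"),
  };
}

// Obtain the global object without compiling code from a string, so it works
// under a policy that omits 'unsafe-eval'. Falls back through the usual names.
function globalObject() {
  if (typeof globalThis !== 'undefined') return globalThis;
  if (typeof self !== 'undefined') return self;     // browsers and web workers
  if (typeof window !== 'undefined') return window; // older browsers
  if (typeof global !== 'undefined') return global; // older Node.js
  throw new Error('unable to locate the global object');
}
```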