Apache Cordova App allow external scripts

Question:

I am currently building an Apache Cordova mobile app through Visual Studio and have run into the problem of trying to run widgets through external scripts in my app. These scripts run fine in the browser simulator, but once I try to run them on an Apple device, the scripts do not load. I have researched this problem and found that it usually has something to do with the content security policy, which I have attached below to help figure out the problem.

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; img-src 'self' * 'unsafe-inline' 'unsafe-eval'" />

What else could possibly be the problem as to why these widgets are not loading in my app? These are the scripts I am attempting to load inside of my app for your reference as well.

<script type="text/javascript" src="https://rf.revolvermaps.com/0/0/8.js?i=5tfq2n8w5rc&amp;m=0c&amp;c=cbb677&amp;cr1=ffffff&amp;f=calibri&amp;l=0&amp;cw=ffffff&amp;cb=450084" async="async"></script>
<script type="text/javascript" src="https://rf.revolvermaps.com/0/0/0.js?i=5gbey55pbu3&amp;d=2&amp;p=1&amp;b=1&amp;w=293&amp;g=1&amp;f=calibri&amp;fs=12&amp;r=0&amp;c0=362b05&amp;c1=450084&amp;c2=000000&amp;ic0=0&amp;ic1=0" async="async"></script>

Answer1:

Have you a whitelist for online resources?

A better approach would be to embed these resources. Loading online scripts is really insecure. The server could send JS and get access to your device through the Cordova API.

https://cordova.apache.org/docs/de/latest/guide/appdev/whitelist/
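
An added example, not part of the original answers: a small Node.js audit of the `script-src` in the question's policy, showing which sources leave script loading open to any host, next to a constructed policy pinned to the widget host. The function names and `PINNED_CSP` are assumptions made for illustration; whether the widgets run under the pinned policy is not tested here.

```javascript
// Added example: audit which script sources a CSP string permits.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // When a directive is repeated, only its first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") ?? d.get("default-src") ?? null;
}

// Findings for sources that do not restrict where script comes from.
function auditScriptSrc(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return ["no script-src or default-src: script loading is unrestricted"];
  const findings = [];
  for (const s of sources) {
    const v = s.toLowerCase();
    if (v === "*" || v === "http:" || v === "https:" || v.endsWith("://*")) {
      findings.push(`${s}: any remote host may serve script`);
    } else if (v === "'unsafe-inline'") {
      findings.push(`${s}: inline <script> blocks and event handlers run`);
    } else if (v === "'unsafe-eval'") {
      findings.push(`${s}: eval() and new Function() are allowed`);
    }
  }
  return findings;
}

// Policy copied from the question.
const QUESTION_CSP =
  "default-src *; style-src 'self' http://* 'unsafe-inline'; " +
  "script-src 'self' * 'unsafe-inline' 'unsafe-eval'; " +
  "img-src 'self' * 'unsafe-inline' 'unsafe-eval'";

// Constructed alternative (assumption): app bundle plus the one widget host.
const PINNED_CSP =
  "default-src 'self'; script-src 'self' https://rf.revolvermaps.com";

console.log(auditScriptSrc(QUESTION_CSP));
console.log(auditScriptSrc(PINNED_CSP));
```
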

Answer2:

Your src and href from the script and link tags should have a scheme (http or https); otherwise, when Cordova finds //, it will use its default scheme, file:.

Add http: or https: to all your script and link tags and then it should work.

Example:

<script type="text/javascript" src="http://rf.revolvermaps.com/0/0/8.js?i=5tfq2n8w5rc&amp;m=0c&amp;c=cbb677&amp;cr1=ffffff&amp;f=calibri&amp;l=0&amp;cw=ffffff&amp;cb=450084" async="async"></script>
