I'm bulding an app with cordova. I'm using phonegap serve to load the app with phonegap developer app.
In index.html:
<meta http-equiv="Content-Security-Policy" content="default-src gap: file: tel: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">
(I've also tried without file: tel:, result is the same)
I can verify that this is prepared correctly in platforms/browser/www/index.html
Then I open phonegap app in iPad, I run phonegap serve, I open Safari development tools, press connect and there it is:
Refused to load gap://ready because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
In index.html I can see that the directive has been transformed to:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'">
Is there a way to make ipad to load the directive correctly?
EDIT
I've also tried to compile phonegap app developer with CSP directive in index.html, result is the same
EDIT - 1
I've also downloaded the zip file from http://192.168.1.130:3200/__api__/appzip (this is where I have my phonegap serve server) and index.html is already transformed!
The strange here is that platforms/browser/www/index.html is not transformed, so there is some process in-between that is transforming the CSP.
In my config.xml I've this directives:
<content src="index.html" />
<access origin="*" />
<access origin="cdvfile://*" />
<access launch-external="yes" origin="tel:*" />
<!-- Allowed WebView navigations -->
<allow-navigation href="http://*"/>
<allow-navigation href="https://*"/>
<allow-navigation href="http://*/*"/>
<allow-navigation href="https://*/*"/>
<allow-navigation href="data:*"/>
<allow-navigation href="about:*"/>
<allow-navigation href="tel:*"/>
<allow-navigation href="gap:*" />
<!-- Allowed URLs to be opened from the app -->
<allow-intent href="http://*"/>
<allow-intent href="https://*"/>
<allow-intent href="http://*/*"/>
<allow-intent href="https://*/*"/>
<allow-intent href="geo:*"/>
<allow-intent href="cdvfile://*" />
It was related to this issue: https://github.com/creationix/nvm/issues/1361
Mainly, bash was detecting that v6.4.2 and pointing to it (
which phonegapwas pointing to correct version) but when executingphonegapfrom command line, it was executing v6.0.2, which probably was not setting up the correct CSP.