Eri*_*sma 9 security webkit ios cordova content-security-policy
So I made a PhoneGap app that uses socket.io to do things.
I have the following Content Security Policy (CSP):
<meta http-equiv="Content-Security-Policy" content="
default-src * data: blob: ws: wss:;
style-src * 'unsafe-inline';
script-src * 'unsafe-inline' 'unsafe-eval';
connect-src * ws: wss:;">
When I launch the app on Safari/iOS, I get the following error:
Refused to connect to ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket&sid=xTaMJwP3rVy3UnIBAAAi
because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.
and:
SecurityError (DOM Exception 18): The operation is insecure.
The same app with the same CSP works fine on Chrome/Android, but not on Safari/iOS.
I think it has something to do with this:
Refined Content Security Policy (WebKit)
This seems to come up a lot:
Why does it say "Refused to connect to" a URL starting with ws: "because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy", even though both of them are mentioned?
Okay, Safari/iOS is stricter than Chrome/Android, all fine, but it still needs to let me allow the connection through. This is really frustrating for an app developer! Solutions?
EDIT: bug report on bugs.webkit.org: https://bugs.webkit.org/show_bug.cgi?id=165754
Eri*_*sma 15
Okay, so this is a bit stupid, but fine, I'll leave this answer up so that people in the future can find it without having to deal with this problem.
What I did wrong was:
I had the following head:
<head>
<meta charset="utf-8" />
<!--<meta http-equiv="Content-Security-Policy"
content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />-->
<meta http-equiv="Content-Security-Policy" content="
default-src * data: blob: ws: wss: gap://ready file://*;
style-src * 'unsafe-inline';
script-src * 'unsafe-inline' 'unsafe-eval';
connect-src * ws: wss:;">
<meta name="format-detection" content="telephone=no" />
<meta name="msapplication-tap-highlight" content="no" />
<meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" />
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src"/>
<link rel="stylesheet" type="text/css" href="css/reset.css" />
<link rel="stylesheet" type="text/css" href="css/index.css" />
<title>Kerst app!</title>
</head>
And I didn't notice that I had the "Content-Security-Policy" meta tag twice,
I know, right? The duplicate caused iOS to take only the stricter, latest version. Removed the duplicate and it worked the first time.
Finally, the core code:
<head>
<meta charset="utf-8" />
<!--<meta http-equiv="Content-Security-Policy"
content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />-->
<meta http-equiv="Content-Security-Policy" content="
default-src * data: blob: ws: wss: gap://ready file://*;
style-src * 'unsafe-inline';
script-src * 'unsafe-inline' 'unsafe-eval';
connect-src * ws: wss:;">
<meta name="format-detection" content="telephone=no" />
<meta name="msapplication-tap-highlight" content="no" />
<meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" />
<link rel="stylesheet" type="text/css" href="css/reset.css" />
<link rel="stylesheet" type="text/css" href="css/index.css" />
<title>Kerst app!</title>
</head>
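To make the failure mode in this answer checkable, here is an added example (not code from the original post or from Cordova) that scans an HTML head for every live CSP meta tag, parses the directives, and reports which policies would block a given connect target. It follows the CSP Level 3 matching rules for `*` and scheme sources, matches host sources only as exact origins, and assumes the page is served from `file:` unless told otherwise; the sample head and URL are constructed from the two tags shown above.

```javascript
// Added example, not from the original post: audit an HTML <head> for
// Content-Security-Policy <meta> tags. Browsers enforce every policy they
// receive, so a forgotten second tag can block what the first one allows.
const CSP_META_RE =
  /<meta\s+http-equiv=(["'])Content-Security-Policy\1\s+content=(["'])([\s\S]*?)\2/gi;

// Content of each live CSP meta tag; commented-out tags are ignored.
function extractPolicies(html) {
  const live = html.replace(/<!--[\s\S]*?-->/g, '');
  return [...live.matchAll(CSP_META_RE)].map(m => m[3].trim());
}

// "default-src * ws:; connect-src *" -> { 'default-src': ['*', 'ws:'], 'connect-src': ['*'] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// One policy's verdict: connect-src falls back to default-src; with neither present, unrestricted.
function policyAllowsConnect(directives, url, originScheme) {
  const sources = directives['connect-src'] ?? directives['default-src'];
  if (sources === undefined) return true;
  const target = new URL(url);
  return sources.some(src => {
    // CSP3: '*' matches http(s) URLs and URLs sharing the page's own scheme.
    if (src === '*') return /^https?:$/.test(target.protocol) || target.protocol === originScheme;
    // Scheme-source such as "ws:" or "wss:".
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === target.protocol;
    // Host-source, simplified to an exact origin comparison (no wildcard hosts).
    return src.replace(/\/+$/, '').toLowerCase() === target.origin.toLowerCase();
  });
}

// Count the policies on the page and list those that would block `url`.
// originScheme 'file:' is an assumption: Cordova/PhoneGap pages load from the app bundle.
function auditConnect(html, url, originScheme = 'file:') {
  const policies = extractPolicies(html);
  const blockedBy = policies.filter(p => !policyAllowsConnect(parsePolicy(p), url, originScheme));
  return { policyCount: policies.length, duplicate: policies.length > 1, blockedBy };
}

// Constructed sample: the two live CSP tags from the broken <head> above.
const SAMPLE_HEAD = `<head>
<meta http-equiv="Content-Security-Policy" content="
default-src * data: blob: ws: wss: gap://ready file://*; connect-src * ws: wss:;">
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src"/>
</head>`;
const SAMPLE_URL = 'ws://10.0.1.63:3000/socket.io/?EIO=3&transport=websocket';
console.log(auditConnect(SAMPLE_HEAD, SAMPLE_URL));
```

Run under Node, the audit reports two policies and names the second one as the blocker; dropping the duplicate tag leaves a single policy that permits the WebSocket connection.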