Content Security Policy causing problems on iPhone
Hi all, I have created an app and I am having trouble with the Content Security Policy. When testing, everything works fine on Android; however, on iOS I get the following error.
Origin null is not allowed by Access-Control-Allow-Origin.
XMLHttpRequest cannot load https://webaddress.org.uk/location/login.php due to access control checks.
Failed to load resource: Origin null is not allowed by Access-Control-Allow-Origin.
This is the relevant code. I am really baffled here.
I have the following in my HTML file:
<meta http-equiv="Content-Security-Policy"
      content="default-src * data: cdvfile: gap:;
               style-src 'self' https://webaddress.org.uk/*
                         https://locations.webaddress.org.uk/*;
               script-src 'self' https://webaddress.org.uk/*
                          https://locations.webaddress.org.uk/* 'unsafe-inline' 'unsafe-eval'">
and the following in my config.xml file:
<content src="index.html" />
<access origin="*" />
<allow-intent href="http://thepod.org.uk/*" />
<allow-intent href="https://thepod.org.uk/*" />
<allow-intent href="http://locations.thepod.org.uk/*" />
<allow-intent href="https://locations.thepod.org.uk/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
    <allow-intent href="market:*" />
</platform>
<platform name="ios">
    <allow-intent href="itms:*" />
    <allow-intent href="itms-apps:*" />
</platform>
I am using cordova-plugin-whitelist.
That isn't a content security issue, it's a CORS issue (two independent browser security features).
CORS is a backend server configuration thing. If you're hitting an external server, then you must configure the server to respond to the request with the appropriate headers. I have a blog post that goes into more detail.
If you're hitting a local endpoint, such as attempting to load an Angular template for example, then you must either enable schemes[1] or use an XHR fix plugin[2].
[1] Schemes were introduced as part of the UIWebView to WKWebView migration: https://cordova.apache.org/howto/2020/07/18/uiwebview-warning.html
OR
[2] https://github.com/oracle/cordova-plugin-wkwebview-file-xhr
Since this isn't a bug, I'll be closing this issue. If you require more assistance, our Slack community can help you out.
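The server-side configuration described in the reply above, sketched as an added example (not code from this issue, the linked blog post or Cordova): a CORS decision function that echoes only allowlisted origins and never accepts `Origin: null`. The function name, the sample requests and the two allowlisted origins are assumptions; the origins depend on the scheme and hostname the app is configured with.

```javascript
// Origins the API will answer to. ASSUMPTIONS (not from the issue):
// "app://localhost" is what WKWebView sends once config.xml sets a custom
// scheme "app" and hostname "localhost"; "https://localhost" is the Android
// WebView origin.
const ALLOWED_ORIGINS = new Set(['app://localhost', 'https://localhost']);

// Hypothetical helper: decide the CORS headers for one request.
// status is set only when the request should be answered immediately.
function corsDecision(method, origin) {
  const headers = { Vary: 'Origin' }; // caches must not reuse across origins
  // "null" is sent by file://, data: and sandboxed frames alike, so it
  // identifies no one. Reject it instead of allowlisting it.
  const allowed = typeof origin === 'string' && origin !== 'null' &&
    ALLOWED_ORIGINS.has(origin);
  if (!allowed) {
    // No Access-Control-Allow-Origin: the browser blocks the response,
    // which is the error quoted in the issue.
    return { allowed, status: method === 'OPTIONS' ? 403 : null, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin; // exact origin, not "*"
  if (method === 'OPTIONS') { // preflight
    headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
    return { allowed, status: 204, headers };
  }
  return { allowed, status: null, headers };
}

// Constructed sample requests: [method, Origin header value].
const SAMPLE_REQUESTS = [
  ['POST', 'null'],               // iOS app loaded from file://
  ['OPTIONS', 'app://localhost'], // iOS app after enabling a scheme
  ['POST', 'https://localhost'],
  ['OPTIONS', 'https://unlisted.example'],
];
for (const [method, origin] of SAMPLE_REQUESTS) {
  const d = corsDecision(method, origin);
  console.log(method, origin, '->', d.allowed ? 'allowed' : 'blocked',
    d.headers['Access-Control-Allow-Origin'] || '(no ACAO header)');
}
```

CORS only controls whether the browser lets the page read the response; a non-preflighted request from an unlisted origin still reaches the endpoint, so the login handler must authenticate and validate on its own.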