"No Content-Security-Policy meta tag found." error in my phonegap application

After updating to Cordova 5.0 on my system, I created a new application. When I test my application on a device, I get this error in the console log:

No Content-Security-Policy meta tag found.
Please add one when using the Cordova-plugin-whitelist plugin.: 23.

I added the meta tag in the head section:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'>

But I got the same error again. In the application I use the in-app browser plugin and 7 links to other websites.

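After adding cordova-plugin-whitelist, you must tell your application to allow access to all web page links, or to specific links if you want to keep it specific.

You can simply add this to your config.xml, which can be found in your application's root directory:

Recommended in the documentation: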

<allow-navigation href="http://example.com/*" />

or:

<allow-navigation href="http://*/*" />

From the plugin's documentation:

Navigation Whitelist

Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only.

Quirks: on Android it also applies to iframes for non-http(s) schemes.

By default, navigations only to file:// URLs, are allowed. To allow other URLs, you must add tags to your config.xml:

<!-- Allow links to example.com -->
<allow-navigation href="http://example.com/*" />

<!-- Wildcards are allowed for the protocol, as a prefix
     to the host, or as a suffix to the path -->
<allow-navigation href="*://*.example.com/*" />

<!-- A wildcard can be used to whitelist the entire network,
     over HTTP and HTTPS.
     *NOT RECOMMENDED* -->
<allow-navigation href="*" />

<!-- The above is equivalent to these three declarations -->
<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />
<allow-navigation href="data:*" />

You have to add a CSP meta tag in the head section of your app's index.html

As per https://github.com/apache/cordova-plugin-whitelist#content-security-policy

Content Security Policy

Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).

On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. <video> & WebSockets are not blocked). So, in addition to the whitelist, you should use a Content Security Policy <meta> tag on all of your pages.

On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).

Here are some example CSP declarations for your .html pages:

<!-- Good default declaration:
    * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
    * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
    * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
        * Enable inline JS: add 'unsafe-inline' to default-src
        * Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">

<!-- Allow requests to foo.com -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">

<!-- Enable all requests, inline styles, and eval() -->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

<!-- Allow XHRs via https only -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">

<!-- Allow iframe to https://cordova.apache.org/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">

There are errors in your meta tag.

Yours:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'>

Corrected:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"/>

Note the colon after "script-src" and the closing double quote of the meta tag.
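
The two mistakes pointed out in this answer (the colon after script-src and the missing closing double quote) can be caught mechanically. The JavaScript below is an added example, not part of the original answer or of the Cordova project; the function name lintCspMeta and its message strings are assumptions made for illustration, and the sample tags are the ones quoted on this page.

```javascript
// Added example: lint a CSP <meta> tag for the mistakes discussed above.
// lintCspMeta and its messages are hypothetical, not a Cordova or browser API.
const RISKY = ["'unsafe-inline'", "'unsafe-eval'", "*"];

// The question's tag (colon after script-src, content attribute never closed).
const BROKEN = `<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'>`;
// The corrected tag from the answer.
const FIXED = `<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"/>`;

function lintCspMeta(tag) {
  // The content attribute must be opened and closed with a double quote.
  const m = /\bcontent\s*=\s*"([^"]*)"/i.exec(tag);
  if (!m) return ["error: content attribute has no closing double quote"];

  const findings = [];
  const seen = new Set();
  for (const raw of m[1].split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, e.g. trailing ';'
    const name = tokens[0].toLowerCase();
    if (!/^[a-z0-9-]+$/.test(name)) {
      // "script-src:" is not recognised as script-src, so it has no effect
      // and script loads fall back to default-src.
      findings.push(`error: invalid directive name "${tokens[0]}"`);
      continue;
    }
    // Only the first occurrence of a directive is honoured.
    if (seen.has(name)) findings.push(`warn: duplicate ${name} is ignored`);
    seen.add(name);
    if (name === "script-src" || name === "default-src") {
      for (const source of tokens.slice(1)) {
        if (RISKY.includes(source)) findings.push(`warn: ${name} allows ${source}`);
      }
    }
  }
  return findings;
}

console.log(lintCspMeta(BROKEN));
console.log(lintCspMeta(FIXED));
```

The corrected tag parses cleanly but still produces warnings, because it allows every origin, inline scripts and eval(), which the plugin documentation's "good default" declaration avoids.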

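For me, the problem was that I was using obsolete versions of the cordova android and ios platforms. So upgrading to android@5.1.1 and ios@4.0.1 solved it.

You can upgrade to these specific versions: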

cordova platforms rm android
cordova platforms add android@5.1.1
cordova platforms rm ios
cordova platforms add ios@4.0.1

For me, it was enough to reinstall the whitelist plugin:

cordova plugin remove cordova-plugin-whitelist

and then

cordova plugin add cordova-plugin-whitelist

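It seems that updating from previous versions of Cordova did not succeed.

There is another issue about connections. Some Android versions can connect but some cannot. So there is another solution

In AndroidManifest.xml: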

<application ... android:usesCleartextTraffic="true">
        ...
    </application>

Just add 'android:usesCleartextTraffic="true"'

The problem was finally solved.