I have a PhoneGap application that was working properly until last Friday, when it stopped being accepted in the Apple store, with the following message:
This app attempts to access privacy-sensitive data without a usage description. The app's Info.plist must contain an NSPhotoLibraryUsageDescription key with a string value explaining to the user how the app uses this data.
This app attempts to access privacy-sensitive data without a usage description. The app's Info.plist must contain an NSBluetoothPeripheralUsageDescription key with a string value explaining to the user how the app uses this data.
This app attempts to access privacy-sensitive data without a usage description. The app's Info.plist must contain an NSMicrophoneUsageDescription key with a string value explaining to the user how the app uses this data.
To correct this issue, after some research, I came to the following solution, which is to add some Cordova plugins in my config.xml file:
<plugin name="cordova-plugin-media-capture" source="npm" spec="1.4.0">
<variable name="MICROPHONE_USAGE_DESCRIPTION" value="App would like to access your microphone." />
<variable name="CAMERA_USAGE_DESCRIPTION" value="App would like to access the camera." />
<variable name="PHOTOLIBRARY_USAGE_DESCRIPTION" value="App would like to access the library." />
</plugin>
<plugin name="cordova-plugin-ios-ble-permissions" source="npm" spec="*">
<variable name="BLUETOOTH_USAGE_DESCRIPTION" value="App would like to access your bluetooth." />
</plugin>
This solved the problem in the Apple store, and I confirmed that the Info.plist file has all these variables there.
But now the app freezes/crashes on, and only on, iOS 10 devices.
I'm asking for some guidance/help to identify what the source of this problem could be.
Thank you all in advance.
EDIT:
Finally I was able to debug the app remotely and found some errors like this:
[Error] Refused to load data:text/javascript;charset=utf-(...)-app-shell.html-170.js%0A because it does not appear in the script-src directive of the Content Security Policy
My current meta tag has these values:
<meta http-equiv="Content-Security-Policy" content="default-src gap://ready file://* *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; img-src 'self' data: blob: *; media-src 'self' mediastream: blob:; connect-src * blob:">
and whitelist configuration:
<plugin name="cordova-plugin-whitelist" spec="1.3.1"/>
<access origin="*"/>
<allow-navigation href="*"/>
<allow-intent href="http://*/*"/>
<allow-intent href="https://*/*"/>
<allow-intent href="tel:*"/>
<allow-intent href="sms:*"/>
<allow-intent href="mailto:*"/>
<allow-intent href="geo:*"/>
Any tip on what I'm doing wrong?
It might be caused by Content-Security-Policy.
Try adding default-src gap: in the <meta> tag.
e.g.:
<head>
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' gap: wss: ws:; font-src * data:; img-src * data:; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'">
</head>
ref:
"No Content-Security-Policy meta tag found." error in my phonegap application
Solved it!
In the meta tag instead of:
script-src 'self' 'unsafe-inline' 'unsafe-eval' *
I added:
script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *;
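Why the wildcard did not cover the blocked script, as an added example (not code from the posts above): a simplified model of CSP source matching in which `*` covers only http(s)/ws(s) URLs, so a `data:` script needs an explicit `data:` source. It goes slightly further than the case above by also modelling directive fallback to default-src; the function names, the sample `data:` URL and the page origin are constructed for illustration.

```javascript
// Simplified model of CSP source-list matching (no host wildcards, ports or paths).
const FALLBACK = {
  script: ["script-src-elem", "script-src", "default-src"],
  style: ["style-src-elem", "style-src", "default-src"],
  img: ["img-src", "default-src"],
  font: ["font-src", "default-src"],
  frame: ["frame-src", "child-src", "default-src"],
};

// Parse "name v1 v2; name2 v3" into a Map; a repeated directive is ignored.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression allow this URL? pageOrigin is what 'self' resolves to.
function sourceMatches(expr, url, pageOrigin) {
  const scheme = url.protocol; // e.g. "data:" or "https:"
  if (expr === "*") return ["http:", "https:", "ws:", "wss:"].includes(scheme);
  if (expr === "'self'") return url.origin !== "null" && url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === scheme;
  if (expr.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  try {
    const origin = new URL(expr).origin; // host-source compared by origin only
    return origin !== "null" && origin === url.origin;
  } catch { return false; }
}

// Returns { allowed, directive }: directive is the one that decided, or null if none applies.
function checkLoad(policyText, kind, resourceUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  const url = new URL(resourceUrl);
  const directive = FALLBACK[kind].find((d) => policy.has(d)) || null;
  if (!directive) return { allowed: true, directive };
  const allowed = policy.get(directive).some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, directive };
}

// Constructed sample input: a data: script and a file:// page (opaque origin "null").
const PAGE_ORIGIN = "null";
const DATA_SCRIPT = "data:text/javascript;charset=utf-8,console.log(1)";
const BEFORE = "script-src 'self' 'unsafe-inline' 'unsafe-eval' *";
const AFTER = "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *";
console.log(checkLoad(BEFORE, "script", DATA_SCRIPT, PAGE_ORIGIN));
console.log(checkLoad(AFTER, "script", DATA_SCRIPT, PAGE_ORIGIN));
```

Listing `data:` in script-src allows any data: URL to execute as script, so it widens the policy beyond the single loader that needed it.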
I'm getting a bunch of Content Security Policy errors in the Electron developer console after adding a Google font:
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Inter:wght#300;400&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data:". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
I'm using electron-forge's React with TypeScript boilerplate.
Easiest way would probably be to set a Content-Security-Policy meta tag in the header of your template like this:
<head>
<meta charset="UTF-8">
<!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self';
script-src 'self';
font-src 'self' https://fonts.gstatic.com;
style-src 'self' https://fonts.googleapis.com">
<!-- ...other stuff... -->
</head>
Guide on how to use these is here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies
I'm currently in my first hours of Electron myself, without React for now, and that's how I got around it, and I think that's how you're supposed to do it.
I'm new to Ionic development, and have been facing some problems with InAppBrowser.
My app is supposed to be a WebView running in InAppBrowser. The target that I'm providing is "_blank" because I need the events to detect when a PDF URL is going to be opened, so I can open that URL with browserTabs. It works fine on Android.
But I can't make it work on iOS: when I set the target to "_blank", I get a white screen. It only works with the target set to "_self", but from what I could see the events don't work with "_self".
I've tried adding these tags to my config.xml:
<allow-intent href="*" />
<allow-navigation href="*" />
<access origin="*" />
I've tried adding the CSP to my index.html:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
None of these tags worked.
So, if anyone can shed some light on what I could do, I would be very thankful.
Edit 1: Code:
browserOptions: string = "location=no,beforeload=yes,toolbar=no";
openInAppBrowser(urlToOpen: string) {
  this.browser = this._inAppBrowser.create(urlToOpen, '_blank', this.browserOptions);
  this.browser.on("beforeload").subscribe(event => {
    if (event.url.match("/report") || event.url.indexOf("/relatorio") > 0) {
      this._browserTab.isAvailable()
        .then(isAvailable => {
          if (isAvailable) {
            this._browserTab.openUrl(event.url);
          }
        });
    }
  });
}
I'm trying to display a Facebook profile picture in my app, but it doesn't work...
I am using the latest version of Cordova on iOS. When I inspect with weinre, I have the correct URL, and I can see the picture on my PC but not in the app.
I have the cordova-plugin-whitelist with:
<access origin="*" />
And I have tried with and without this meta:
<meta http-equiv="Content-Security-Policy" content="default-src * gap: ws: https://ssl.gstatic.com;img-src 'self' data: content:;style-src 'self' 'unsafe-inline' data: blob:;script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;">
But nothing works. Tell me if you need more information.
Thanks for your help, and excuse my English.
Edit:
Example of URL for img: https://scontent.xx.fbcdn.net/v/t1.0-1/c15.0.50.50/p50x50/10354686_10150004552801856_220367501106153455_n.jpg?oh=978df650af5b925f321fe4050af2869f&oe=5911542F
My HTML code for the img:
<img src="https://scontent.xx.fbcdn.net/v/t1.0-1/c15.0.50.50/p50x50/10354686_10150004552801856_220367501106153455_n.jpg?oh=978df650af5b925f321fe4050af2869f&oe=5911542F">
I'll answer my own question:
It never works when I test in the PhoneGap app (on iPhone), but if I install my app (on iPhone) it works without this meta:
<meta http-equiv="Content-Security-Policy" content="default-src * gap: ws: https://ssl.gstatic.com;img-src 'self' data: content:;style-src 'self' 'unsafe-inline' data: blob:;script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;">
But if I put this meta in, it doesn't work.
Does anyone have a way to make it work in the PhoneGap app?
I tried this way:
<div id="contenedor">
</div>
</body>
<script>
$('<iframe src="http://XXXXX.org/" height="100%" width="100%" frameborder="0"></iframe>').appendTo('#contenedor');
</script>
Or this way:
<body>
<div id="contenedor">
<iframe src="http://XXXXX.org/" style="width:100%; height:100%;">
</div>
</body>
Both work perfectly on Android but not on iOS. I'm using PhoneGap Desktop 4.2.
I read all the posts about it here and changed config.xml many, many times according to the answers, but nothing works on iOS.
Like:
<access origin="*"/>
<allow-intent href="http://*/*"/>
I changed this line too, according to another post, but it doesn't work either.
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *; " />
I'm super stuck because it works on Android but not on iOS.
In a Cordova app that I am working on there is an iframe. The problem is that when testing the app (both simulator and on device) the iframe is blank. On Android the iframe works perfectly however.
The iframe is loaded dynamically in an Angular directive.
Within the directive link function the following code is used to load and append the iframe to the directive's element:
var iframe = angular.element('<iframe class="widget" width="' + widgetWidth + '" height="' + widgetHeight + '"></iframe>');
iframe.attr('src', url);
element.append(iframe);
I have also tried using something along the following lines:
var iframe = document.createElement('iframe');
iframe.src = url;
This results in something like the following (using Safari Web Inspector):
<iframe class="widget" width="384" height="505" src="http://hostname/correct/uri"></iframe>
In my index.html file I have the following set:
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-eval'; connect-src * 'unsafe-eval'; object-src 'self'; style-src * 'unsafe-inline';">
I also have the following lines in my cordova config.xml:
<access origin="*" subdomains="true" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
There are also no errors or warnings in Safari Web Inspector.
So my question is: is there some trickery to get iframes to work in Cordova iOS apps that I am missing? Or what is wrong with my current config/code?
I am using AngularJS 1.5.3 and have jQuery 2.2.1 (loaded before AngularJS) in case that helps.
The problem was the allow-navigation tag. So to solve it I only had to put the <allow-navigation href="*" /> tag into the project's config.xml file.
I came to the solution through the output box in Xcode while the simulator was running. There was a message containing the URL of the iframe in question and something about "internal navigation rejected".
Have you tried setting child-src and/or frame-ancestors in the Content-Security-Policy meta tag? These may need setting to * also or something more restrictive like just the iframe source URL(s) you are using.
There's information about this at content-security-policy.com
Example based on your content security policy:
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-eval'; child-src *; connect-src * 'unsafe-eval'; object-src 'self'; style-src * 'unsafe-inline';">