Thanks for the reply. Yes, the CSP rules are defined by the page that is loaded, wherever that is. The thing is that the behavior when loading that page from a remote server is different from the behavior when loading the page locally, even though its the exact same page.
I have <access origin="*"> and CSP "default-src *". When i have a local content src i can do any cross origin XHR's. Then i change content src to a server where i serve the platform/www folder of my cordova project, and suddently the same XHR's are blocked. So the behaviour is different just from one varialbe changning; content src. On 22 May 2015 at 02:27, Jesse <purplecabb...@gmail.com> wrote: > This is the intended behavior. The csp rules are defined by the page that > is loaded, wherever it is. > Pointing content.src to a remote server basically means, ignore anything > that is in www/index.html. > > @purplecabbage > risingj.com > > On Thu, May 21, 2015 at 2:16 PM, Pär <p.majh...@gmail.com> wrote: > > > When using a remote content src like <content src=" > > http://remoteserver.com/app/index.html";> the CSP rules seems to be > > ignored; > > cross origin requests fail even with a "default-src *" CSP. Is this > > intended behaviour or a bug? > > >
