Re: CSP question

2015-05-27 Thread Raymond Camden
On Tue, May 26, 2015 at 7:12 PM, Steven Gill wrote: > Thanks for the blog post Ray! Link for the lazy > http://www.raymondcamden.com/2015/05/25/important-information-about-cordova-5 Thanks - I was the lazy one for forgetting to post it back here. ;) -- ==

Re: CSP question

2015-05-26 Thread Steven Gill
Nice tips Kerri! Thanks for the blog post Ray! Link for the lazy http://www.raymondcamden.com/2015/05/25/important-information-about-cordova-5 On Sun, May 24, 2015 at 5:36 PM, Raymond Camden wrote: > No worries - I appreciate the MDN link though - certainly better than > the old HTML5 rocks arti

Re: CSP question

2015-05-24 Thread Raymond Camden
No worries - I appreciate the MDN link though - certainly better than the old HTML5 rocks article. I'm blogging on the CSP changes (I had misunderstood them) based on conversations I had with Nic Raboy over on his blog post on the topic. Will post back here so folks can tell me if I screwed up. ;)

Re: CSP question

2015-05-24 Thread Kerri Shotts
That’s what I get for making assumptions on other parts of the syntax. ;-) Wildcards just don’t automatically apply everywhere (sigh), even if they look like they could. Bad brain, bad brain! More coffee needed! On May 24, 2015 at 7:31:08 PM, Kerri Shotts (kerrisho...@gmail.com) wrote: My bad

Re: CSP question

2015-05-24 Thread Kerri Shotts
My bad! Clearly I glitched on that. You can wildcard subdomains and ports, but not url schemes: http://www.w3.org/TR/CSP/#source-list-syntax I’m going to blame my headache for that one! ;-) On May 24, 2015 at 7:22:44 PM, Raymond Camden (raymondcam...@gmail.com) wrote: Shoot, no, that doesn'

Re: CSP question

2015-05-24 Thread Raymond Camden
Shoot, no, that doesn't work either. It gives: The source list for Content Security Policy directive 'script-src' contains an invalid source: '*://code.jquery.com'. It will be ignored. On Sun, May 24, 2015 at 6:51 PM, Kerri Shotts wrote: > Ray, > > According to > https://developer.mozilla.org/e

Re: CSP question

2015-05-24 Thread Kerri Shotts
Ray, According to https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives, if you omit the URL scheme, the one the page is using is assumed. So if you’re loading off file://, then your CSP will assume that URLs without schemes will also be coming from file://. Which is
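An added example, not code from this thread: a small Python checker for CSP Level 1 source expressions that implements the two rules discussed above, Kerri's point that a scheme-less source inherits the page's scheme (file:// in a Cordova webview) and her correction that a wildcard may stand in for a subdomain label or a port but not for the scheme, so '*://code.jquery.com' is dropped with a warning like the one Ray saw. The warning wording and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Minimal model of CSP Level 1 source-list syntax
# (http://www.w3.org/TR/CSP/#source-list-syntax); assumption: keyword list is CSP1 only.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"             # optional scheme; '*' is NOT allowed here
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"  # '*' or '*.host' subdomain wildcard
    r"(?::(?P<port>\*|\d+))?$", re.I)                     # optional port, '*' allowed
DEFAULT_PORTS = {"http": "80", "https": "443"}

def parse_source(expr):
    """Return a dict for a valid source expression, or None if a browser would ignore it."""
    if expr in KEYWORDS:
        return {"keyword": expr}
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", expr, re.I):   # scheme-source such as "https:"
        return {"scheme": expr[:-1].lower()}
    m = HOST_SOURCE.match(expr)
    return m.groupdict() if m else None

def check_directive(name, value):
    """Split a directive value; return (kept sources, warnings for ignored ones)."""
    kept, warnings = [], []
    for expr in value.split():
        if parse_source(expr) is None:   # wording modelled on the console message quoted in the thread
            warnings.append(f"The source list for Content Security Policy directive '{name}' "
                            f"contains an invalid source: '{expr}'. It will be ignored.")
        else:
            kept.append(expr)
    return kept, warnings

def host_matches(expr, url, page_scheme):
    """Does host-source expr allow url? A source with no scheme inherits the page's scheme."""
    src = parse_source(expr)
    if not src or "host" not in src:
        return False
    u = urlsplit(url)
    scheme = (src["scheme"] or page_scheme).lower()
    if u.scheme.lower() != scheme:
        return False
    host, want = (u.hostname or "").lower(), src["host"].lower()
    if want == "*":
        host_ok = True
    elif want.startswith("*."):
        host_ok = host.endswith(want[1:])        # subdomains only, not the bare domain itself
    else:
        host_ok = host == want
    port = str(u.port) if u.port else DEFAULT_PORTS.get(scheme, "")
    want_port = src["port"] or DEFAULT_PORTS.get(scheme, "")
    return host_ok and (want_port == "*" or port == want_port)
```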

CSP question

2015-05-24 Thread Raymond Camden
According to the HTML5 Rocks article on CSP (http://www.html5rocks.com/en/tutorials/security/content-security-policy/) you can specify just the host portion. So I tried this to load jQuery (which, I wouldn't do normally, I'd host it locally): https://ssl.gstatic.com 'unsafe-eval'; style-src 'self'