EDIT : I've submitted the issue to their GitHub : https://github.com/OnsenUI/OnsenUI/issues/936
EDIT 2 : It's being taken care of ;)
(Sorry for my English, it's not my native language ;) )
This is my first question on stackoverflow. Until now, I've always found that someone else has had the same problem as me, and got an answer.
But this time, I can't seem to find a solution, so either I'm the first one, or I'm missing something.
I'm developing an app for Windows Phone and Android (for now), using cordova, onsenui (so angular), and jQuery (though I don't think this last one is causing trouble here).
I decided that I'll start using CSP the right way, to get a more secure app.
I've added <meta http-equiv="Content-Security-Policy" content="default-src 'self' http://foo.com">
in the index.html page, to start with.
I've found that angular does a lot of unsafe things, and I learned about the ngCsp directive.
So now I have :
<html ng-app="app" ng-csp>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' http://foo.com">
<script src="lib/onsen-1.3.10/js/angular/angular.js"></script>
<script src="lib/onsen-1.3.10/js/onsenui.js"></script>
...
</html>
I don't get any more CSP errors about angular.js, but I keep getting some for onsenui.js (unsafe-inline and unsafe-eval). For now, the only solution I've found is :
- to allow unsafe-inline in CSP
- to arrange the only line in onsenui.js that causes an unsafe-eval :
In onsenui.js, I've replaced line 4888 :
}(new Function("return this")()));
by :
}(function() {return this;}()));
So my question is : am I the only one out there having this problem ? Is someone here using cordova, onsenui, and CSP without any problem ? I'd rather not put 'unsafe-eval' in the CSP meta, and I'd like to remove the 'unsafe-inline'.
Sorry for this long post, and thank you for your help ! ;)
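An added example in JavaScript, not from the question or from Onsen UI: a small checker that tells whether a CSP string like the one in the question allows 'unsafe-eval' or 'unsafe-inline' for scripts (script-src falling back to default-src), together with the eval-free way of obtaining the global object and the strict-mode caveat that the `(function(){return this;}())` replacement carries.

```javascript
// Added example (not from the question or Onsen UI): inspect a CSP policy
// string for eval/inline allowances, and obtain the global object without
// new Function("return this"), which CSP blocks unless 'unsafe-eval' is set.

// Parse "default-src 'self' http://foo.com; script-src 'self'" into a map of
// directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Effective script source list: script-src if present, else default-src.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || [];
}

// True if scripts may use eval(), new Function() and setTimeout(string).
function allowsUnsafeEval(policy) {
  return scriptSources(policy).some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// True if inline <script> blocks and inline handlers may run.
function allowsUnsafeInline(policy) {
  const srcs = scriptSources(policy).map((s) => s.toLowerCase());
  // CSP level 2 and later: a nonce or hash source makes 'unsafe-inline' ignored.
  const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !hasNonceOrHash && srcs.includes("'unsafe-inline'");
}

// Replacement for `new Function("return this")()` that needs no eval.
// In sloppy mode the IIFE's `this` is the global object; in strict mode
// (ES modules, "use strict") it is undefined, so fall back to globalThis.
function getGlobalObject() {
  const viaThis = (function () { return this; })();
  if (viaThis !== undefined) return viaThis;
  if (typeof globalThis !== 'undefined') return globalThis;
  if (typeof self !== 'undefined') return self;
  if (typeof window !== 'undefined') return window;
  return undefined;
}
```

The policy from the question, `default-src 'self' http://foo.com`, yields false for both checks, which is why the `new Function` line in onsenui.js is reported as an unsafe-eval violation.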