2

I am building an app for our company. We have an iframe (don't ask why...) loading a responsive website. It is (should be) transparent for the user.

I added a few JS lines in order to manage offline pages.

It is running well on the Android simulator (Cordova with Visual Studio) and on an Android device. However, I am facing a Content-Security-Policy that I suspect to be the source of this error:

deviceready has not fired after 5 seconds

From what I have read it could come from content security policy.

I got this error on run:

Refused to load frame 'gap://ready' because it violates the following Content Security Policy directive: "default-src 'self' https://www.mywebsite.fr http://www.mywebsite.fr". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

What do you think of this meta:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://www.mywebsite.fr http:///www.mywebsite.fr; child-src 'self' https:///www.mywebsite.fr http:///www.mywebsite.fr; script-src 'self' https:///www.mywebsite.fr http:///www.mywebsite.fr; 
         gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

And my config.xml:

<access origin="https:///www.mywebsite.fr" />
<access origin="http:///www.mywebsite.fr" />

Thanks for your time,

Stéf.

Sulot

1 Answer

1

The CSP error gives you all of the details. You do not have a 'frame-src' directive specified so it is falling back to 'default-src' which does not whitelist the gap: protocol.

You have two choices:

1) Add gap: to your 'default-src'.

2) Add a 'frame-src' directive and add gap: to that.

If you go for 2, you may also want to add the 'child-src' directive for future compatibility with the same value as 'frame-src'.

Scott Helme
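Added example, not part of the original answer: a small JavaScript model of how a browser picks the directive that governs a frame load (frame-src, then child-src, then default-src in current CSP) and checks `gap://ready` against it. The function names, the `SELF` page URL and the simplified source matching are assumptions made for illustration; the policies are built from the one quoted in the error message.

```javascript
// Added example (not from the original thread). Simplified CSP source matching:
// handles 'self', scheme sources such as gap:, and scheme://host sources only.
const originOf = (u) => `${u.protocol}//${u.host}`;

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Frames are governed by the first directive present in this chain.
// Sources are never merged across directives.
function frameDirective(directives) {
  return ['frame-src', 'child-src', 'default-src'].find((d) => directives.has(d)) || null;
}

// selfOrigin is the URL of the page carrying the policy (supplied by the caller).
function checkFrame(policy, frameUrl, selfOrigin) {
  const directives = parseCsp(policy);
  const directive = frameDirective(directives);
  if (directive === null) return { directive, allowed: true };
  const target = new URL(frameUrl);
  const allowed = directives.get(directive).some((src) => {
    if (src === "'self'") return originOf(target) === originOf(new URL(selfOrigin));
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    if (src.includes('://')) return originOf(target) === src.replace(/\/+$/, '').toLowerCase();
    return false; // other keywords, wildcards, bare hosts: not modelled here
  });
  return { directive, allowed };
}

// Constructed inputs: the policy from the error message, then the answer's two options.
const SELF = 'file:///android_asset/www/index.html'; // assumed Cordova Android page URL
const SITE = "'self' https://www.mywebsite.fr http://www.mywebsite.fr";
const results = {
  reported: checkFrame(`default-src ${SITE}`, 'gap://ready', SELF),
  option1: checkFrame(`default-src ${SITE} gap:`, 'gap://ready', SELF),
  option2: checkFrame(`default-src ${SITE}; frame-src ${SITE} gap:`, 'gap://ready', SELF),
  // frame-src replaces default-src for frames, so gap: alone blocks the site iframe.
  gapOnly: checkFrame(`default-src ${SITE}; frame-src gap:`, 'https://www.mywebsite.fr/', SELF),
};
console.log(results);
```

The `gapOnly` case is the one to watch when choosing option 2: a frame-src that lists only gap: stops the fallback to default-src, so the website origins have to be repeated in it.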