Comments (7)
Hi, thanks for feedback
I'll provide fix as soon as possible
from cordova-broadcaster.
Fix provided in version 2.0.6
from cordova-broadcaster.
The fix in f8ded25 doesn't seem to have worked.
I will open a new issue.
12-02 08:56:27.650 22195-22195/edu.berkeley.eecs.emission I/chromium﹕ [INFO:CONSOLE(1070)] "Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://berkeley.qualtrics.com https://jfe-cdn.qualtrics.com".
from cordova-broadcaster.
Hi thanks for feedback
Probably it is related to origin access and solution could be found here
from cordova-broadcaster.
Try these declarations in your index.html
Content Security Policy
Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
On Android and iOS, the network request whitelist is not able to filter all types of requests (e.g. <video> & WebSockets are not blocked). So, in addition to the whitelist, you should use a Content Security Policy <meta> tag on all of your pages.
On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).
Here are some example CSP declarations for your .html pages:
<!-- Good default declaration:
* gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
* https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
* Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
* Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
<!-- Allow requests to foo.com -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
<!-- Enable all requests, inline styles, and eval() -->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
<!-- Allow XHRs via https only -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
<!-- Allow iframe to https://cordova.apache.org/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
from cordova-broadcaster.
Yes, I can confirm that, as I had commented in #5 (comment), specifying 'unsafe_eval' in the CSP works. But that doesn't change the fact that sendJavascript is deprecated as described in the comment above. It was deprecated in 2014 and I am not sure when it will be removed.
We should switch to the bridge instead...
from cordova-broadcaster.
Hm on the other hand, from http://markmail.org/thread/lasyzbmq2bckkga6, Andrew Grieve, May 26, 2014 6:34:37 pm
Might be one of those leave it @deprecated forever kind of things.
from cordova-broadcaster.
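The EvalError in the log and the sample declarations quoted in this thread both turn on whether the directive that governs scripts contains 'unsafe-eval'. The check below is an added example, not code from cordova-broadcaster or from any commenter; the function names are hypothetical and the policy strings are copied from this page.

```javascript
// Added example: decide whether a CSP string lets the webview evaluate strings as code.

// Parse "name v1 v2; name2 v3" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP parsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs eval(); when it is absent, default-src is the fallback.
function effectiveScriptSources(policy) {
  const d = parseCsp(policy);
  if (d.has('script-src')) return { directive: 'script-src', sources: d.get('script-src') };
  if (d.has('default-src')) return { directive: 'default-src', sources: d.get('default-src') };
  return { directive: null, sources: null }; // no directive restricts scripts
}

function allowsEval(policy) {
  const { directive, sources } = effectiveScriptSources(policy);
  if (directive === null) return true;
  // Only the 'unsafe-eval' keyword enables eval(); '*' and host sources do not.
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// When a page carries several <meta> policies, all of them are enforced,
// so eval is allowed only if every policy allows it.
function pageAllowsEval(policies) {
  return policies.every(allowsEval);
}

// Policy strings copied from this page.
const POLICY_FROM_LOG =
  "script-src 'self' 'unsafe-inline' https://berkeley.qualtrics.com https://jfe-cdn.qualtrics.com";
const POLICY_GOOD_DEFAULT =
  "default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *";
const POLICY_ENABLE_ALL =
  "default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

console.log('log policy allows eval:', allowsEval(POLICY_FROM_LOG));        // false
console.log('good default allows eval:', allowsEval(POLICY_GOOD_DEFAULT));  // false
console.log('enable-all allows eval:', allowsEval(POLICY_ENABLE_ALL));      // true
```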