Details
- Bug
- Status: Closed
- Major
- Resolution: Not A Problem
- Important
Description
When adding the WKWebView plugin to a Cordova project, the CSP meta tag in an externally hosted HTML file is probably not used/parsed, or is there another way to configure CSP for the plugin?
I have a working app using the default web view engine on iOS; when it is replaced with the WKWebView, the app will log thousands of messages to the console. The error also results in the Cordova runtime and plugins not being loaded and not working in the app.
The plugin is added with the following elements in config.xml:
<feature name="CDVWKWebViewEngine">
    <param name="ios-package" value="CDVWKWebViewEngine" />
</feature>
<preference name="CordovaWebViewEngine" value="CDVWKWebViewEngine" />
<plugin name="cordova-plugin-wkwebview-engine" spec="~1.1.2" />
To see this behavior, simply run the project in the simulator, and then debug using Safari and connect to the simulator.
Output in Web Inspector in Safari:
[blocked] The page at about:blank was not allowed to display insecure content from gap://ready.
This is the current content of the CSP; I have attempted many different variations with no success:
<meta http-equiv="Content-Security-Policy" content="frame-src * gap://ready; default-src 'self' gap://ready file://* *; connect-src * blob: data:; style-src * 'unsafe-inline'; script-src * 'unsafe-eval' 'unsafe-inline'; img-src data: *">
(CSP header taken from this issue: https://github.com/driftyco/ionic/issues/6928)
The errors are not logged when the index.html within the app is loaded, but appear when externally linked HTML is loaded. The redirect is done using JavaScript code that changes window.location.href.
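As an added example (not part of the original report and not Cordova or plugin code), the JavaScript below parses the policy quoted in the report, resolves which directive governs frame loads through the CSP fallback chain, and checks whether gap://ready is listed there. The function names are hypothetical and source matching is deliberately simplified: `*` is modelled as covering only http(s)/ws(s), which is an assumption based on CSP Level 3, where the wildcard does not cover custom schemes.

```javascript
// Added example: audit a CSP string like the one quoted in the report.
// Assumption: matching is simplified to "*", scheme-only and exact-URL sources;
// real CSP matching also handles hosts, ports, paths and host wildcards.

// Policy copied from the meta tag in the report.
const REPORTED_CSP =
  "frame-src * gap://ready; default-src 'self' gap://ready file://* *; " +
  "connect-src * blob: data:; style-src * 'unsafe-inline'; " +
  "script-src * 'unsafe-eval' 'unsafe-inline'; img-src data: *";

// Parse "name v1 v2; name2 v3" into a Map; the first copy of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Return the first directive of the fallback chain that the policy defines.
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return { directive: name, sources: directives.get(name) };
  }
  return { directive: null, sources: null }; // nothing in the chain is set
}

// Simplified source match (see the assumption at the top of the block).
function sourceAllows(sources, url) {
  const scheme = url.split(":")[0].toLowerCase();
  return sources.some((src) => {
    if (src === "*") return ["http", "https", "ws", "wss"].includes(scheme);
    if (src.endsWith(":")) return src.slice(0, -1).toLowerCase() === scheme;
    return src.toLowerCase() === url.toLowerCase();
  });
}

// List script-src tokens that switch off most of CSP's script restrictions.
function weakScriptTokens(directives) {
  const { sources } = effectiveSources(directives, ["script-src", "default-src"]);
  const weak = ["*", "'unsafe-inline'", "'unsafe-eval'"];
  return (sources || []).filter((s) => weak.includes(s));
}
```

For the reported policy, frame loads resolve to frame-src, which lists gap://ready explicitly, and script-src carries all three weak tokens.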