Cordova default CSP rules: Not very permissive


#1

So, according to the docs:

For now, Meteor adds a permissive <meta http-equiv="Content-Security-Policy" content="..."> header to the generated index page

It actually doesn’t. Because the camera plugin presents me then with this after I’ve taken a photo using FILE_URI (as is recommended by Cordova):

chromium: [INFO:CONSOLE(1193)] "Refused to connect to ‘file:///storage/emulated/0/Android/data/foo/cache/1541246318348.jpg’ because it violates the following Content Security Policy directive: “default-src * gap: data: blob: ‘unsafe-inline’ ‘unsafe-eval’ ws: wss:”. Note that ‘connect-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

Great. And I can’t override that with a <meta> tag of my own because the frickin’ whole thing then crashes on startup.

In essence, I can take a photo but can’t actually do anything with it.


#2

WebAppLocalServer.localFileSystemUrl(fileFromCamera)


#3

And since that function is so well documented, I think I’ll now have to guess at what it does, then.

Thanks for at least pointing me in the right direction.
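What the one-liner in #2 is for, as an added example that is not code from this thread or from Meteor: a simplified CSP source-expression matcher showing why the camera's file:// URI is refused by the default-src quoted in #1, while an http://localhost URL (the kind WebAppLocalServer.localFileSystemUrl hands back, so the file is fetched through Meteor's local server instead of from file://) passes. Assumptions: the app page is served over http, and the sample port and path are constructed.

```javascript
// Simplified CSP source-expression matching, reduced to what the quoted policy needs.
const DEFAULT_SRC = "* gap: data: blob: 'unsafe-inline' 'unsafe-eval' ws: wss:";
const PAGE_SCHEME = "http";                       // assumption: app page served from http://localhost
const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);

// Extract the URL scheme, lower-cased, or null when there is none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Does one source expression from the directive match this URL?
function sourceMatches(source, url) {
  const scheme = schemeOf(url);
  if (scheme === null) return false;
  if (source.startsWith("'")) return false;       // keywords ('unsafe-inline', ...) never match a URL
  if (source === "*") {                           // '*' covers network schemes and the page's own scheme;
    return NETWORK_SCHEMES.has(scheme) || scheme === PAGE_SCHEME; // file:, data:, blob: must be listed
  }
  if (/^[a-z][a-z0-9+.\-]*:$/i.test(source)) {    // scheme-source such as data: or blob:
    return scheme === source.slice(0, -1).toLowerCase();
  }
  return false;                                   // host-sources are not present in this policy
}

// connect-src is not set in the quoted policy, so default-src is the fallback (as the log says).
function connectAllowed(policy, url) {
  return policy.trim().split(/\s+/).some((source) => sourceMatches(source, url));
}

// Constructed samples: the camera result from #1, and the shape of a URL served by
// Meteor's local server (port and path are illustrative, not real values).
const CAMERA_FILE_URI = "file:///storage/emulated/0/Android/data/foo/cache/1541246318348.jpg";
const LOCAL_SERVER_URL =
  "http://localhost:12345/local-filesystem/storage/emulated/0/Android/data/foo/cache/1541246318348.jpg";

function demo() {
  return {
    fileUriAllowed: connectAllowed(DEFAULT_SRC, CAMERA_FILE_URI),       // false: refused
    localServerAllowed: connectAllowed(DEFAULT_SRC, LOCAL_SERVER_URL),  // true: matches '*'
    dataUrlAllowed: connectAllowed(DEFAULT_SRC, "data:image/jpeg;base64,/9j/4AAQ"), // true: data: listed
  };
}
```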


#4

#5

Listen, throwing everything onto a page without making clear how things are connected is not documentation.

The error message you get does not lead you in the correct direction. The problem with the “documentation” is that it is all over the place. You have to jump back and forth and then promptly miss things.

Especially when this whole thing is called a guide.

Do you know what my pupils would do to me if I taught them this way? They’d string me up on the next tree, that’s what. They’d also hang me for smart-ass one-word answers, by the way.