My CSP line in main.html was a standard permissive one:
<meta http-equiv="Content-Security-Policy" content="default-src gap://ready file://* *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; img-src 'self' data: blob: *; media-src 'self' mediastream: blob:; connect-src * blob:" >
I decided to make it more restrictive, with specific allowed domains:
<meta http-equiv="Content-Security-Policy" content="default-src gap://ready file://* *; font-src 'self' data: https://maxcdn.bootstrapcdn.com https://kit-free.fontawesome.com https://fonts.gstatic.com; script-src 'self' https://maps.googleapis.com https://kit.fontawesome.com; style-src 'self' https://kit-free.fontawesome.com https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data: blob: *; media-src 'self' mediastream: blob:; connect-src * blob:; object-src 'none'" >
The restrictive CSP works fine in the browser, but a user quickly informed me that their iPhone version was hung on the splash screen. I checked mine – same thing. I checked iOS simulator – same thing. Android phone – also hung.
Bad on me for not checking phone vs browser behavior, but this is a killer. Something about the restrictive CSP seems to cause hot code push to fail, leaving users hung on the splash screen, but far worse, it apparently updates the HCP status in a way that a subsequent fix (rolling back to the permissive CSP) will not HCP. The only way to fix this problem is to uninstall and reinstall the phone app. Yikes!
Does anyone have some info on what can go in a restrictive CSP that doesn’t clobber HCP? I’ll be checking out options myself, maybe it’s as simple as including the server domain in the CSP. But on a broader note, the fact that there is a way to break HCP so badly that you have to uninstall the phone app is, to me, pretty major. Before I open an issue in Github, I’d love to hear anyone’s advice/experience on this.