Content-Security-Policy breaking console.log output


Developing an app on version 5 of Cordova (using the PhoneGap framework). The latest updates request you use a Content-Security-Policy meta tag as per their documentation: https://github.com/apache/cordova-plugin-whitelist

Here's my tag for the app:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.com">

When I include this everything works fine except console.log messages do not get pushed to terminal when running "phonegap serve" (a tool provided to 'test' your app using an app pre-installed on your device).

However, if I remove the tag from my code then console.log messages get pushed to terminal correctly, but I can no longer make data requests to my example.com domain.

I've tried many variations using http://content-security-policy.com/ as a guide but I can't get it to work correctly.

Note: This is a new facility in v5 of Cordova, as previously this was all working without a problem.

1 answer

Mark Veenstra (best answer)

Here is an example of my settings in Content-Security-Policy. I don't have * in production, but then I have * replaced with all accepted locations.

Also I needed to add gap://ready for the iOS platform. Not quite sure why this is needed, but when I debugged on iOS I saw that it threw an error on gap://ready.

<meta http-equiv="Content-Security-Policy" content="default-src 'self' * gap://ready; style-src 'self' 'unsafe-inline' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *">

With the above line my console.log() messages do appear.
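
To see exactly what changed between the two policies on this page, and which sources still need tightening before release, the following Node.js sketch parses both meta tag values, diffs them per directive, and lists the broad sources. It is an added example, not part of the question or the answer; the function names are hypothetical, and the two policy strings are copied from the posts above.

```javascript
// Added example: helper names are hypothetical; policies are copied from the posts above.
const QUESTION_CSP = "default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.com";
const ANSWER_CSP = "default-src 'self' * gap://ready; style-src 'self' 'unsafe-inline' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *";

// Parse a policy string into Map(directive name -> array of source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as connect-src fall back to default-src when absent.
function effectiveSources(directives, name) {
  return directives.get(name) || directives.get('default-src') || null;
}

// Sources added or removed per directive between two policies.
function diffCsp(before, after) {
  const a = parseCsp(before), b = parseCsp(after);
  const out = {};
  for (const name of new Set([...a.keys(), ...b.keys()])) {
    const x = a.get(name) || [], y = b.get(name) || [];
    const added = y.filter(s => !x.includes(s));
    const removed = x.filter(s => !y.includes(s));
    if (added.length || removed.length) out[name] = { added, removed };
  }
  return out;
}

// Sources worth replacing with explicit locations before a production build.
const BROAD = new Set(["*", "'unsafe-inline'", "'unsafe-eval'"]);
function broadSources(policy) {
  const findings = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const s of sources) if (BROAD.has(s)) findings.push(`${name} ${s}`);
  }
  return findings;
}

console.log(JSON.stringify(diffCsp(QUESTION_CSP, ANSWER_CSP), null, 2));
console.log(broadSources(ANSWER_CSP));
```

Neither policy declares connect-src, so data requests are governed by default-src in both; the diff shows the answer's default-src adds only 'self' and gap://ready, while its style-src and script-src are widened to *.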