How to set Content Security Policy in Windows Universal apps

I don't even know if that's what I need, but after several days of this MSDN Forum post with no answers at all I thought I'd give it a shot on SO.

My problem: I have many Windows 8.1 and Windows Phone 8.1 HTML/JavaScript apps that have a little <script> sentence in the <head> of every HTML page. I started migrating my apps to Windows 10 as a single Universal Windows app, but I get the following error:

CSP14312: Resource violated directive 'script-src ms-appx: data: 'unsafe-eval'' in Host Defined Policy: inline script. Resource will be blocked

and of course, nothing gets executed... am I missing anything?

edit: To repro, just create a blank Windows Universal app with VS2015 RC and add

<script>
    console.log('hello');
</script>

right before the head tag closes

sebagomez asked Jun 25 '15 13:06



2 Answers

Rob has it right: by default you can't have inline script in the ms-appx:/// protocol. This is the default protocol for an application, and it has a default CSP policy that doesn't allow inline script.

If you really wish to use inline script, you can navigate to the content via the ms-appx-web:/// protocol, where there is no default CSP policy.

The one note is that you do not have access to some capabilities in this protocol.

The only difference I have beyond what Rob said is that you most likely want to set the Application Content URI Rule (ACUR) like this:

<uap:ApplicationContentUriRules>
   <uap:Rule Type="include" Match="ms-appx-web:///" WindowsRuntimeAccess="all"/>
</uap:ApplicationContentUriRules>

To navigate to your content, you can set the StartPage in the manifest to ms-appx-web:///default.html.

Kevin Hill - Salesforce answered Oct 13 '22 02:10


I assume that's not your real use case, but overall it depends on the specific script whether it will work in the local or web context. See "Features and restrictions by context" for an overview. If you can pull the script into a local JS file instead of calling it from the head, then I would recommend that rather than fiddling with the app's security contexts.

Your console.log example works if it runs from the package (as you note) or if it runs in the web context. You can force the entire app to run in the web context by changing the start page to ms-appx-web:///default.html in the manifest.

However, since the app is now in the restricted web context, it won't have access to all of the Windows Runtime. You can open that up by adding the following to the Application section in your manifest:

<uap:ApplicationContentUriRules>
   <uap:Rule Type="include" Match="ms-appx-web:///" WindowsRuntimeAccess="allowForWebOnly"/>
</uap:ApplicationContentUriRules>

You'll need to open the manifest in a code editor rather than in the manifest editor to modify this section.

For more on the error, see the "Edge Console error and status codes" documentation.

Rob Caplan - MSFT answered Oct 13 '22 02:10
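Both answers turn on the same two facts: the context a page loads in is decided by the manifest's StartPage (ms-appx: is local, ms-appx-web: is web), and the local context carries the host-defined CSP that produces CSP14312 for any inline script. The following Node.js script is an added example, not code from the question or from either answer, and it is not a Microsoft tool. It audits a project the way the host does: it reads the StartPage and the ms-appx-web:/// ACUR rule from a Package.appxmanifest, scans an HTML page for inline <script> blocks and inline on* handler attributes (both count as inline script under CSP), and reports which of them would be blocked in the resulting context. The manifest and HTML embedded below are constructed sample inputs; plain regular expressions stand in for a real XML/HTML parser, which is adequate for the well-formed files a VS template generates.

```javascript
// Added example (not from the question or answers): a CSP14312 pre-check for a
// UWP JavaScript project. Constructed sample inputs follow; a real run would
// read Package.appxmanifest and the app's HTML pages from disk instead.

const SAMPLE_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10">
  <Applications>
    <Application Id="App" StartPage="default.html">
      <uap:ApplicationContentUriRules>
        <uap:Rule Type="include" Match="ms-appx-web:///" WindowsRuntimeAccess="allowForWebOnly"/>
      </uap:ApplicationContentUriRules>
    </Application>
  </Applications>
</Package>`;

const SAMPLE_HTML = `<!DOCTYPE html>
<html>
<head>
  <script src="/js/default.js"></script>
  <script>
    console.log('hello');
  </script>
</head>
<body onload="init()">
  <button onclick="doIt()">Go</button>
</body>
</html>`;

// 1-based line number of a character offset, so findings are easy to locate.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// 'web' when the StartPage is an ms-appx-web: URI, otherwise 'local'.
// A bare relative path such as "default.html" is package content, i.e. local.
function startPageContext(manifestXml) {
  const m = /\bStartPage\s*=\s*"([^"]*)"/.exec(manifestXml);
  if (!m) throw new Error('manifest has no StartPage attribute');
  return /^\s*ms-appx-web:/i.test(m[1]) ? 'web' : 'local';
}

// WindowsRuntimeAccess granted to ms-appx-web:/// content by the first include
// rule that covers it; 'unspecified' if that rule omits the attribute, null if
// no rule covers the web context at all.
function webContextWinRtAccess(manifestXml) {
  const ruleRe = /<uap:Rule\b([^>]*?)\/?>/gi;
  let m;
  while ((m = ruleRe.exec(manifestXml)) !== null) {
    const attrs = m[1];
    const type = /\bType\s*=\s*"([^"]*)"/i.exec(attrs);
    const match = /\bMatch\s*=\s*"([^"]*)"/i.exec(attrs);
    const access = /\bWindowsRuntimeAccess\s*=\s*"([^"]*)"/i.exec(attrs);
    if (type && match && type[1] === 'include' && /^ms-appx-web:\/\/\//i.test(match[1])) {
      return access ? access[1] : 'unspecified';
    }
  }
  return null;
}

// Inline <script> blocks (no src attribute, non-empty body) and inline on*
// event-handler attributes; CSP treats both as inline script.
function findInlineScript(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[2].trim();
    if (!/\bsrc\s*=/i.test(m[1]) && body.length > 0) {
      findings.push({ kind: 'inline-script', line: lineOf(html, m.index), snippet: body.split('\n')[0].trim() });
    }
  }
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const attrRe = /\s(on[a-z]+)\s*=\s*"([^"]*)"/gi;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      findings.push({ kind: 'inline-handler', line: lineOf(html, m.index), snippet: `<${m[1].toLowerCase()} ${a[1]}="${a[2]}">` });
    }
  }
  return findings;
}

// Only the local context carries the host-defined CSP from the question, so
// inline findings are reported as blocked only there; in the web context the
// same findings load, but WinRT access then depends on the ACUR rule.
function audit(manifestXml, html) {
  const context = startPageContext(manifestXml);
  const inline = findInlineScript(html);
  return {
    context,
    winRtAccess: webContextWinRtAccess(manifestXml),
    inline,
    blocked: context === 'local' ? inline : [],
  };
}

const report = audit(SAMPLE_MANIFEST, SAMPLE_HTML);
console.log(`start page context: ${report.context}; WinRT access for ms-appx-web: ${report.winRtAccess}`);
for (const f of report.blocked) {
  console.log(`CSP14312 would block ${f.kind} at line ${f.line}: ${f.snippet}`);
}
```

With the sample manifest the start page is local, so all three inline findings are reported as blocked; switching the StartPage to ms-appx-web:///default.html (as both answers describe) makes the audit report nothing blocked, while still showing which WindowsRuntimeAccess the web context was granted. The finding list doubles as a to-do list for Rob's preferred fix: each entry is a piece of script to move into a local JS file so the app can stay in the local context.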