
phonegap + ionic using Content-Security-Policy to load maps.googleapis.com, how to?

I have tried many ways of loading Google Maps and firebaseio without success. This is what I have now:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com;
  script-src 'self' https://maps.googleapis.com/* 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';">

And I get:

Refused to load the script 'https://maps.googleapis.com/maps/api/js?libraries=places' because it violates the following Content Security Policy directive: "script-src 'self' https://maps.googleapis.com/* 'unsafe-inline' 'unsafe-eval'".

Refused to load the script 'https://test.firebaseio.com/.lp?start=t&ser=79549912&cb=1&v=5' because it violates the following Content Security Policy directive: "script-src 'self' https://maps.googleapis.com/* 'unsafe-inline' 'unsafe-eval'".

Any ideas what I am doing wrong?

Patrioticcow asked Jul 11 '15 07:07


2 Answers

This did the trick :)

<meta http-equiv="Content-Security-Policy"
          content="default-src *;
               script-src 'self' 'unsafe-inline' 'unsafe-eval'
                           127.0.0.1:*
                           http://*.google.com
                           http://*.gstatic.com
                           http://*.googleapis.com
                           http://*.firebaseio.com
                           https://*.google.com
                           https://*.gstatic.com
                           https://*.googleapis.com
                           https://*.firebaseio.com
                           ;
               style-src  'self' 'unsafe-inline'
                          127.0.0.1
                           http://*.google.com
                           http://*.gstatic.com
                           http://*.googleapis.com
                           http://*.firebaseio.com
                           https://*.google.com
                           https://*.gstatic.com
                           https://*.googleapis.com
                           https://*.firebaseio.com
">

And the Google script: <script src="https://maps-api-ssl.google.com/maps/api/js?libraries=places"></script>

Patrioticcow answered Oct 14 '22 23:10
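
Why the question's policy refused both scripts while the list in the answer above allows them, as an added example that is not part of the original posts: in a CSP host-source, `*` is a wildcard only in the host or port, so `/*` is a literal path, and no firebaseio.com source was listed at all. The matcher is a simplified model of the matching rules; `parseSource`, `sourceMatches`, `allowedBy` and the `pageScheme` default are names and assumptions of this example.

```javascript
// Simplified model of CSP host-source matching. Keywords, nonces, hashes,
// redirects and percent-decoding are deliberately left out.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/.*)?$/i;

// Split "[scheme://]host[:port][path]". "*" is a wildcard only as the whole
// host, as a leading "*." label, or as the port; in the path it is literal.
function parseSource(expr) {
  const m = SOURCE_RE.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || "",
  };
}

// pageScheme (assumed https:) stands in for the protected page's own scheme,
// which scheme-less expressions such as 127.0.0.1:* inherit.
function sourceMatches(expr, url, pageScheme = "https:") {
  const s = parseSource(expr);
  if (!s) return false;
  const u = new URL(url);
  const scheme = s.scheme || pageScheme;
  // An http: expression also covers the https: form of the same host.
  const upgraded = scheme === "http:" && u.protocol === "https:";
  if (u.protocol !== scheme && !upgraded) return false;
  if (s.host.startsWith("*.")) {
    if (!u.hostname.endsWith(s.host.slice(1))) return false;
  } else if (s.host !== "*" && u.hostname !== s.host) return false;
  const wantPort = s.port || DEFAULT_PORT[u.protocol];
  if (wantPort !== "*" && wantPort !== (u.port || DEFAULT_PORT[u.protocol])) return false;
  if (s.path === "") return true; // no path: every path on the host
  // Trailing "/" means prefix match; anything else must match exactly.
  return s.path.endsWith("/") ? u.pathname.startsWith(s.path) : u.pathname === s.path;
}

// Does any host-source in a directive's source list allow this URL?
function allowedBy(sources, url) {
  return sources.some((expr) => sourceMatches(expr, url));
}

// URLs and source expressions copied from the question and the answer above.
const MAPS = "https://maps.googleapis.com/maps/api/js?libraries=places";
const FIREBASE = "https://test.firebaseio.com/.lp?start=t&ser=79549912&cb=1&v=5";
const questionList = ["https://maps.googleapis.com/*"];
const answerList = ["https://*.googleapis.com", "https://*.firebaseio.com"];
for (const url of [MAPS, FIREBASE]) {
  console.log(new URL(url).hostname, { question: allowedBy(questionList, url), answer: allowedBy(answerList, url) });
}
```

Under the same rules a source of `https://maps.googleapis.com` with no path, or `https://maps.googleapis.com/maps/api/` with a trailing slash, also allows the Maps script without widening the policy to every googleapis.com subdomain.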


For development without any restrictions use:

<meta http-equiv="Content-Security-Policy" 
      content="default-src * 'unsafe-eval' 'unsafe-inline'">

dimention answered Oct 14 '22 22:10