No access to external resources (mobile app)

Mr.Rubi · September 20, 2020, 6:01am

I’m stumped.

My mobile app has two external sources:

Fonts: https://fonts.googleapis.com
My server with data: https://serverapp.xxxxxxx.com

In the future, fonts will be moved to local app resources. Now I use them as a test.

So. I at first encountered a CORS problem when I was getting data from my server. After studying the problem and configuring the hosting, I solved it. The data began to arrive correctly.

Then I set up the CSP policy:

 <meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: https://*.googleapis.com https://serverapp.xxxxxxx.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com ; media-src *; img-src 'self' https://serverapp.xxxxxxx.com data: content:;">

Checked the settings of the “cordova-plugin-whitelist” plugin:

    <access origin="*" />
    <allow-intent href="http://*/*" />
    <allow-intent href="https://*/*" />

But every time I check, I get the same result: there are no errors in the browser (developer console), the app works correctly in the emulator, but when building and installing on a smartphone, the app has no data from my server and no Google fonts.

@Dave @mebeingken @s.alpaslan Perhaps faced with something similar? Any ideas?

Thank you in advance

s.alpaslan · September 20, 2020, 10:13am

hello @Mr.Rubi ,

my CSP policy ;

<meta http-equiv="X-Content-Security-Policy" content="img-src 'self' data:; default-src 'self' 'unsafe-inline'; https://yourdomain.com/*/ https://*/ https://yourdomain.com/*/ script-src 'self' 'unsafe-eval'; object-src 'self';">

please try

Dave · September 20, 2020, 12:07pm

Also the Whitelist plugin can cause this issue, a known problem. Delete the directory for the Whitelist Plugin. It will be automatically created again upon building the Project. Serhat’s CSP all looks good too. The combination of applying both should rectify the issues you are seeing hopefully.

Mr.Rubi · September 20, 2020, 1:20pm

@s.alpaslan Thanks for the offer. But switching to this CSP setting immediately causes CSP errors in my app. Errors are treated only by returning to my settings.

However, the interesting thing is that I don’t understand your version at all. But if it works, it means I didn’t fully understand the CSP settings. So thank you very much for giving me something to think about. I will continue to study CSP for a better understanding.

@Dave This is your Cup! I didn’t know there is such a problem with the Whitelist plugin. As soon as I deleted the plugin folder and rebuilt the app, everything worked! Great joy!

Thank you guys again for your help!

Dave · September 20, 2020, 1:54pm

I did mean to say ‘little known problem’. Stumbled upon it by accident and went through everything to try and resolve the issues and finally landed upon the Whitelist issue. Really happy it worked for you!