Content Security Policy gets replaced when it contains line breaks

[light]

phonegap version 6.3.5

The phonegap cli tool adds its own values to the CSP tag when streaming to the phonegap mobile app, however when there are line breaks in the source tag it does not modify it but overrides it instead. It seems due to a regexp in https://github.com/phonegap/connect-phonegap/blob/0.24.0/lib/util/injector-transform.js which checks for a single line only.

[surajpindoria]

Hi @light,

This is currently how the CSP injection has been designed. Some additions to the CSP are required to allow the served app to work in the Developer App. We are aware that it can be a little frail due to the regex and are working on some potential new solutions to this issue. Sorry for any inconvenience in the meantime.

[timkim]

Hi @light

Yes, as @surajpindoria said, the csp for some apps needs to be replaced in order for critical features of the dev app to work. However, I have updated the regex to be more forgiving with the help of @mwbrooks . In addition, the changes to the regex should help some with some bugs regarding the csp.

[light]

Shouldn't the header be left alone when there is no CSP to begin with ? As of now a CSP tags gets injected with more stringent constraints on origins, for example if there is no img-src it will add one for 'self', data: and content:, but not * so loading of remote images will fail.

[filmaj]

Sounds like there is still an open question / issue here, right @timkim @surajpindoria ? We are injecting more CSP where we probably shouldn't? Any clarification on path forward to resolve this issue here?

[surajpindoria]

Yes, we do the CSP injection by first finding a particular string and then replacing from there.
<script type=\"text/javascript\" src=\"cordova.js\"></script>

Someone else recently brought up the case where they had removed script type from the tag and it wasn't working properly either. We need to come up with a better solution.