content-security-policy

I had a really weird bug where deviceready event would not fire in an iOS device until the user interacted with the OS itself, this is, pressing the front button, show the notification center with drag down or go to device settings dragging up. As soon as the user started dragging the iOS notification center, then deviceready fired. Something as simple as this would just not work: <!DOCTYPE html> <html> <head> <meta charset="utf-8" /> <meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no, width=device-width" /> <meta http-equiv="Content-Security-Policy" content=

I noticed that GitHub and Facebook are both implementing this policy now, which restricts third party scripts from being run within their experience/site. Is there a way to detect whether a document is running against CSP using JavaScript ? I'm writing a bookmarklet, and want to give the user a message if they're on a site that doesn't support embedding a script tag. What about this. For slow connections, the timeout should probably be raised. Onload is what I used to detect it and it seems to work. If it loads then CSP obviously isn't enabled or it is configured improperly. var CSP = 0; frame

I have an error: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:" . Either the 'unsafe-inline' keyword, a hash ( 'sha256-...' ), or a nonce ( 'nonce-...' ) is required to enable inline execution. chrome-extension://ldbpohccneabbobcklhiakmbhoblcpof/popup.html:1 Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:" . the code popup.js $(document).ready

My Chrome app has the following manifest: { "name": ", "version": "1.0.3", "manifest_version": 2, "description": "Chrome Extension for.", "icons": { "16": "images/test.png", "19": "images/test.png", "256": "images/test.png" }, "app": { "background": { "scripts": [ "background.js" ] } }, "sandbox": { "js": [ "lib/test-api.js" ] }, "permissions": [ "<all_urls>", "notifications", "storage", "videoCapture" ] } I have a script file that runs eval . I have read about CSP and sandboxing, but I still get this error: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed

I am attempting to use the new Content Security Policy (CSP) HTTP headers on a test site. When I use CSP in conjunction with Modernizr I get CSP violation errors. This is the CSP policy I am using: Content-Security-Policy: default-src 'self'; script-src 'self' ajax.googleapis.com ajax.aspnetcdn.com; style-src 'self'; img-src 'self'; font-src 'self'; report-uri /WebResource.axd?cspReport=true These are the errors from the Chrome browser console: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline'