How to allow remote image src URLs in Apache Cordova app
I'm migrating create-react-app to Apache Cordova. My relative URLs to static images are working. Ex: ./images/path/to/file.jpeg
But in the iOS simulator I can't reference remote image sources in an S3 bucket. Ex: //s3-us-west-2.amazonaws.com/bla/bla/bla/8CCE-B64FD7247407.jpeg?1617374606
I think this is a security configuration issue, but I'm not sure. This is what is currently in my config.xml file:
<access origin="*" allows-local-networking='true' />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<allow-intent href="*" />
<platform name="android">
<allow-intent href="market:*" />
</platform>
<platform name="ios">
<allow-intent href="itms:*" />
<allow-intent href="itms-apps:*" />
<allow-intent href="*" />
</platform>
I currently have no <meta http-equiv="Content-Security-Policy" content="..."> in my index.html file.
What am I doing wrong?
Updates 1&2
I tried updating my config.xml file to include:
<allow-intent href="//:*/*" />
<access origin='*' allows-arbitrary-loads-for-media='true' allows-arbitrary-loads-in-web-content='true' allows-local-networking='true' />
Unfortunately this didn't work.
Like @DaveAlden suggested, it looks like this might be a CSP problem...
My original index.html file does not include the Content-Security-Policy meta tag at all, but when I run the cordova app in the browser and view the source. This is what I see:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
Now I think my question is: Where is that CSP coming from? And, how do I modify it?
For a moment I was scratching my head as to why remote images are working in the browser because my understanding is that img-src 'self' should disallow <img src="//:bla-bla.amazonaws.com/bla/bla" />. I think part of the explanation is that when I use the dev tools to inspect the <head> of the document, I see a different CSP tag than when I view source.
👆This CSP matches what I currently have in my index.html file before running cordova run ....
It seems like somehow Cordova is using a different, default CSP for iOS but somehow overriding it in the browser. I'm confused.
** Update 3**
I searched the files of my project and I discovered that the mysterious CSP (that I'm seeing in the browser) matches the default "template" policy listed on the cordova-plugin-whitelist README. <-- This suggests to me that my src index.html isn't getting used at all, and Cordova is falling back to an internal default.
Rrrrrrrr... I discovered that I can debug the iOS simulator using Safari and the CSP looks correct! I double-checked this in Safari and Chrome and they both show the correct CSP as well. So it appears that Firefox is showing something confusing when I click "View source" (I still can't explain this part) but this was a distraction from the real issue...
iOS is trying to request the remote image file with an incorrect file:// prefix. I think this is connected to the fact that the AWS URLs don't specify the protocol. Ex: //s3-us-west-2.amazonaws.com/bla/bla/...
The browsers seem to handle this just fine. But in the iOS simulator, it seems to think it's a local file. Notice that it has a file:// prefix.
I changed the API to return https:// and now it works in the simulator.
- OAuth SignIn Cordova Firebase
- How to get a JSON object of all files and folder structure
- Impossible build Ionic for Android
- Debugging a WebView (Ionic) app on Android via logcat
- Detect Back Button in Navigation Guards of Vue-Router
- Get previous page phonegap javascript
- Protect the app from bypassing the root detection (Frida Server)
- Ionic 3 - How to get application version number?
- Android webview keyboard covering up input
- How can I leverage the 'Go' or 'Submit' button on a mobile software keyboard in a HTML5 app?
- WebView flickering when keyboard show up in PhoneGap app
- Unable to load contents of file list: '/Target Support Files/Pods-Target Name/Pods-Target Name-frameworks-Debug-input-files.xcfilelist'
- How to use Google Login API with Cordova/Phonegap
- Extremely low running cordova app compared to smooth browser navigation
- Is there a way to let the app go behind the notch in Android phones using Cordova?
- How to link Cordova app to App Store?
- how can cordova open app from http or https url?
- Passing Array parameter to SQLiteObject.executeSql()
- Which is the best way to store local data with cordova?
- Can't Publish Another App on PlayStore: "Use another code version for your app"
- Not showing placeholder for input type="date" field
- Error: ANDROID_HOME is not set and "android" command not in your PATH. You must fulfill at least one of these conditions.
- How can I check if cordova is ready if the deviceready event has already fired?
- How to host material icons offline?
- Android - What is the target-script-min.js Script Connected from 192.168.1.128:8080?
- How to use the events 'pause' and 'resume' in an Angular/Ionic project?
- Sockets not connecting when running on release build
- How to build out ionic app
- Error: SetSite failed for package [ApacheCordovaToolsPackage]
- iOS how to get the user id in the receipt returned from apple server-to-server notification