Content Security Policy Error: Script Blocking in Android Above Lollipop
When deploying a Cordova app on Android devices running Lollipop (Android 5.0.0) or higher, you may encounter the error message: "Refused to load the script because it violates the following Content Security Policy directive: 'script-src 'self' 'unsafe-eval' 'unsafe-inline'." This indicates that the app's default Content Security Policy (CSP) is blocking the loading of a script from an external domain.
Default CSP for Android KitKat and Below
The default CSP for Android KitKat (4.4.x) and earlier allows loading scripts from trusted sources, including the same domain as the HTML document ('self'), CDN (e.g., 'gstatic.com'), and local storage ('data').
Required Changes for Android Lollipop and Above
For devices running Lollipop or higher, the default CSP must be modified to explicitly allow loading scripts from external domains. This can be achieved by updating the tag responsible for defining the CSP.
Solution: Modifying the Content Security Policy
To fix the error, you can try updating the tag in your project's index.html file with the following content:
<code class="html"><meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;**script-src 'self' http://Guess.What.com 'unsafe-inline' 'unsafe-eval';**" /></code>
Replace "http://Guess.What.com/MyScript.js" with the actual URL of the script you wish to import. This modification allows the script to be loaded from the specified domain, resolving the CSP violation error.
The above is the detailed content of Why is my Cordova App Encountering a Content Security Policy (CSP) Error on Android Above Lollipop?. For more information, please follow other related articles on the PHP Chinese website!