Bowser violates CSP due to inject of owr.js #74
Comments
@stefanalund - perhaps you know how to fix this? Can it be just a small change in the API or application options somewhere?
There's a big trouble here since WKWebView blocks every mixed content on page and there's no exception to this rule at this time. I think the whole project should return to use UIWebView.
This has been fixed: #72 (comment)
Well, I think that #72 does not fix this ticket. Of course the HTTPS loading issue would be a problem, but I do not see how this fix could make the CSP accept the injection.
Look what they did with Safari extension and you may have an idea of what to do. https://github.com/EricssonResearch/openwebrtc-browser-extensions/blob/master/safari/OpenWebRTC.safariextension/bootstrap.js
Yep, you are correct. I was a bit quick to pull the trigger :-) Reopening.
Yes @longsleep @lcamacho one idea is to do the same on iOS, i.e. to first download the contents of owr.js from within the application and inject it to the Would you guys be willing/able to try that yourselves? |
That results in the following:
Bowser does treat the locally injected owr.js as insecure and thus fails to load it for any pages which implemented a CSP.
Refused to connect to 'http://localhost:10717/owr.js' because it violates the following Content Security Policy directive: "connect-src 'self' wss://spreed.me/ws blob:".
13.01.2016 17:13:43
SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
This essentially makes it impossible to support Bowser with Spreed WebRTC as configured on https://spreed.me/ - The question for Bowser support came up in strukturag/spreed-webrtc#251
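The refusal in the console message above can be reproduced with a simplified `connect-src` matcher. This is an added example, not Bowser or Spreed code; the function names are hypothetical, and the matcher covers only the source forms that appear in this policy.

```javascript
// Added example: simplified CSP connect-src check (not Bowser or Spreed code).
// Handles 'self', 'none', scheme sources (blob:) and scheme://host[:port][/path].
// Wildcards and scheme-less hosts are out of scope and treated as non-matching.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// Split a policy string into directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, target, page) {
  if (source === "'self'") {
    return target.protocol === page.protocol &&
      target.hostname === page.hostname && portOf(target) === portOf(page);
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol === source.toLowerCase();
  }
  let s;
  try { s = new URL(source); } catch { return false; }
  if (s.protocol !== target.protocol || s.hostname !== target.hostname) return false;
  if (portOf(s) !== portOf(target)) return false;
  // A source path ending in "/" is a prefix match; otherwise it must match exactly.
  return s.pathname.endsWith('/')
    ? target.pathname.startsWith(s.pathname)
    : target.pathname === s.pathname;
}

// True if a fetch/XHR/WebSocket from pageUrl to targetUrl passes connect-src.
function connectAllowed(policy, pageUrl, targetUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  return sources.some((src) => sourceMatches(src, target, page));
}

const POLICY = "connect-src 'self' wss://spreed.me/ws blob:"; // from the error above
console.log(connectAllowed(POLICY, 'https://spreed.me/', 'http://localhost:10717/owr.js'));
```

None of the three source expressions shares a scheme, host and port with `http://localhost:10717`, so the request is refused before any mixed-content check applies.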