1
votes

I'm trying to retrieve information from a PHP script on localhost.

app.js in the Cordova application:

var url = 'http://localhost:8000/locations';

$.ajax({
    url: url,
    type: 'GET',
    contentType: "application/json",
    async: true,
    dataType: 'jsonp',
    crossDomain: true,
    success: function(resp) {
        console.log(resp);
    },
    error: function(err) {}
});

and the PHP code (with the Laravel framework):

return Location::all()->toJson();

I get this error:

Refused to load the script 'http://localhost:8000/locations?callback=jQuery21309354114597663283_1431278135791&_=1431278135792' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

2 Answers

1
votes

You need to add policies to your Cordova app.

http://content-security-policy.com/

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

The second link is exactly what you need. The article is well written, so I can only quote:

https://apis.google.com/js/plusone.js in the context of this page’s origin. We trust that code, but we can’t expect the browser to figure out on it’s own that code from apis.google.com is awesome, while code from apis.evil.example.com probably isn’t. The browser happily downloads and executes any code a page requests, regardless of source.

Instead of blindly trusting everything that a server delivers, CSP defines the Content-Security-Policy HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources. Even if an attacker can find a hole through which to inject script, the script won’t match the whitelist, and therefore won’t be executed.
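The whitelist check described above, as an added example that is not part of the original post: a simplified CSP source matcher run against the policy and JSONP URL from the question's error message. It shows why the script load falls back to default-src and is refused, and that a narrow connect-src entry permits a data request to the same host without allowing any remote script. `APP_ORIGIN`, `NARROW_POLICY` and the shortened callback name are assumptions; paths, nonces and hashes are not modelled.

```javascript
// Added example: simplified CSP source matching (scheme, host, port; no paths, nonces, hashes).
const FALLBACK = { script: ['script-src', 'default-src'], connect: ['connect-src', 'default-src'] };
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Policy quoted in the error message on this page.
const QUESTION_POLICY = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'";
// Assumed alternative: keep scripts locked down, allow only data requests to the API.
const NARROW_POLICY = QUESTION_POLICY + "; connect-src 'self' http://localhost:8000";
const APP_ORIGIN = 'file://'; // assumption: origin of the Cordova page
const JSONP_URL = 'http://localhost:8000/locations?callback=cb'; // callback name shortened

function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-eval' etc. never match a URL
  if (source === '*') return u.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme ? scheme.toLowerCase() + ':' !== u.protocol : !(u.protocol in DEFAULT_PORT)) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? u.hostname.endsWith(h.slice(1)) : h === u.hostname;
  const urlPort = u.port || DEFAULT_PORT[u.protocol];
  return hostOk && (port === '*' || urlPort === (port || DEFAULT_PORT[u.protocol]));
}

// kind: 'script' for <script>/JSONP loads, 'connect' for XHR/fetch.
function isAllowed(policy, kind, url, selfOrigin) {
  const directives = parsePolicy(policy);
  const directive = FALLBACK[kind].find((d) => d in directives) || null;
  const allowed = !directive || directives[directive].some((s) => sourceMatches(s, url, selfOrigin));
  return { allowed, directive };
}

console.log(isAllowed(QUESTION_POLICY, 'script', JSONP_URL, APP_ORIGIN));
console.log(isAllowed(NARROW_POLICY, 'connect', 'http://localhost:8000/locations', APP_ORIGIN));
```

A connect-src entry covers XHR/fetch only, so under the narrow policy the request has to be made as plain JSON rather than JSONP.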

1
votes

I just added this in the head tag

<access origin="*" />

and it works!