apply content security policy in mobile app


Hi there, in Service Center for a mobile application I cannot see the Security tab to apply a content security policy. Where is it and what role must I have? Thank you

Hey Ofast,

The Content Security Policy feature is available for mobile applications only since version 10.0.200.0. 

However, the security tab was hidden until version 10.0.405.0, which has been out since yesterday!

I would ask you to please upgrade your version. If you need any help on that, please contact Support.


Thank you,

Regards

I have upgraded the service studio to:

For web, the Security tab shows up, but not for mobile. How do I set it to show?

Thank you,

indra

Hey,

Was the environment that you are using upgraded to that version too?


Regards

No, the environment is 302. Thank you.

Hey,

The environment needs to be upgraded too, otherwise you will not be able to see the tab.

Let me know if it works as expected after the environment upgrade.


Thank you!

Regards

Hi Lara,

We faced this issue 'Refused to load gap://ready because it does not appear in the frame-src directive of the Content Security Policy' on the iOS platform. Does it relate to our platform, which is using 10.0.302? Do you have any idea how to solve this issue? Thank you


Warm Regards,

Sanledi Buli

Hi Sanledi, I have fixed this issue in one application. 

After some searching on the web, I found that iOS version 10 implemented some enforcement of CSP.

In another search, I found some GitHub projects with this problem and in the fix of one project there was this interesting comment:
<!-- Good default declaration:
   * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
...
-->

So I went to ServiceCenter and in the application security tab (Factory > Applications > Application > Security) I added gap: to Child-src, Default-src and Frame-ancestors. You can see an example in the image below. This fixed the issues in the mobile application.

Hope it helps. Kind regards,

Diogo Paulo

Hi Diogo,

Thank you very much for your feedback.

About your environment server, which version are you using? Thank you

Warm Regards,

Sanledi Buli

Hi Sanledi, I am using 10.0.405.0.

But like I said in my previous post this seems to be a problem that is related to the version of the iOS device. It doesn't have anything to do with the version of the platform.

I was doing my tests on iOS version 9 and I did not see any problems until someone lent me a phone running iOS version 10.

Hope you can overcome your problems with this information.

Kind regards,

Diogo Paulo

Hey Sanledi,

The problem that you mentioned and for which Diogo provided a solution is related to iOS version 10. The solution that Diogo provided implies that you set the Content Security Policy settings for the mobile application using Service Center. 

Unfortunately, you will only be able to see that security tab (where Content Security Policy settings are) on version 10.0.405.0. If you are using version 10.0.302, you will not be able to see that tab yet. 

After you upgrade your environment to version 10.0.405.0 and try Diogo's solution, everything should work!

Let me know if you need more explanations on this issue.

Best regards,

Lara

Thank you very much, Diogo. I just mentioned the OS platform because I can't find how to implement your feedback.

Thank you very much, Lara. I think your explanation is very helpful.

Hi Sanledi, are you adding the meta tag manually?

If so, try adding something like:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:; style-src 'self' 'unsafe-inline'; media-src *">

The above line is an example; it does not have to be exactly equal to this. The important part is the gap: source.

Kind regards,

Diogo Paulo
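
An added example (not code from this thread or from the platform): a simplified JavaScript model of which CSP directive governs a frame load such as gap://ready and whether a scheme source like gap: admits it. Only scheme sources and * are modelled, 'self' and host sources are assumed not to match a custom scheme, and the two comparison policies are constructed.

```javascript
// Added example: simplified model of how CSP decides a frame load such as gap://ready.
const FRAME_FALLBACK = ['frame-src', 'child-src', 'default-src'];
const NETWORK_SCHEMES = new Set(['http', 'https', 'ws', 'wss', 'ftp']);

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Only scheme sources ("gap:") and "*" are modelled; host sources and 'self'
// are assumed not to match a custom-scheme URL, so they fall through to false.
function sourceAllowsScheme(source, scheme) {
  const s = source.toLowerCase();
  if (s === '*') return NETWORK_SCHEMES.has(scheme); // wildcard excludes custom schemes
  return s === scheme + ':';
}

// Returns which directive governed the load and whether it allowed the URL.
function checkFrameLoad(policy, url) {
  const scheme = url.slice(0, url.indexOf(':')).toLowerCase();
  const directives = parsePolicy(policy);
  // The first directive present in the chain decides; later ones are not consulted.
  const directive = FRAME_FALLBACK.find((name) => directives.has(name)) || null;
  if (directive === null) return { directive, allowed: true }; // frames unrestricted
  const allowed = directives.get(directive).some((src) => sourceAllowsScheme(src, scheme));
  return { directive, allowed };
}

// Policy content from the meta tag in the post above.
const POSTED = "default-src 'self' data: gap:; style-src 'self' 'unsafe-inline'; media-src *";
// Constructed policies for comparison.
const NO_GAP = "default-src 'self'; frame-src 'self' https://example.com";
const GAP_ONLY_IN_DEFAULT = "default-src 'self' gap:; frame-src 'self'";

for (const p of [POSTED, NO_GAP, GAP_ONLY_IN_DEFAULT]) {
  console.log(checkFrameLoad(p, 'gap://ready'), '<-', p);
}
```

The third policy shows why adding gap: to default-src alone does not help when frame-src or child-src is also set: the fallback is consulted only when the more specific directive is absent.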

Hi Diogo,

We didn't add the meta tag manually, and I'm afraid there's no way to do it. But based on your and Lara's feedback, I now know why our environment couldn't set the content security policy. Furthermore, we have to upgrade our platform to 10.0.405.

Warm Regards,

Sanledi Buli