Recently I was building a reusable places autocomplete module requiring a script to be loaded from googleapis.com. I quickly found that only for production iOS I need to add `<meta http-equiv="Content-Security-Policy">` with proper content. While I have it in my backlog to address CSP properly, this time I wanted to add the minimum and start to think about it, as I was unable to find all the info I need…
- What are the particular equivalent CSP values when there is no `<meta http-equiv="Content-Security-Policy">`? E.g. for `script-src`, is the default `insecure-inline` `insecure-eval`?
- Are there CSP equivalents of the Cordova whitelist plugin tags in `config.xml`?
- If I want to introduce security, how to deal with inline and eval cases? Are there any nonce/hash plugins available?
- How to distinguish between development and production?
- What should be the default CSP values to start with for bare Ionic apps?
- Is `strict-dynamic` supported? If so, how can it be used?
- Should the Angular Meta service work to configure this dynamically? Or maybe some better Ionic/Capacitor/Cordova plugin/module is missing to support management of access lists?