Hi Jesse,
Did you ever finish your blog on this topic?
Now 2017 and learning about CSP & mobile app development w/PhoneGap Build in general. Blowout intro to mobile dev. I've seen at GitHub (Content Security Policy) that gap: is needed mainly for iOS using UIWebView. I think UIWebView has phased out though, but not sure. I still use it in my config.xml because I really do want my app backwards compatible to iOS 6.1.6, just because -- not wholly sure if doing this correctly. I also have in my config.xml webviewbounce -- both VIEWS though are under preferences. Not sure if I should use both, but seems to work in iPhone 4 & 5 tests; working on 6 and above tests.
So, I am new to this CSP stuff, just stumbled into this apparently major security control yesterday. What I've learned, I need content-security-policy and/or content-security-policy-report-only as a <meta> tag in each HTML page. I am working out the details. So, any assist / revelations would help on this topic.
Perhaps I should have posted afresh but your topic is basically my topic.
And since goal is to Whitelist: I am not sure if I need in config.xml file both allow-intent and access origin="http://...." for my whitelists to lock down to only allow specific links, since I read somewhere that access origin is used by iOS & is part of W3C docs. I also read not to use access origin="*" for release apps.
Side question: I read somewhere that "gap:plugin" is an older method for plugins and to remove, so I've done so except for <gap:plugin name="cordova-plugin-whitelist" source="npm"/> -- but again, I am not sure if I should have kept "gap" tag for icons & splash screens.
Thanks for any assists from you, @Kerri Shotts, @Rob Willett, and/or anyone else in the know.
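
Added example, not part of the post above: a small pre-release check that reads a config.xml and one HTML page and reports wildcard access / allow-intent entries, a missing CSP <meta> tag, and loose CSP sources. The sample config, the page and api.example.com are constructed, and the check assumes gap: is listed in default-src.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed sample inputs (hypothetical app, not taken from the post).
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="*"/>
  <access origin="https://api.example.com"/>
  <allow-intent href="https://*/*"/>
</widget>"""
PAGE_HTML = """<html><head><meta http-equiv="Content-Security-Policy"
  content="default-src 'self' https://api.example.com; script-src 'self' 'unsafe-inline'">
</head><body></body></html>"""

def audit_config(xml_text):
    """Flag <access>/<allow-intent> whitelist entries that contain a wildcard."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split('}')[-1]  # strip the XML namespace prefix
        value = el.get('origin') if tag == 'access' else el.get('href')
        if tag in ('access', 'allow-intent') and value and '*' in value:
            findings.append(f'{tag}: wildcard "{value}"')
    return findings

class CSPMeta(HTMLParser):
    """Collect the content of every Content-Security-Policy <meta> tag."""
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'meta' and (a.get('http-equiv') or '').lower() == 'content-security-policy':
            self.policies.append(a.get('content') or '')

def audit_page(html_text):
    """Return findings for one HTML page's CSP <meta> tag."""
    parser = CSPMeta()
    parser.feed(html_text)
    if not parser.policies:
        return ['no Content-Security-Policy <meta> tag']
    directives = {}
    # Each directive is "name source source ..."; empty parts are skipped.
    for tokens in filter(None, (p.split() for p in parser.policies[0].split(';'))):
        directives.setdefault(tokens[0].lower(), tokens[1:])
    findings = []
    # Assumption: gap: is listed in default-src, as the post says iOS UIWebView needs it.
    if 'gap:' not in directives.get('default-src', []):
        findings.append('default-src: gap: missing (iOS UIWebView bridge)')
    for name, sources in directives.items():
        findings += [f'{name}: {s}' for s in sources if s in ('*', "'unsafe-inline'", "'unsafe-eval'")]
    return findings
```

Run audit_page over every HTML file in the app, since the policy has to be present in each page.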