Content Security Policy Problem.


DL

Mar 25, 2018, 12:26:12 AM
to phonegap
Good evening,

I need to get the registration event id, to make a push notifications app.

This console.warn CSP message keeps warning me, and I can't even get the registration event id.

Could someone please help me solve it?

Please refer to the attachment uploaded.

Thanks.

Pete

Mar 25, 2018, 12:02:40 PM
to phonegap
I would strongly suggest you read this page and really learn CSP.  It will be worth your while because you want to lock down as much as you can.


Next, I couldn't tell what violation, if any, you were generating from that screenshot.

I know how frustrating CSP can be so here's one of mine:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' filesystem: gap: https://*.mydomain.com/ https://maps.googleapis.com/; style-src 'self' 'unsafe-inline' https://*.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; script-src 'self' 'unsafe-inline' https://maps.googleapis.com/; img-src 'self' data: https://*.gstatic.com/ https://*.googleapis.com/; connect-src 'self' https://*.mydomain.com/ ws://localhost:*; media-src *">

This allows me to run JavaScript locally, run PHP scripts on my server, get images from my server, access the device file system, play media files, use Google Maps and geocoding, etc.

On the server side I use a script to capture and email the CSP violations to myself. You can enable server-side CSP logging by implementing the report-uri tag and the script URL. report-uri is deprecated, and browsers that support the new report-to tag will ignore report-uri. You can read all about it in the link I provided. For now, report-uri seems to be working on iOS and Android, but test it on your flavor.

<?php
// Note: this script requires PHP >= 5.4 (http_response_code() and JSON_PRETTY_PRINT).

define('EMAIL', 'ad...@mydomain.com');          // Specify the email address that receives the reports.
define('SUBJECT', 'mydomain CSP violation');    // Specify the desired email subject for violation reports.

// Send `204 No Content` status code.
http_response_code(204);

// Get the raw POST data.
$data = file_get_contents('php://input');

// Only continue if it's valid JSON that is not just `null`, `0`, `false` or an
// empty string, i.e. if it could be a CSP violation report.
if ($data = json_decode($data))
{
  // Prettify the JSON-formatted data.
  $data = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);

  // Mail the CSP violation report.
  mail(EMAIL, SUBJECT, $data, 'Content-Type: text/plain;charset=utf-8');
  error_log($data);
}
else
{
  error_log("Empty CSP violation string");
}
?>
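As an added example (not code from the thread or from PhoneGap), the policy string from the meta tag above and the report-uri receiver above can both be exercised client-side in JavaScript: parseCsp splits the policy into directives, weakSources lists which directives carry 'unsafe-inline', 'unsafe-eval', a bare '*' or a wildcard host, and summariseReport reduces a report-uri POST body to the fields worth logging. The violation report is constructed for the example, not captured.

```javascript
// Parse a CSP policy string (e.g. the content attribute of the <meta> tag above)
// into { directiveName: [source, ...] }. Directive names are case-insensitive.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return, per directive, the sources that widen the policy: 'unsafe-inline',
// 'unsafe-eval', a bare '*' and wildcard hosts such as https://*.example.com/.
// Directives with no such source are left out of the result.
function weakSources(directives) {
  const weak = {};
  for (const [name, sources] of Object.entries(directives)) {
    const hits = sources.filter(s =>
      s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*' || s.includes('*.'));
    if (hits.length > 0) weak[name] = hits;
  }
  return weak;
}

// Reduce a report-uri POST body (JSON with a top-level "csp-report" object, the
// same body the PHP script above mails out) to the fields worth logging.
// Returns null for a body that is not a violation report (bad JSON, "null", etc.).
function summariseReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    directive: r['effective-directive'] || r['violated-directive'] || '',
    blocked: r['blocked-uri'] || '',
    document: r['document-uri'] || '',
  };
}

// The policy from the post above, and a constructed (not captured) violation report.
const EXAMPLE_POLICY = "default-src 'self' 'unsafe-inline' 'unsafe-eval' filesystem: gap: https://*.mydomain.com/ https://maps.googleapis.com/; style-src 'self' 'unsafe-inline' https://*.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; script-src 'self' 'unsafe-inline' https://maps.googleapis.com/; img-src 'self' data: https://*.gstatic.com/ https://*.googleapis.com/; connect-src 'self' https://*.mydomain.com/ ws://localhost:*; media-src *";
const EXAMPLE_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://app.mydomain.com/index.html',
  'violated-directive': 'connect-src',
  'effective-directive': 'connect-src',
  'blocked-uri': 'https://example.net/push',
} });
console.log(weakSources(parseCsp(EXAMPLE_POLICY)));
console.log(summariseReport(EXAMPLE_REPORT));
```

Running it prints every directive of the posted policy except font-src, which is the quickest way to see how much of an app's CSP is carried by 'unsafe-inline' and wildcard hosts rather than by explicit origins.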