locked
[UWP][HTML]How to set CSP in WUA to access a JS api, which is marked unsafe-eval RRS feed

  • Question

  • I am trying to use google maps API in my app. when I try to run this app getting run time error - 

    "CSP14312: Resource violated directive 'script-src ms-appx: data: 'unsafe-eval'' in Host Defined Policy: https://maps.googleapis.com/maps/api/js. Resource will be blocked."



    Thursday, May 14, 2015 8:57 PM

Answers

  • Or...alternately...here's what you could do without splitting the default.html or the iframe concept...

    1.) In your package.appxmanifest file, point your StartPage to: ms-appx-web:///index.html.

    2.) Doing this will cause your app package to point to the start page in the "web" context

    3.) Then add the following lines to the manifest file:

    <uap:ApplicationContentUriRules>
      <uap:Rule Type="include" Match ="ms-appx-web:///" WindowsRuntimeAccess="allowForWebOnly"/>
    </uap:ApplicationContentUriRules>

    If you don't do this, then you can't reference the Windows Runtime (default.js references Windows.ApplicationModel.Activation)

    And then you should be able to load the map successfully from the web context....


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    • Marked as answer by PS429 Friday, May 15, 2015 6:25 PM
    Friday, May 15, 2015 1:28 AM
    Moderator

All replies

  • Hi PS429,

    How are you defining your Content Security Policy? Can you send me a simple HTML page which demonstrates the problem alongwith the relevnt contents of the package.appxmanifest file?

    Or rather just upload a simple project to OneDrive/DropBox and I will take a look.

    Thanks,

    Prashant


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    Thursday, May 14, 2015 9:02 PM
    Moderator
  • You can download it from here - https://onedrive.live.com/redir?resid=e9b5d765ef06f0c1!1307&authkey=!AHvcEf9HKiEe7iQ&ithint=file%2czip
    • Edited by PS429 Thursday, May 14, 2015 11:08 PM
    Thursday, May 14, 2015 10:56 PM
  • In the repro you provided, why are you trying to load the <script> from a remote location? As per the documentation: https://msdn.microsoft.com/en-us/library/windows/apps/hh465373(v=VS.85).aspx

    If you want to access "remote" content, you should really be using/loading the map from the "web context". It seems that you are trying to implement the Google Maps functionality as discussed here: http://www.creepyed.com/2012/11/how-to-use-the-google-maps-api-on-windows-8/

    That approach is fine and it will work ONLY if you were to put the contents of your current default.html into a different file (map.html as per that article) and then load map.html from an <iframe> inside default.html.

    When you do that, default.html will be able to load the <iframe> because it is local to the app, and then the iframe HTML itself can reference the remote location (because from the MSDN link above), the Web Context can reference the remote locations.

    Hope it helps.


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    Thursday, May 14, 2015 11:55 PM
    Moderator
  • Or...alternately...here's what you could do without splitting the default.html or the iframe concept...

    1.) In your package.appxmanifest file, point your StartPage to: ms-appx-web:///index.html.

    2.) Doing this will cause your app package to point to the start page in the "web" context

    3.) Then add the following lines to the manifest file:

    <uap:ApplicationContentUriRules>
      <uap:Rule Type="include" Match ="ms-appx-web:///" WindowsRuntimeAccess="allowForWebOnly"/>
    </uap:ApplicationContentUriRules>

    If you don't do this, then you can't reference the Windows Runtime (default.js references Windows.ApplicationModel.Activation)

    And then you should be able to load the map successfully from the web context....


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    • Marked as answer by PS429 Friday, May 15, 2015 6:25 PM
    Friday, May 15, 2015 1:28 AM
    Moderator
  • This does work, but it isn't that clear.  Now you can use the built-in manifest editor and make the following changes:

    Rebuild and run again and it _should_ work.   Mine did.

    Wednesday, August 15, 2018 2:47 PM