Do not send CSP for Android Browser < 4.4. #82
I'm going to make sure this is true before I merge (not that I don't trust you!), but before I do:
After you fix that and I give this a test in an Android simulator, I'll merge! Thanks for finding this.
I made a small server that sends some CSP to only resources from the same origin (sets the following headers), and then loads an HTML page to test CSP.
I tried this in the Android Simulator for version 4.0.2, and while it didn't seem to support CSP, it was able to load things: Are we sure that CSP breaks Android <4.4?
Try setting it up with a fake CDN of sorts. We don't simply have
Could you find/make a test page that I could try? I made one myself and it doesn't seem to have the issue.
Place this on hold for a bit. I'm going to set up a basic test app and see if I can't figure out a way to replicate the issue we're having.
Sounds good! Thanks for your help.
Because we've moved csp to its own module, the PR now just looks like this: break;
+ case 'Android Browser':
+ break;
+
default: Closing for now; feel free to reopen on the CSP module.
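Review bot: the added `case 'Android Browser':` carries no version test in the visible lines, so every Android Browser release falls out of the switch at `break;`, while the PR title limits the problem to versions below 4.4. Compare the parsed browser version against 4.4 inside the case so that 4.4 and later still reach the header-setting path, and add a one-line comment explaining why the case is otherwise empty, since a bare `break;` just before `default:` reads like an accidental omission and the clients it matches end up with no policy at all.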
Android Browser < 4.4 doesn't simply silently fail when CSP headers are sent, as one might expect. It just doesn't load any resources.
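One way to gate the header on the browser version described above, as an added example that is not the project's code. The function names, the User-Agent heuristics and the sample strings in the usage are assumptions made for illustration; unknown clients still receive the policy, so a failed parse never silently drops CSP.

```javascript
// Added example. Names and User-Agent heuristics are assumptions, not the project's code.
const CSP_HEADER = 'Content-Security-Policy';

// Returns [major, minor] of the Android release when the User-Agent looks like
// the stock Android Browser, or null for every other client.
function androidBrowserVersion(userAgent) {
  if (typeof userAgent !== 'string') return null;
  // Other browsers on Android advertise their own product token.
  if (/\b(Chrome|CriOS|Firefox|OPR|Edge)\//.test(userAgent)) return null;
  // The stock browser identifies as WebKit with a "Version/x" token.
  if (!/AppleWebKit\//.test(userAgent) || !/\bVersion\/\d/.test(userAgent)) return null;
  const match = /\bAndroid (\d+)(?:\.(\d+))?/.exec(userAgent);
  if (!match) return null;
  return [Number(match[1]), Number(match[2] || 0)];
}

// Only a positively identified Android Browser below 4.4 is excluded.
// Anything unrecognised or unparsable still gets the policy.
function shouldSendCsp(userAgent) {
  const version = androidBrowserVersion(userAgent);
  if (version === null) return true;
  const [major, minor] = version;
  return major > 4 || (major === 4 && minor >= 4);
}

// Builds the response headers for one request. The response now depends on the
// User-Agent, so shared caches are told to key on it.
function cspHeadersFor(userAgent, policy) {
  const headers = { Vary: 'User-Agent' };
  if (shouldSendCsp(userAgent)) headers[CSP_HEADER] = policy;
  return headers;
}
```
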