Security policy meta tag in AB1


Amin Mousavi

Hi David,

Hope you are doing well.

I have created an app with AB1 that later on we merged with a Cordova app we already had. Now we are migrating the Cordova app to Capacitor. The AB1 part also fits with Capacitor nicely; we have only faced one issue that we could not fix.

How can we set a security policy meta tag in AB1? We need to add a scheme for Capacitor, but we get the "unsafe" postfix when adding it manually.

Any thoughts or solutions are greatly appreciated.

Thanks


DecSoft

Hello Amin,

I am not quite sure about the exact problem that you have; however, trying to help you, what I can say for now is this: AB1 already establishes a "Content-Security-Policy" in the "index.html" file of the app. We can change the value of that meta tag at runtime, for example, using the app Start event, with the below line of code:

If I choose the app Start event, it is because it's the very first event fired in AB1 apps; however, I am not sure if establishing the value of that meta tag at runtime can work or not in your specific case. So another possibility is to change the value of that meta tag directly in the "index.html" file. You can do it manually (after compiling the app) or using some kind of automation if you use some BAT file or program in the App options -> Build.

On the other hand, if what you want or need is to add new meta tags in the "index.html" file of the app, then you can use the App options -> HTML -> Custom metadata option, which allows us to place HTML stuff which will be placed in the "head" section of the "index.html" file of the app. I hope that this information can help you in some manner, Amin.
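The build-step route mentioned in this reply, sketched as an added example (not code from the thread or from AB1): a Node.js function that adds one source to chosen directives of the CSP meta tag in a compiled index.html. Browsers enforce a meta-delivered policy as the tag is parsed and ignore later changes to its content attribute, which is why this rewrites the file rather than the live DOM; the sample HTML, its policy and the directive list are constructed assumptions.

```javascript
// Added example: build-step rewrite of the CSP meta tag in a compiled index.html.
// The sample HTML and its policy are constructed; they are not AB1's real output.
const sampleHtml = `<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:; img-src 'self' data:; frame-src 'none'">
</head>`;

function addSourceToCsp(html, source, directives) {
  // Locate the CSP meta tag regardless of attribute order.
  const tagRe = /<meta\b[^>]*http-equiv\s*=\s*["']Content-Security-Policy["'][^>]*>/i;
  const tag = tagRe.exec(html);
  if (!tag) throw new Error('no Content-Security-Policy meta tag found');

  const contentRe = /(\bcontent\s*=\s*)(["'])([\s\S]*?)\2/i;
  const attr = contentRe.exec(tag[0]);
  if (!attr) throw new Error('CSP meta tag has no content attribute');

  const policy = attr[3]
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      if (!directives.includes(name.toLowerCase()) || sources.includes(source)) {
        return d; // untouched directive, or source already present
      }
      // 'none' must stand alone, so it is dropped when a real source is added.
      const kept = sources.filter((s) => s !== "'none'");
      return [name, ...kept, source].join(' ');
    })
    .join('; ');

  // Function replacers avoid "$" in the policy being treated as a pattern.
  const newTag = tag[0].replace(contentRe, (_m, pre, q) => pre + q + policy + q);
  return html.replace(tag[0], () => newTag);
}

// Constructed usage: allow the capacitor: scheme in three directives.
function patchSample() {
  return addSourceToCsp(sampleHtml, 'capacitor:', ['default-src', 'img-src', 'frame-src']);
}
```

A scheme source such as `capacitor:` matches every host under that scheme, so list only the directives that actually load content from it.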



Amin Mousavi

Thank you very much David for the speedy response. Very helpful as always. We have tried editing the HTML and had no luck. Will try the two other recommendations and hopefully one of them works.


DecSoft

Hello Amin,

My concern is that if you already tried editing the HTML directly, the other methods probably won't work... and why? Well, because the other methods try to avoid directly editing the HTML, but in the end what we get is some HTML...

Can I ask what the exact problem is? Are you trying to run the AB1 app inside an IFrame or something like that? And, if so (or otherwise), do you get some error message or something like that? I know you mentioned above some "unsafe" postfix problem, but I am not sure exactly what this is.

Anyway, I hope you can get it working as expected!



Amin Mousavi

Hi David,

We have a game that is built by Cordova (Lingolish). Inside that game we have a challenge created by AB1 and, as you guessed, we open it in an iframe inside Lingolish. These two parts communicate through local storage and are working nicely together. However, we have some performance issues in the Cordova bit since it has become very graphic rich, and one of the things that we are trying in order to improve the overall performance is migrating from Cordova to Capacitor. I am responsible for the AB part, and the guys working on the Cordova migration came back to me with this error, the "unsafe" postfix, and said to fix the issue on Capacitor; they had tried editing the HTML and had no luck and were looking for my input. I searched AB for "security policy" and could not find anything and so bothered you with it.

I am working with them tomorrow to see how we can fix this issue. I will let you know how it proceeds and if we can fix it or if we fail to do so. Thanks a million for your help as always.


DecSoft

Hello Amin,

Maybe you can get more information about the issue. My point is that I am not sure if the content policy (which applies to the app which runs inside the IFrame, and does not apply to the "parent") has something to say here, just because of what I said: the content policy is for the app itself, not for the "parent".

On the other hand, if I search by "unsafe posfix" I can't get relevant results: maybe I am not searching well, but, it's rare to see no results when we search for an error: commonly we get relevant information which can be used to discover a possible solution for the error in question.

So here are some questions... is the AB1 app loading in the IFrame? If yes, then... I do not understand the problem... since probably this is what we wanted... if not... then we must get some kind of error... probably related to the server which serves the AB1 app and not the app itself.

Have you tried to run the AB1 app inside an IFrame to see what happens? Doing this we can see if the problem is in the server of the app: some servers can refuse to load the content inside an IFrame; even though I am not sure if this is the case, we can look into this to see if that is the problem or not.

Maybe the "unsafe postfix" error is related in some manner to Capacitor, and my lack of knowledge about Capacitor doesn't allow me to say something useful: maybe this can be a clue, I mean, maybe we must search for that error talking specifically about Capacitor, to see if it's a Capacitor problem / error.

So try all of these, Amin, and try to get some more information, or to reproduce the problem, in order to see what the possible solution can be. But again... I am not sure about the security policy, which in principle affects the app itself, not the "parent" app...

I hope you can finally solve the issue! And please, don't hesitate to post here any further questions!



Amin Mousavi

Hi David,

My colleague has managed to manually update the files and build the work with Capacitor. The "unsafe postfix" error he was getting was the result of a combination of a few other issues that I am explaining below. The parts he has asked me to include in the AB are below. I am working on two but have no clue about the other two.

As he said, Capacitor does not have a "deviceready" event, so he had replaced the event with one of our own to get rid of the error. To be able to continue using the AB UI, I recommended moving the commands we have in the "Ready" event to "Start". I am working on this part and am partially successful so far. The only issue I have run into is that I am not able to define the variables we have in "Ready" in "Start". For instance, we have this variable in "Ready", but none of the below works when put in Start.

The other issue is that we need to include "capacitor" in the "imgSrcSanitizationWhitelist" exception list. It has been done manually, but I was wondering, is there any way to include it somewhere in the AB so it is not necessary to update the AB builds.

Thanks a million


DecSoft

Hello Amin,

If you remember, the app Start event of AB1 was added in the past for some capability that you wanted: changing the "window.App.Config.DefaultView" variable, or many other "config" variables. Certainly, in this event we can't use any AB1 actions, only JavaScript, and cannot get access to the app variables.

If you do not want to use the "DeviceReady" event, instead of the Start event, maybe you can consider using the view Show event. You can take the view Show event as a kind of Start event, since it's fired even before the DeviceReady is fired, and in the view Show event you can use AB1 actions, variables, etc.

On the other hand, if you can use "window" variables, then you can certainly use the app Start event, for example, the below code defines a "window" variable in the app Start event:

Those kinds of variables can be set in the app Start event, and, certainly, they are available in other app places; for example, the below code can be in the view Show event:

Talking about the other issue, that is, adding the "capacitor" value into the "imgSrcSanitizationWhitelist", I have updated AB1 right now in order to add the "capacitor" value into "imgSrcSanitizationWhitelist", so you can upgrade your AB1 copy in order to get it working "as is". I hope this information can help you in some manner, Amin; just post here if you have any further questions.
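Why a missing "capacitor" entry in that whitelist shows up as "unsafe", as an added example that is not part of the thread or of AB1: it assumes the imgSrcSanitizationWhitelist named above is AngularJS's $compileProvider setting, and models how such a sanitizer resolves an image URL against the page's own URL and prefixes it with `unsafe:` when the result does not match the pattern. Both patterns are modelled on the AngularJS default and the page URL is constructed; check the value your build actually uses.

```javascript
// Added example: a small model of AngularJS-style img src sanitization.
// It is not AngularJS's or AB1's code; patterns and URLs are constructed.
const DEFAULT_IMG_WHITELIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;
const WITH_CAPACITOR = /^\s*((https?|ftp|file|blob|capacitor):|data:image\/)/;

// Constructed page URL for an app served from the capacitor:// scheme.
const PAGE_URL = 'capacitor://localhost/index.html';

function sanitizeImgSrc(uri, whitelist, baseHref) {
  let normalized;
  try {
    // Relative URLs inherit the scheme of the page they are loaded from.
    normalized = new URL(uri, baseHref).href;
  } catch {
    normalized = uri; // unparsable input is checked as written
  }
  if (normalized !== '' && !whitelist.test(normalized)) {
    // Rejected URLs are neutralised, so the image never loads.
    return 'unsafe:' + normalized;
  }
  return uri;
}

// One constructed set of inputs checked under both patterns.
function compareWhitelists(uris) {
  return uris.map((uri) => ({
    uri,
    before: sanitizeImgSrc(uri, DEFAULT_IMG_WHITELIST, PAGE_URL),
    after: sanitizeImgSrc(uri, WITH_CAPACITOR, PAGE_URL),
  }));
}

console.log(compareWhitelists([
  'img/logo.png',                  // relative: resolves to capacitor://localhost/...
  'https://example.com/photo.png', // allowed by both patterns
  'javascript:void(0)',            // still rejected after the change
]));
```

Extending the pattern by one scheme keeps every other check in place, so anything outside the listed schemes is still rewritten with the `unsafe:` prefix.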



Amin Mousavi

Hi David,

Thanks a lot. Fixed the issue. Fantastic help and support as always.


DecSoft

Hello Amin,

Thanks a lot. Fixed the issue. Fantastic help and support as always.

Always thank you for your trust, sir!

