How to Set Content Security Policies in Windows Universal Applications

I don't even know what I need, but after a few days with no answers at all to this MSDN Forum message, I thought I would have a shot at SO.

My problem: I have many HTML/JavaScript applications for Windows 8.1 and Windows Phone 8.1 that have a small <script> clause in the <head> of each HTML page. I started porting my applications to Windows 10 as one universal Windows application, but I get the following error:

 CSP14312: Resource violated directive 'script-src ms-appx: data: 'unsafe-eval'' in Host Defined Policy: inline script. Resource will be blocked 

and, of course, nothing happened ... Did I miss something?

edit: To play, simply create a blank Windows Universal application with VS2015 RC and add

 <script> console.log('hello'); </script> 

before closing the title tag

+5
3 answers

Rob has it right, by default you cannot have a built-in script in the ms-appx:/// protocol. This is the default protocol for the application and has a default CSP policy that prevents the script from being embedded.

If you really want to use the inline script, you can go to the content via the ms-appx-web:/// protocol, where there is no default CSP policy.

The only caveat: you do not have access to some features in this protocol.

The only difference that I have above what Rob said is that you most likely want to set a URI rule for application content (ACUR) like this:

    <uap:ApplicationContentUriRules>
        <uap:Rule Type="include" Match="ms-appx-web:///" WindowsRuntimeAccess="all"/>
    </uap:ApplicationContentUriRules>

To go to your content, you can set StartPage in the manifest to ms-appx-web:///default.html

+3

I assume this is not your real use case, but overall it depends on the particular script, whether it will work in a local or web context. See Features and Contextual Limitations for an overview. If you can pull the script into a local JS file instead of calling it from the head, I would recommend this instead of messing with application security contexts.

Your console.log example works if it starts from a package (as you noticed), or if it works in a web context. You can force the entire application to start in a web context by changing the start page to ms-appx-web:///default.html in the manifest.

However, since the application is now in a limited web context, it will not have access to all Windows Runtime. You can open this by adding the following to the "Application" section of the manifest:

    <uap:ApplicationContentUriRules>
        <uap:Rule Type="include" Match="ms-appx-web:///" WindowsRuntimeAccess="allowForWebOnly"/>
    </uap:ApplicationContentUriRules>

You will need to open the manifest in the code editor, and not in the manifest editor, to change this section.

For more information about the error, see Edge Console Errors and Status Codes documentation.

+3
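
The check below is an added example, not code from this thread or from Microsoft: it evaluates `<script>` elements against the `script-src` value quoted in the CSP14312 error, so inline blocks that should move to a local JS file can be found before porting. The function names, the regex-based scan and the sample markup are assumptions made for illustration; inline event-handler attributes and `default-src` fallback are not modelled.

```javascript
// Added example (not from the original thread): flag <script> elements that the
// host-defined policy quoted in the CSP14312 error would block.
const HOST_POLICY = "script-src ms-appx: data: 'unsafe-eval'"; // from the error text

// Constructed sample page: the inline script from the question plus two external ones.
const SAMPLE = `<head><title>t</title>
<script> console.log('hello'); </script>
<script src="/js/default.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head>`;

// Return the source expressions of one directive, or null if it is absent.
function sources(policy, directive) {
  for (const part of policy.split(';')) {
    const [name, ...srcs] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return srcs;
  }
  return null; // no such directive: nothing to enforce in this sketch
}

// Regex-based scan (an approximation, not a full HTML parser).
// pageUrl is the document URL used to resolve relative src values.
function findBlockedScripts(html, pageUrl, policy = HOST_POLICY) {
  const srcs = sources(policy, 'script-src');
  if (srcs === null) return [];
  // Scheme sources such as "ms-appx:" or "data:" match on URL scheme alone.
  const schemes = srcs.filter(s => /^[a-z][a-z0-9+.-]*:$/i.test(s)).map(s => s.toLowerCase());
  const inlineOk = srcs.includes("'unsafe-inline'");
  const blocked = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      const url = new URL(src[1] ?? src[2] ?? src[3], pageUrl);
      if (!schemes.includes(url.protocol.toLowerCase())) {
        blocked.push({ kind: 'external', detail: url.href });
      }
    } else if (m[2].trim() !== '' && !inlineOk) {
      blocked.push({ kind: 'inline', detail: m[2].trim().slice(0, 40) });
    }
  }
  return blocked;
}
```

Calling `findBlockedScripts(SAMPLE, 'ms-appx:///default.html')` reports the inline block and the remote script, while the packaged `/js/default.js` passes because it resolves to the `ms-appx:` scheme.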

Could you solve this problem? I am developing applications and games using the Enyo infrastructure and faced the same problem. I was able to resolve it by entering the lines that I usually entered in the tag in the default.js file in this section:

    if (args.detail.previousExecutionState !== activation.ApplicationExecutionState.terminated) {
        // TODO: This application has been newly launched. Initialize your application here.
        initializemyapp();
        console.log("starting");
    } else {
        // TODO: This application was suspended and then terminated.
        // To create a smooth user experience, restore application state here so that it looks like the app never stopped running.
    }

Maybe a little late, but hope this helps.

+1