I am trying to retrieve information from a PHP script on localhost.
app.js
In the Cordova application:
    var url = 'http://localhost:8000/locations';
    $.ajax({
        url: url,
        type: 'GET',
        contentType: "application/json",
        async: true,
        // 'jsonp' makes jQuery fetch the URL through a <script> element
        dataType: 'jsonp',
        crossDomain: true,
        success: function(resp) {
            console.log(resp);
        },
        error: function(err) {}
    });
And the PHP code (using the Laravel framework):
    return Location::all()->toJson();
I get this error:
Refused to load the script 'http://localhost:8000/locations?callback=jQuery21309354114597663283_1431278135791&_=1431278135792' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Best answer
You need to add the policy to your Cordova app.
http://content-security-policy.com/
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
The second link is exactly what you need; the article is so well written that I can only quote it:
https://apis.google.com/js/plusone.js in the context of this page’s origin. We trust that code, but we can’t expect the browser to figure out on its own that code from apis.google.com is awesome, while code from apis.evil.example.com probably isn’t. The browser happily downloads and executes any code a page requests, regardless of source.
Instead of blindly trusting everything that a server delivers, CSP defines the Content-Security-Policy HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources. Even if an attacker can find a hole through which to inject script, the script won’t match the whitelist, and therefore won’t be executed.
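The check behind the error in the question, as an added example that is not part of the original post: a simplified CSP source matcher run over the policy string and URL from the error message. `SELF_ORIGIN` and `FIXED_POLICY` are constructed assumptions; the corrected policy presumes the request is made as plain JSON over XHR (governed by `connect-src`) rather than JSONP (governed by `script-src`).

```javascript
// Simplified CSP matching: scheme and origin sources only (no wildcards, paths, nonces, hashes).
const PAGE_POLICY = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'"; // from the error
const JSONP_URL = 'http://localhost:8000/locations?callback=jQuery21309354114597663283_1431278135791&_=1431278135792';
const SELF_ORIGIN = 'https://app.invalid'; // constructed placeholder for the app's own origin
// Assumed corrected policy: only XHR/fetch connections to the local API are added.
const FIXED_POLICY = PAGE_POLICY + "; connect-src 'self' http://localhost:8000";

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

// Fetch directives that are not set fall back to default-src, as the error message notes.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return { used: directive, sources: directives.get(directive) };
  if (directives.has('default-src')) return { used: 'default-src', sources: directives.get('default-src') };
  return { used: null, sources: null };
}

function matches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // keywords such as 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

function isAllowed(policy, directive, target, selfOrigin) {
  const { used, sources } = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return { allowed: true, used }; // nothing restricts this resource type
  const url = new URL(target);
  return { allowed: sources.some((s) => matches(s, url, selfOrigin)), used };
}

console.log(isAllowed(PAGE_POLICY, 'script-src', JSONP_URL, SELF_ORIGIN));
console.log(isAllowed(FIXED_POLICY, 'connect-src', 'http://localhost:8000/locations', SELF_ORIGIN));
console.log(isAllowed(FIXED_POLICY, 'script-src', JSONP_URL, SELF_ORIGIN));
```

With the corrected policy, script loads from `http://localhost:8000` stay blocked, so a script injected from that origin is still refused while the data request goes through.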
Regarding "javascript - Cordova local ajax request error", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30163284/