Skip to content Skip to sidebar Skip to footer
Home / Javascript / Win Universal App / Windows 10

How To Set Content Security Policy In Windows Universal Apps

Post a Comment
I don't even know if that's what I need, but after several days of this MSDN Forum post with no answers at all I thought I'd give a shot in SO. My problem: I have many Windows 8.1

Solution 1:

Rob has it right, by default you can't have inline script in ms-appx:/// protocol. This is the default protocol for an application and has a default CSP policy that doesn't allow inline script.

If you really wish to use inline script you can navigate to the content via ms-appx-web:/// protocol where there is no default CSP policy.

The one note is that you do not have access to some capabilities in this protocol.

The only difference I have beyond what Rob said is that you most likely want to set the Application Content URI Rule (ACUR) like this

<uap:ApplicationContentUriRules>
   <uap:Rule Type="include" Match ="ms-appx-web:///" WindowsRuntimeAccess="all"/>
</uap:ApplicationContentUriRules>

To navigate to your content you can set the StartPage in the manifest to ms-appx-web:///default.html


Solution 2:

I assume that's not your real use case, but overall it depends on the specific script whether it will work in the local or web context. See Features and restrictions by context for an overview. If you can pull the script into a local JS file instead of calling it from the head then I would recommend that rather than fiddling with the app's security contexts.

Your console.log example works if it runs from the package (as you note) or if it runs in the web context. You can force the entire app to run in the web context by changing the start page to ms-appx-web:///default.html in the manifest.

However, since the app's now in the restricted web context it won't have access to all of the Windows Runtime. You can open that up by adding the following to the Application section in your manifest:

<uap:ApplicationContentUriRules>
   <uap:Rule Type="include" Match ="ms-appx-web:///" WindowsRuntimeAccess="allowForWebOnly"/>
</uap:ApplicationContentUriRules>

You'll need to open the manifest in a code editor rather than in the manifest editor to modify this section.

For more on the error see the Edge Console error and status codes documentation


Solution 3:

Were you able to resolve this issue? I do apps and game development using the Enyo framework and encountered the same issue. I was able to resolve it by entering the lines that I normally enter on the tag on the default.js file on this section:

        if (args.detail.previousExecutionState !== activation.ApplicationExecutionState.terminated) {
            // TODO: This application has been newly launched. Initialize your application here.
            initializemyapp();
            console.log("starting");
        } else {
            // TODO: This application was suspended and then terminated.
            // To create a smooth user experience, restore application state here so that it looks like the app never stopped running.
        }

Maybe it is a little to late, but hope this helps.


You may like these posts

Post a Comment for "How To Set Content Security Policy In Windows Universal Apps"