    Phonegap with PDFjs security policy error

    sfelaco.neg Level 1

      I'm working with Adobe PhoneGap 6.3.3 and I'm trying to display a PDF in a hybrid Android app with PDFjs. In the browser the PDF is displayed; on mobile with the PhoneGap App Developer, instead, it doesn't work. In the console I have this message:


      Content Security Policy has been modified to be: <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: 'unsafe-inline' https://ssl.gstatic.com * ws:;style-src 'self' 'unsafe-inline' data: blob:;media-src *;script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;">



      I read the PDF from the internet with the following code:

        var url = 'http://www.example.com/foo.pdf';

        // pdfFile, currPageNumber and openPage are defined elsewhere in the app.
        var callGetDocument = function (response) {
          // Hand the binary response to PDF.js
          PDFJS.getDocument(response).then(function getPdfHelloWorld(_pdfDoc) {
            console.log('File caricato');
            pdfFile = _pdfDoc;
            openPage(pdfFile, currPageNumber, 1);
          });
        };

        var getBinaryData = function (url) {
          var xhr = new XMLHttpRequest();
          xhr.open('GET', url, true);
          xhr.responseType = 'arraybuffer';
          xhr.onload = function (e) {
            // binary form of ajax response
            callGetDocument(xhr.response);
          };
          xhr.onerror = function () {
            console.log("xhr error");
          };
          xhr.send();
        };

        getBinaryData(url); // call this fn on page load, after the functions above are defined


      I still insert <allow-navigation href="http://*/*" /> in config.xml. Can you help me, please?

          kerrishotts Adobe Employee

          Since you're using the Developer App, that complicates things a bit, since it isn't a perfect representation of what your app will really do when built on its own. So you might want to do that first.


          I would also:


          • Ensure that your domain is added to your CSP (content-security-policy) meta tag. If you don't have one, get one. Learn more at the whitelist docs in the next point.
          • When you build your app, ensure that the domain is added appropriately to the whitelist (<access origin=... />). Read the docs: cordova-plugin-whitelist - Apache Cordova
          • Log more useful information in your xhr.onerror method.
          • Investigate the browser's debugging console (Using Chrome for Android or Safari for iOS), which may also indicate useful information. Note: You can't do this with the PG Dev app. You'll have to build your app via the CLI or PGB, /OR/ use Weinre (but it isn't quite the same as using the browser's debugger.)

            sfelaco.neg Level 1

            Thanks kerrishotts, I created a "dummy" CSP from Content Security Policy Header Generator.

            I inserted the meta tag below in my index.xhtml (it has only narrowly improved):

            <meta http-equiv="Content-Security-Policy"
              content="default-src *; script-src 'self' 'unsafe-inline'; object-src *; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src *; frame-src *; connect-src *" />
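
A simplified check of whether a CSP lets an XHR reach a given URL, applied to the policy from the question's console message and to a tighter, constructed one. This is an added example, not code from the thread; `parseCsp`, `sourceMatches`, `checkConnect`, the `file://` origin and `TIGHT_CSP` are assumptions made for illustration.

```javascript
// Added example: simplified CSP source matching for XHR/fetch targets.
// Handles '*', 'self', scheme sources and host sources (optional scheme,
// leading "*." wildcard). Ports and paths are ignored; '*' is treated as
// "any http/https URL".
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources; // first one wins
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const scheme = url.protocol; // e.g. "http:"
  if (source === '*') return scheme === 'http:' || scheme === 'https:';
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === scheme;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const want = m[1] ? m[1].toLowerCase() + ':' : null;
  // An http: source also covers the https: upgrade, never the reverse.
  if (want && want !== scheme && !(want === 'http:' && scheme === 'https:')) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// XHR is governed by connect-src, falling back to default-src.
function checkConnect(policy, target, selfOrigin) {
  const d = parseCsp(policy);
  const directive = 'connect-src' in d ? 'connect-src' : 'default-src';
  const sources = d[directive];
  if (!sources) return { allowed: true, directive: null, broad: [] };
  const url = new URL(target);
  return {
    allowed: sources.some((s) => sourceMatches(s, url, selfOrigin)),
    directive,
    broad: sources.filter((s) => s === '*' || /^https?:$/i.test(s)),
  };
}

const SELF = 'file://'; // assumed placeholder for the app's own origin
const PDF_URL = 'http://www.example.com/foo.pdf'; // URL from the question
const DEV_APP_CSP = "default-src 'self' data: gap: 'unsafe-inline' https://ssl.gstatic.com * ws:;style-src 'self' 'unsafe-inline' data: blob:;media-src *;script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;";
const TIGHT_CSP = "default-src 'self'; connect-src 'self' https://www.example.com"; // constructed
console.log(checkConnect(DEV_APP_CSP, PDF_URL, SELF), checkConnect(TIGHT_CSP, PDF_URL, SELF));
```

Under this matcher both policies quoted in the thread permit the request through `*`, which the `broad` field reports; the constructed policy rejects the `http:` URL because it lists only the `https:` origin.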