Failed xhr.open gives BadUrl, but may be caused by security restrictions

[StefanLiebig]

I wrote a little Elm (0.18.0) app that plays with the giphy.com api. It works within the browser. But while moving it to cordova (android) I received the message "badUrl: ..." for a good url.
I inserted in https://github.com/elm-lang/http/blob/master/src/Native/Http.js at
try { xhr.open(request.method, request.url, true); } catch (e) { return callback(_elm_lang$core$Native_Scheduler.fail({ ctor: 'BadUrl', _0: request.url })); }
an alert( e );
This unveiled the real cause. In my case it was a problem with the "Content Security Police".

I think "badUrl" is too generic and can be misleading. Is there any good way to incorporate the "real" cause?

[process-bot]

Thanks for the issue! Make sure it satisfies this checklist. My human colleagues will appreciate it!

Here is what to expect next, and if anyone wants to comment, keep these things in mind.

[evancz]

Can you say more about exactly what the error you saw was? To capture it and state it explicitly, I must be able to reproduce it.

[StefanLiebig]

Yes, the alert shows:

It is a screen shot from the android emulator. It also occurs on the device.

For reproducing it you have to install cordova (https://cordova.apache.org/#getstarted) and add the android platform.
Then I tweaked the example app (https://cordova.apache.org/docs/en/latest/guide/cli/index.html) such that the example www/js/index.js embeds the JavaScript code of my Elm app.
The content security policy element within the index.html is
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
I hope this helps.