The default security policy is restrictive for a common case

[vjrantal]

Steps to reproduce:

$ manifoldjs http://www.microsoft.com -p ios
$ cd WwwMicrosoftCom/cordova/
$ cordova run ios

The end result looks something like below:

This happens, because the cross-origin resource access to download CSS files (and other resources) is blocked, which is caused by ManifoldCordova removing the "full access" rules that are created by cordova create by default (see https://github.com/manifoldjs/ManifoldCordova/blob/8e5b457c1e16cfc9c56308c5d1f26e340f48ae62/scripts/updateConfigurationBeforePrepare.js#L139).

The best default security policy would be such that it is as close as possible to the security policy enforced in modern Web browsers and honors related standards like CORS and CSP.