cordova-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mmo...@apache.org
Subject cordova-plugins git commit: Update whitelist plugin readme
Date Wed, 04 Mar 2015 17:25:27 GMT
Repository: cordova-plugins
Updated Branches:
  refs/heads/master e960919bc -> 03de74861


Update whitelist plugin readme


Project: http://git-wip-us.apache.org/repos/asf/cordova-plugins/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugins/commit/03de7486
Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugins/tree/03de7486
Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugins/diff/03de7486

Branch: refs/heads/master
Commit: 03de74861052bafb59634674a7c88e29ad532ed6
Parents: e960919
Author: Michal Mocny <mmocny@gmail.com>
Authored: Wed Mar 4 12:25:19 2015 -0500
Committer: Michal Mocny <mmocny@gmail.com>
Committed: Wed Mar 4 12:25:19 2015 -0500

----------------------------------------------------------------------
 url-policy/README.md | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/03de7486/url-policy/README.md
----------------------------------------------------------------------
diff --git a/url-policy/README.md b/url-policy/README.md
index 5856a15..2a2759b 100644
--- a/url-policy/README.md
+++ b/url-policy/README.md
@@ -63,11 +63,9 @@ In `config.xml`, add `<allow-intent>` tags, like this:
     <allow-intent href="*" />
 
 ## Network Request Whitelist
-Controls which network requests (images, XHRs, etc) are allowed to be made.
+Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native
hooks).
 
-Note: Please use a Content Security Policy (see below) instead (or also), since it is more
secure.  This whitelist is mostly historical for webviews which do not support CSP.
-
-By default, only requests to `file://` URLs are allowed.
+Note: We suggest you use a Content Security Policy (see below), which is more secure.  This
whitelist is mostly historical for webviews which do not support CSP.
 
 In `config.xml`, add `<access>` tags, like this:
 
@@ -87,13 +85,14 @@ In `config.xml`, add `<access>` tags, like this:
     <!-- Don't block any requests -->
     <access origin="*" />
 
+Without any `<access>` tags, only requests to `file://` URLs are allowed. However,
the default cordova application should include `<access origin="*">` by default.
+
 ### Content Security Policy
-On Android and iOS, the network whitelist is not able to filter all types of requests (e.g.
-`<video>` & WebSockets are not blocked). So, in addition to the whitelist,
-you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>`
tag
-on all of your pages.
+Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
+
+On Android and iOS, the network request whitelist (see above) is not able to filter all types
of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the
whitelist, you should use a [Content Security Policy](http://content-security-policy.com/)
`<meta>` tag on all of your pages.
 
-On Android, support for CSP within the system webview starts with KitKat.
+On Android, support for CSP within the system webview starts with KitKat (but is available
on all versions using Crosswalk WebView).
 
 Here are some example CSP declarations for your `.html` pages:
 


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org


Mime
View raw message