cordova-commits mailing list archives

From agri...@apache.org
Subject cordova-app-hello-world git commit: Add unsafe-eval to default CSP since many frameworks run faster with it on
Date Fri, 13 Mar 2015 16:51:43 GMT
Repository: cordova-app-hello-world
Updated Branches:
  refs/heads/master 15cefa232 -> 5a7b7ae59


Add unsafe-eval to default CSP since many frameworks run faster with it on


Project: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/commit/5a7b7ae5
Tree: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/tree/5a7b7ae5
Diff: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/diff/5a7b7ae5

Branch: refs/heads/master
Commit: 5a7b7ae597a3a33916b3afdbd9b69cc60a8a00e2
Parents: 15cefa2
Author: Andrew Grieve <agrieve@chromium.org>
Authored: Fri Mar 13 12:51:13 2015 -0400
Committer: Andrew Grieve <agrieve@chromium.org>
Committed: Fri Mar 13 12:51:40 2015 -0400

----------------------------------------------------------------------
 www/index.html | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/blob/5a7b7ae5/www/index.html
----------------------------------------------------------------------
diff --git a/www/index.html b/www/index.html
index 10dbeb6..646f9cb 100644
--- a/www/index.html
+++ b/www/index.html
@@ -25,11 +25,10 @@
         Some notes:
             * gap: is required only on iOS (when using UIWebView) and is needed for JS->native
communication
             * https://ssl.gstatic.com is required only on Android and is needed for TalkBack
to function properly
-            * Disables use of eval() and inline scripts in order to mitigate risk of XSS
vulnerabilities. To change this:
+            * Disables use of inline scripts in order to mitigate risk of XSS vulnerabilities.
To change this:
                 * Enable inline JS: add 'unsafe-inline' to default-src
-                * Enable eval(): add 'unsafe-eval' to default-src
         -->
-        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:
https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
+        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:
https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
         <meta name="format-detection" content="telephone=no">
         <meta name="msapplication-tap-highlight" content="no">
         <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1,
minimum-scale=1, width=device-width">
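
Review bot: The rewritten note in the comment block no longer mentions eval() at all, so a developer reading the template cannot tell that the policy now permits it or how to turn it back off. With 'unsafe-eval' in default-src, any string that reaches eval() or an equivalent string-to-code sink executes, which weakens the XSS mitigation the remaining bullet still claims. Suggest adding a bullet such as "* Enables eval() because many frameworks run faster with it. To disable: remove 'unsafe-eval' from default-src", so the trade-off stated in the commit message is also recorded in the file that app authors copy. It would also read more clearly to group 'unsafe-eval' with the other keyword source 'self' rather than appending it after https://ssl.gstatic.com.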


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org

