; Tue, 3 Mar 2015 06:53:29 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: svn commit: r1663531 [2/12] - in /cordova/site: ./ public/ public/announcements/2013/11/15/ public/announcements/2013/11/22/ public/announcements/2013/12/16/ public/announcements/2014/02/20/ public/announcements/2014/05/23/ public/announcements/2014/08... Date: Tue, 03 Mar 2015 06:53:28 -0000 To: commits@cordova.apache.org From: steven@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20150303065329.B5426AC03BB@hades.apache.org> Modified: cordova/site/public/announcements/2014/05/23/cordova-350.html URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/05/23/cordova-350.html?rev=1663531&r1=1663530&r2=1663531&view=diff ============================================================================== --- cordova/site/public/announcements/2014/05/23/cordova-350.html (original) +++ cordova/site/public/announcements/2014/05/23/cordova-350.html Tue Mar 3 06:53:27 2015 @@ -69,288 +69,485 @@

Posted by: Steve Gill

23 May 2014

We are happy to announce that Apache Cordova 3.5 has been released!

+ +

We are happy to announce that Apache Cordova 3.5 has been released!

Most notable changes include:

Common code between cordova-cli & cordova-plugman has been moved into its own repo named cordova-lib.
Each platform now has a package.json file and has been uploaded to npm. Future updates to the cordova-cli will make use of npm instead of git for loading platforms.
CB-4863 - Drop iOS 5.0 support, and support arm64. New projects are built as a universal binary (64 and 32-bit), and require a minimum deployment target of iOS 6.0.
This is the last release with support for WP7
Added Chrome devtools support for debug builds for amazon-fireos
Common code between cordova-cli & cordova-plugman has been moved into its own repo named cordova-lib.
Each platform now has a package.json file and has been uploaded to npm. Future updates to the cordova-cli will make use of npm instead of git for loading platforms.
CB-4863 - Drop iOS 5.0 support, and support arm64. New projects are built as a universal binary (64 and 32-bit), and require a minimum deployment target of iOS 6.0.
This is the last release with support for WP7
Added Chrome devtools support for debug builds for amazon-fireos

To upgrade: (replace android with the platform you want to update):

npm install -g cordova
 cd my_project
-cordova platform update android
-

+cordova platform update android

For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.

Other changes include: -

Other changes include:

+ +

Whatâs new in Android

+ +

CB-6552 added top level package.json
CB-6491 add CONTRIBUTING.md
CB-6543 Fix cordova/run failure when no custom_rules.xml available
defaults.xml: Add AndroidLaunchMode preference
Add JavaDoc for CordovaResourceApi
CB-6388 Handle binary data correctly in LOAD_URL bridge
CB-6048 Set launchMode=singleTop so tapping app icon does not always restart app
Remove incorrect usage of AlertDialog.Builder.create
Catch uncaught exceptions in from plugins and turn them into error responses.
CB-6047 Fix online sometimes getting in a bad state on page transitions.
Add another convenience overload for CordovaResourceApi.copyResource
Update frameworkâs .classpath to what Eclipse wants it to be.
README.md: android update to android-19.
Fix NPE when POLLING bridge mode is used.
Updating NOTICE to include Square for OkHttp
CB-5398 Apply KitKat content URI fix to all content URIs
CB-5398 Work-around for KitKat content: URLs not rendering in <img> tags
CB-5908 add splashscreen images to template
CB-5395 Make scheme and host (but not path) case-insensitive in whitelist
Ignore multiple onPageFinished() callbacks & onReceivedError due to stopLoading()
Removing addJavascriptInterface support from all Android versions lower than 4.2 due to security vulnerability
CB-4984 Donât create on CordovaActivity name
CB-5917 Add a loadUrlIntoView overload that doesnât recreate plugins.
Use thread pool for load timeout.
CB-5715 For CLI, hide assets/www and res/xml/config.xml by default
CB-5793 ant builds: Rename AndroidManifest during -post-build to avoid Eclipse detecting ant-build/
CB-5889 Make update script find project name instead of using null for CordovaLib
CB-5889 Add a message in the update script about needing to import CordovaLib when using an IDE.

+ +

Whatâs new in iOS

+ +

CB-6638 - Convert CordovaLibTests to XCTests
CB-6579 - CDVWebViewDelegateTests are failing
CB-6580 - CDVWhitelistTests are failing
CB-6578 - Fix CordovaLibTests not building
CB-6553 added top-level package.json file
CB-6491 add CONTRIBUTING.md
CB-6500 - Cordova requires arm64 architecture.
CB-6383 Fix copy-www-build-step.sh when user has macports installed
CB-6327 Allow â.â in plugin feature names (and therefore callback ids)
CB-6287 - Add build script support for arm64
CB-6340 - Adding rebroadcast capabilities to remote notification registration within AppDelegate (closes #94)
CB-6217 iOS simulator targets not consistent across scripts
CB-5286 - Fix warnings when compiled under arm64
CB-4863 - Drop iOS 5.0 support, and support arm64. New projects are built as a universal binary (64 and 32-bit), and require a minimum deployment target of iOS 6.0.
CB-6149 - AppDelegate uses deprecated handleOpenURL
CB-6150 - objc_msgSend causes EXC_BAD_ACCESS with plugins on arm64
CB-5018 - bin/create on iOS should use --arc by default
CB-5943 - Update/remove obsolete items in cordova-ios repo
CB-5395 Make scheme and host (but not path) case-insensitive in whitelist
CB-5991 Fix whitelist path matching for trailing slashes
CB-5967 Fix isTopLevelNavigation not being set correctly in rare cases.
Validate that callback IDs are always well-formed
Removed obsolete .gitmodules
Update Xcode .pbxproj files according to Xcode 5.1 recommendations
Added NSLog notification for beginning backup to iCloud (closes #96)

+ +

Whatâs new in Windows Phone 7 & 8

+ +

Update release-notes, and state that WP7 support is about to disappear
CB-6558 added package.json file for WP8
CB-6491 add CONTRIBUTING.md
CB-6450 added support for local XHR.responseXML getter
CB-6341 donât rely on msbuild being in the path.
applied Sergeyâs SpecificVersion flag fix to the WP7 template also CB-6103
CB-6103 WP8 CordovaDeploy potential build issue
applied CB-6268 backgroundcolor to WP7 also
CB-6268 WP8. Apply BackgroundColor from config.xml
CB-5965 support set responseType, get response
CB-6299 Strip protocol and leading slashes from XHRLOCAL URL
CB-6091 Windows Build fails if application path contains whitespace
CB-6041 createTemplates should install them for VS-2013 as well
CB-5219 weinre disconnects when history.replaceState is used
CB-5951 Added namespace to config.xml
Removed WP7 template ref to non-existent file

+ +

Whatâs new in Windows 8

+ +

CB-6684 [3.5.0rc]Windows8 Splash screen setting breaks the build
CB-6686 [3.5.0rc]Windows8 Build error if path contains whitespace
CB-6557 added package.json to Windows8
CB-6491 add CONTRIBUTING.md
CB-6309 Windows8. Add Splash Screen img support via config.xml preference, CB-6544 SplashScreenBack
Fix for when background-color and/or content-src arenât specified in config.xml
Background color now applied to Windows8 project config during build process.
Fix build/deploy errors when path to project contains spaces
CB-6435 ./VERSION & /template/VERSION updated
Modify execution policy restrictions removal logic. Using PS native cmdlet to remove restrictions.
CB-6397 Windows8 Use the latest version of MSBuild Tools installed to build the app
CB-6256 CB-6266 Add support for domain whitelist and start page settings to Windows8
CB-2970 CB-2953 log unsupported methods and exit with code 1
CB-2978 list-devices not supported on Windows 8
CB-6091 Windows Build fails if application path contains whitespace
CB-6083 Windows8 Use registry to read msbuild tools path
CB-6042 Windows8 Cordova emulate fails if no developer certificate is installed
CB-5951 Added namespace to config.xml
Remove template file after create by name
CB-4533 return error code 2 on fail, CB-5359 get tools version from the registry

+ +

Whatâs new in BlackBerry 10

+ +

CB-6554 updated package.json
CB-6491 add CONTRIBUTING.md
CB-6522 Disallow space in target name
CB-6440 Move config logic to its own module
CB-6398 Support additional commands in blackberry10.json
CB-6440 Switch to grunt as task runner
CB-6440 chmod -x *.bat
CB-6440 Remove scripts/lib dir
CB-6440 Move utils.js from bin to template
CB-6440 Remove +x from .bat files
CB-6440 create - use shelljs rather than custom copy function
CB-6440 Move create.js to lib

Whatâs new in Android

CB-6440 Remove check_reqs.js
CB-6440 Move signing-utils out of bin
CB-6416 Ensure target dictionary exists in properties object
CB-6410 Allow deployment when debug token cannot be generated
CB-6409 Allow detection of devices which have not yet set password
CB-6346 Remove npm warning from README.md
CB-6376 backgroundColor in user.js is missing quotes
CB-6346 - Add node_modules to source control
CB-6326 Fix inconsistency between manually added vs auto-detected emulators
CB-6326 (cordova-blackberry) target-utils.js
CB-6303 Remove titles from non-content web views
CB-6303 Add aria-hidden="true" to controller webview body
CB-6241 Default to prompting for passwords (replace --query with --no-query)
CB-6222 Various updates for the BlackBerry 10 documentation
CB-6058 - Options file removed from output bar. Now in build directory
CB-6021 Add --release to run command
CB-5723 Build script should accept -l param as it does --loglevel
CB-6019 Supply default value of --device to the run script
CB-5660 use enabledelayedexpansion to handle )s in path
CB-5909 Fixed issue where check-reqs skipped checking logic on second pass-through

+ +

Whatâs new in Firefox OS

+ +

CB-5816 Firefox OS - add build script
Remove unused elements from defaults.xml
CB-6555 updated top level package.json file
CB-6491 add CONTRIBUTING.md
CB-5416 Need to auto generate manifest.webapp with appropriate plugin permissions

+ +

Whatâs new in Ubuntu (touch)

+ +

allow inter plugin communication
add .editorconfig
check requirements before build
bin/build: fixes for --nobuild
bin/build: specify framework instead of series for click chroot
bin/build: switch to async shelljs.exec
CB-6559 added top level package.json
CB-6491 add CONTRIBUTING.md

+ +

Whatâs new in Amazon FireOS

CB-6552 added top level package.json
CB-6491 add CONTRIBUTING.md
CB-6543 Fix cordova/run failure when no custom_rules.xml available
defaults.xml: Add AndroidLaunchMode preference
Add JavaDoc for CordovaResourceApi
CB-6388 Handle binary data correctly in LOAD_URL bridge
CB-6048 Set launchMode=singleTop so tapping app icon does not always restart app
Remove incorrect usage of AlertDialog.Builder.create
Catch uncaught exceptions in from plugins and turn them into error responses.
CB-6047 Fix online sometimes getting in a bad state on page transitions.
Add another convenience overload for CordovaResourceApi.copyResource
Update frameworkâs .classpath to what Eclipse wants it to be.
README.md: android update to android-19.
Fix NPE when POLLING bridge mode is used.
Updating NOTICE to include Square for OkHttp
CB-5398 Apply KitKat content URI fix to all content URIs
CB-5398 Work-around for KitKat content: URLs not rendering in <img> tags
CB-5908 add splashscreen images to template
CB-5395 Make scheme and host (but not path) case-insensitive in whitelist
Ignore multiple onPageFinished() callbacks & onReceivedError due to stopLoading()
Removing addJavascriptInterface support from all Android versions lower than 4.2 due to security vulnerability
CB-4984 Donât create on CordovaActivity name
CB-5917 Add a loadUrlIntoView overload that doesnât recreate plugins.
Use thread pool for load timeout.
CB-5715 For CLI, hide assets/www and res/xml/config.xml by default
CB-5793 ant builds: Rename AndroidManifest during -post-build to avoid Eclipse detecting ant-build/
CB-5889 Make update script find project name instead of using null for CordovaLib
CB-5889 Add a message in the update script about needing to import CordovaLib when using an IDE.

- -

Whatâs new in iOS

- -

CB-6638 - Convert CordovaLibTests to XCTests
CB-6579 - CDVWebViewDelegateTests are failing
CB-6580 - CDVWhitelistTests are failing
CB-6578 - Fix CordovaLibTests not building
CB-6553 added top-level package.json file
CB-6491 add CONTRIBUTING.md
CB-6500 - Cordova requires arm64 architecture.
CB-6383 Fix copy-www-build-step.sh when user has macports installed
CB-6327 Allow â.â in plugin feature names (and therefore callback ids)
CB-6287 - Add build script support for arm64
CB-6340 - Adding rebroadcast capabilities to remote notification registration within AppDelegate (closes #94)
CB-6217 iOS simulator targets not consistent across scripts
CB-5286 - Fix warnings when compiled under arm64
CB-4863 - Drop iOS 5.0 support, and support arm64. New projects are built as a universal binary (64 and 32-bit), and require a minimum deployment target of iOS 6.0.
CB-6149 - AppDelegate uses deprecated handleOpenURL
CB-6150 - objc_msgSend causes EXC_BAD_ACCESS with plugins on arm64
CB-5018 - bin/create on iOS should use --arc by default
CB-5943 - Update/remove obsolete items in cordova-ios repo
CB-5395 Make scheme and host (but not path) case-insensitive in whitelist
CB-5991 Fix whitelist path matching for trailing slashes
CB-5967 Fix isTopLevelNavigation not being set correctly in rare cases.
Validate that callback IDs are always well-formed
Removed obsolete .gitmodules
Update Xcode .pbxproj files according to Xcode 5.1 recommendations
Added NSLog notification for beginning backup to iCloud (closes #96)

- -

Whatâs new in Windows Phone 7 & 8

- -

Update release-notes, and state that WP7 support is about to disappear
CB-6558 added package.json file for WP8
CB-6491 add CONTRIBUTING.md
CB-6450 added support for local XHR.responseXML getter
CB-6341 donât rely on msbuild being in the path.
applied Sergeyâs SpecificVersion flag fix to the WP7 template also CB-6103
CB-6103 WP8 CordovaDeploy potential build issue
applied CB-6268 backgroundcolor to WP7 also
CB-6268 WP8. Apply BackgroundColor from config.xml
CB-5965 support set responseType, get response
CB-6299 Strip protocol and leading slashes from XHRLOCAL URL
CB-6091 Windows Build fails if application path contains whitespace
CB-6041 createTemplates should install them for VS-2013 as well
CB-5219 weinre disconnects when history.replaceState is used
CB-5951 Added namespace to config.xml
Removed WP7 template ref to non-existent file

- -

Whatâs new in Windows 8

- -

CB-6684 [3.5.0rc]Windows8 Splash screen setting breaks the build
CB-6686 [3.5.0rc]Windows8 Build error if path contains whitespace
CB-6557 added package.json to Windows8
CB-6491 add CONTRIBUTING.md
CB-6309 Windows8. Add Splash Screen img support via config.xml preference, CB-6544 SplashScreenBack
Fix for when background-color and/or content-src arenât specified in config.xml
Background color now applied to Windows8 project config during build process.
Fix build/deploy errors when path to project contains spaces
CB-6435 ./VERSION & /template/VERSION updated
Modify execution policy restrictions removal logic. Using PS native cmdlet to remove restrictions.
CB-6397 Windows8 Use the latest version of MSBuild Tools installed to build the app
CB-6256 CB-6266 Add support for domain whitelist and start page settings to Windows8
CB-2970 CB-2953 log unsupported methods and exit with code 1
CB-2978 list-devices not supported on Windows 8
CB-6091 Windows Build fails if application path contains whitespace
CB-6083 Windows8 Use registry to read msbuild tools path
CB-6042 Windows8 Cordova emulate fails if no developer certificate is installed
CB-5951 Added namespace to config.xml
Remove template file after create by name
CB-4533 return error code 2 on fail, CB-5359 get tools version from the registry

- -

Whatâs new in BlackBerry 10

- -

CB-6554 updated package.json
CB-6491 add CONTRIBUTING.md
CB-6522 Disallow space in target name
CB-6440 Move config logic to its own module
CB-6398 Support additional commands in blackberry10.json
CB-6440 Switch to grunt as task runner
CB-6440 chmod -x *.bat
CB-6440 Remove scripts/lib dir
CB-6440 Move utils.js from bin to template
CB-6440 Remove +x from .bat files
CB-6440 create - use shelljs rather than custom copy function
CB-6440 Move create.js to lib
CB-6440 Remove check_reqs.js
CB-6440 Move signing-utils out of bin
CB-6416 Ensure target dictionary exists in properties object
CB-6410 Allow deployment when debug token cannot be generated
CB-6409 Allow detection of devices which have not yet set password
CB-6346 Remove npm warning from README.md
CB-6376 backgroundColor in user.js is missing quotes
CB-6346 - Add node_modules to source control
CB-6326 Fix inconsistency between manually added vs auto-detected emulators
CB-6326 (cordova-blackberry) target-utils.js
CB-6303 Remove titles from non-content web views
CB-6303 Add aria-hidden="true" to controller webview body
CB-6241 Default to prompting for passwords (replace --query with --no-query)
CB-6222 Various updates for the BlackBerry 10 documentation
CB-6058 - Options file removed from output bar. Now in build directory
CB-6021 Add --release to run command
CB-5723 Build script should accept -l param as it does --loglevel
CB-6019 Supply default value of --device to the run script
CB-5660 use enabledelayedexpansion to handle )s in path
CB-5909 Fixed issue where check-reqs skipped checking logic on second pass-through

- -

Whatâs new in Firefox OS

- -

CB-5816 Firefox OS - add build script
Remove unused elements from defaults.xml
CB-6555 updated top level package.json file
CB-6491 add CONTRIBUTING.md
CB-5416 Need to auto generate manifest.webapp with appropriate plugin permissions

- -

Whatâs new in Ubuntu (touch)

- -

allow inter plugin communication
add .editorconfig
check requirements before build
bin/build: fixes for --nobuild
bin/build: specify framework instead of series for click chroot
bin/build: switch to async shelljs.exec
CB-6559 added top level package.json
CB-6491 add CONTRIBUTING.md

- -

Whatâs new in Amazon FireOS

- -

CB-6644 Add a check for webview being null in template code. Added a check and some comments to guide devs.
CB-6487 Fixed WebView not found in Chrome remote debugging
CB-6636 Need to destroy webview properly. Added destroy() call in webviewâs handleDestroy() method.
CB-6491 add CONTRIBUTING.md
CB-6543 Fix cordova/run failure when no custom_rules.xml available
defaults.xml: Add AndroidLaunchMode preference
Add JavaDoc for CordovaResourceApi
Updated log statement - android=>amazon-fireos.
Added Amazon xmlns to projectâs template AndroidManifest.xml.
CB-6392 Adding amazon-fireos platform fails with not so good error reporting
CB-6556 added top level package.json file
Adding a safety check to prevent applications from calling init twice Changes to address thread safety concerns in Cordova plugin management
CB-6388 Handle binary data correctly in LOAD_URL bridge
CB-6048 Set launchMode=singleTop so tapping app icon does not always restart app
Fixing back button issue by utilizing onBackPressed instead of onKeyUp
CB-5744 Unable to build Hello World application for Kindle Fire HDX tablet using Cordova 3.3.0
Added overloaded constructor for CordovaWebView with Bundle as parameter.
Catch uncaught exceptions in from plugins and turn them into error responses.
CB-6047 Fix online sometimes getting in a bad state on page transitions.
Add another convenience overload for CordovaResourceApi.copyResource
Update frameworkâs .classpath to what Eclipse wants it to be.
Updated Android target to android-19.
README.md: android update to android-19.
Fix NPE when POLLING bridge mode is used.
Updating NOTICE to include Square for OkHttp

- -

Whatâs new in Cordova-CLI

- -

CB-5941 Update link to hooks-README.md file from README.md
Fix cordova help command
Fixing failing CLI tests by removing âexperimentalâ key
CB-6649 Removing experimental flag from positional arguments
CB-6648 Adding a flag for experimental features
Fix require paths to use cordova-lib
Update package.json to use cordova-lib
Split out cordova-lib: move cordova-cli files
Windows8 re-added BOM : CB-5421 Add BOM to all html, js, css files to ensure app can pass Windows Store Certification
CB-6491 add CONTRIBUTING.md
android-parser: Add AndroidLaunchMode preference
Fix CLI tests to work with node v0.11
Update version of jasmine-node. Fixes test warnings util.print with node 0.11
CB-2606 Android icon - do not attempt copy to undefined path
CB-2606 Icons support for iOS, Android, BB10, WP8, Win8, FxOS
CB-6329 Delete unused info-utils.js
CB-6329 improve cordova info command
CB-5847 strictSSL is no longer ignored
CB-6432 pre_package hook does not populate %CORDOVA_PLATFORMS%
Revert âCB-6267 Windows8. Apply BackgroundColor from config.xmlâ
Recreate âplatformsâ dir if it was deleted.
CB-5093 Add versionCode and CFBundleVersion during prepare
CB-6312 Use landscape instead of userLandscape in AndroidManifest.xml
CB-6421 Move tests from e2e to spec - cli test
CB-6377 superspawn: always wrap non .exe with spaces to cmd with /s /c

- -

Whatâs new in Cordova-Plugman

- -

Update plugman cli to use cordova-lib
Split out cordova-lib: move cordova-plugman files

- -

Plugin versions tested with this release

- -

cordova-plugin-battery-status: 0.2.8
cordova-plugin-camera: 0.2.9
cordova-plugin-console: 0.2.8
cordova-plugin-contacts: 0.2.10
cordova-plugin-device: 0.2.9
cordova-plugin-device-motion: 0.2.7
cordova-plugin-device-orientation: 0.3.6
cordova-plugin-dialogs: 0.2.6
cordova-plugin-file: 1.1.0
cordova-plugin-file-transfer: 0.4.3
cordova-plugin-geolocation: 0.3.7
cordova-plugin-globalization: 0.2.7
cordova-plugin-inappbrowser: 0.4.0
cordova-plugin-media: 0.2.10
cordova-plugin-media-capture: 0.3.0
cordova-plugin-network-information: 0.2.8
cordova-plugin-splashscreen: 0.3.0
cordova-plugin-statusbar: 0.1.3
cordova-plugin-vibration: 0.3.8
CB-6644 Add a check for webview being null in template code. Added a check and some comments to guide devs.
CB-6487 Fixed WebView not found in Chrome remote debugging
CB-6636 Need to destroy webview properly. Added destroy() call in webviewâs handleDestroy() method.
CB-6491 add CONTRIBUTING.md
CB-6543 Fix cordova/run failure when no custom_rules.xml available
defaults.xml: Add AndroidLaunchMode preference
Add JavaDoc for CordovaResourceApi
Updated log statement - android=>amazon-fireos.
Added Amazon xmlns to projectâs template AndroidManifest.xml.
CB-6392 Adding amazon-fireos platform fails with not so good error reporting
CB-6556 added top level package.json file
Adding a safety check to prevent applications from calling init twice Changes to address thread safety concerns in Cordova plugin management
CB-6388 Handle binary data correctly in LOAD_URL bridge
CB-6048 Set launchMode=singleTop so tapping app icon does not always restart app
Fixing back button issue by utilizing onBackPressed instead of onKeyUp
CB-5744 Unable to build Hello World application for Kindle Fire HDX tablet using Cordova 3.3.0
Added overloaded constructor for CordovaWebView with Bundle as parameter.
Catch uncaught exceptions in from plugins and turn them into error responses.
CB-6047 Fix online sometimes getting in a bad state on page transitions.
Add another convenience overload for CordovaResourceApi.copyResource
Update frameworkâs .classpath to what Eclipse wants it to be.
Updated Android target to android-19.
README.md: android update to android-19.
Fix NPE when POLLING bridge mode is used.
Updating NOTICE to include Square for OkHttp

+ +

Whatâs new in Cordova-CLI

+ +

CB-5941 Update link to hooks-README.md file from README.md
Fix cordova help command
Fixing failing CLI tests by removing âexperimentalâ key
CB-6649 Removing experimental flag from positional arguments
CB-6648 Adding a flag for experimental features
Fix require paths to use cordova-lib
Update package.json to use cordova-lib
Split out cordova-lib: move cordova-cli files
Windows8 re-added BOM : CB-5421 Add BOM to all html, js, css files to ensure app can pass Windows Store Certification
CB-6491 add CONTRIBUTING.md
android-parser: Add AndroidLaunchMode preference
Fix CLI tests to work with node v0.11
Update version of jasmine-node. Fixes test warnings util.print with node 0.11
CB-2606 Android icon - do not attempt copy to undefined path
CB-2606 Icons support for iOS, Android, BB10, WP8, Win8, FxOS
CB-6329 Delete unused info-utils.js
CB-6329 improve cordova info command
CB-5847 strictSSL is no longer ignored
CB-6432 pre_package hook does not populate %CORDOVA_PLATFORMS%
Revert âCB-6267 Windows8. Apply BackgroundColor from config.xmlâ
Recreate âplatformsâ dir if it was deleted.
CB-5093 Add versionCode and CFBundleVersion during prepare
CB-6312 Use landscape instead of userLandscape in AndroidManifest.xml
CB-6421 Move tests from e2e to spec - cli test
CB-6377 superspawn: always wrap non .exe with spaces to cmd with /s /c

+ +

Whatâs new in Cordova-Plugman

+ +

Update plugman cli to use cordova-lib
Split out cordova-lib: move cordova-plugman files

+ +

Plugin versions tested with this release

+ +

cordova-plugin-battery-status: 0.2.8
cordova-plugin-camera: 0.2.9
cordova-plugin-console: 0.2.8
cordova-plugin-contacts: 0.2.10
cordova-plugin-device: 0.2.9
cordova-plugin-device-motion: 0.2.7
cordova-plugin-device-orientation: 0.3.6
cordova-plugin-dialogs: 0.2.6
cordova-plugin-file: 1.1.0
cordova-plugin-file-transfer: 0.4.3
cordova-plugin-geolocation: 0.3.7
cordova-plugin-globalization: 0.2.7
cordova-plugin-inappbrowser: 0.4.0
cordova-plugin-media: 0.2.10
cordova-plugin-media-capture: 0.3.0
cordova-plugin-network-information: 0.2.8
cordova-plugin-splashscreen: 0.3.0
cordova-plugin-statusbar: 0.1.3
cordova-plugin-vibration: 0.3.8

Modified: cordova/site/public/announcements/2014/08/04/android-351.html URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/04/android-351.html?rev=1663531&r1=1663530&r2=1663531&view=diff ============================================================================== --- cordova/site/public/announcements/2014/08/04/android-351.html (original) +++ cordova/site/public/announcements/2014/08/04/android-351.html Tue Mar 3 06:53:27 2015 @@ -69,166 +69,88 @@

Posted by: Marcel Kinard

04 Aug 2014

Updated: 2014-08-06 -(The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)

+ +

Updated: 2014-08-06 (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)

Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:

cordova platform add android@3.5.1 --usenpm
-

cordova platform add android@3.5.1 --usenpm

The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.

For your convenience, the text of these CVEs is included here.

- - - -

- +

CVE-2014-3500: Cordova cross-application scripting via Android intent URLs

Severity: High

Vendor: -The Apache Software Foundation

Vendor: The Apache Software Foundation

Versions Affected: -Cordova Android versions up to 3.5.0

Versions Affected: Cordova Android versions up to 3.5.0

Description: -Android applications built with the Cordova framework can be launched through -a special intent URL. A specially-crafted URL could cause the Cordova-based -application to start up with a different start page than the developer -intended, including other HTML content stored on the Android device. This has -been the case in all released versions of Cordova up to 3.5.0, and has been -fixed in the latest release (3.5.1). We recommend affected projects update -their applications to the latest release.

- -

Upgrade path: -Developers who are concerned about this should rebuild their applications with -Cordova Android 3.5.1.

Description: Android applications built with the Cordova framework can be launched through a special intent URL. A specially-crafted URL could cause the Cordova-based application to start up with a different start page than the developer intended, including other HTML content stored on the Android device. This has been the case in all released versions of Cordova up to 3.5.0, and has been fixed in the latest release (3.5.1). We recommend affected projects update their applications to the latest release.

Credit: -This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs

Severity: Medium

Vendor: -The Apache Software Foundation

Vendor: The Apache Software Foundation

Versions Affected: -All released Cordova Android versions

Versions Affected: All released Cordova Android versions

Description: -Android applications built with the Cordova framework use a WebView component -to display content. Cordova applications can specify a whitelist of URLs which -the application will be allowed to display, or to communicate with via -XMLHttpRequest. This whitelist, however, is not used by the WebView component -when it is directed via JavaScript to communicate over non-http channels.

- -

Specifically, it can be possible to open a WebSocket connection from the -application JavaScript which will connect to any reachable server on the -Internet. If an attacker is able to execute arbitrary JavaScript within the -application, then that attacker can cause a connection to be opened to any -server, bypassing the HTTP whitelist.

- -

This is a limitation of the hybrid app architecture on Android in general, and -not specific to Apache Cordova.

- -

It is possible to mitigate this attack vector by adding a CSP meta tag to all -HTML pages in the application, to allow connections only to trusted sources. -App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk -of XAS attacks against their applications, which could then use this mechanism -to reach unintended servers. See CVE-2014-3500 for more information on a -possible XAS vulnerability.

- -

Upgrade path: -Developers who are concerned about this should rebuild their applications with -Cordova Android 3.5.1, and consider adding CSP meta tags to their application -HTML.

Description: Android applications built with the Cordova framework use a WebView component to display content. Cordova applications can specify a whitelist of URLs which the application will be allowed to display, or to communicate with via XMLHttpRequest. This whitelist, however, is not used by the WebView component when it is directed via JavaScript to communicate over non-http channels.

Credit: -This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Specifically, it can be possible to open a WebSocket connection from the application JavaScript which will connect to any reachable server on the Internet. If an attacker is able to execute arbitrary JavaScript within the application, then that attacker can cause a connection to be opened to any server, bypassing the HTTP whitelist.

This is a limitation of the hybrid app architecture on Android in general, and not specific to Apache Cordova.

+ +

It is possible to mitigate this attack vector by adding a CSP meta tag to all HTML pages in the application, to allow connections only to trusted sources. App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk of XAS attacks against their applications, which could then use this mechanism to reach unintended servers. See CVE-2014-3500 for more information on a possible XAS vulnerability.

CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL -loading

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1, and consider adding CSP meta tags to their application HTML.

+ +

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading

Severity: Medium

Vendor: -The Apache Software Foundation

Vendor: The Apache Software Foundation

+ +

Versions Affected: Cordova Android versions up to 3.5.0

+ +

Description: Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network.

Versions Affected: -Cordova Android versions up to 3.5.0

The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.

Description: -Android applications built with the Cordova framework can launch other -applications through the use of anchor tags, or by redirecting the webview to -an Android intent URL. An attacker who can manipulate the HTML content of a -Cordova application can create links which open other applications and send -arbitrary data to those applications. An attacker who can run arbitrary -JavaScript code within the context of the Cordova application can also set the -document location to such a URL. By using this in concert with a second, -vulnerable application, an attacker might be able to use this method to send -data from the Cordova application to the network.

- -

The latest release of Cordova Android takes steps to block explicit Android -intent urls, so that they can no longer be used to start arbitrary applications -on the device.

- -

Implicit intents, including URLs with schemes such as âtelâ, âgeoâ, and âsmsâ -can still be used to open external applications by default, but this behaviour -can be overridden by plugins.

- -

Upgrade path: -Developers who are concerned about this should rebuild their applications with -Cordova Android 3.5.1.

Implicit intents, including URLs with schemes such as âtelâ, âgeoâ, and âsmsâ can still be used to open external applications by default, but this behaviour can be overridden by plugins.

Credit: -This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

+ +

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

(This notice originally read as follows:)

CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android -intent URLs

CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs

Severity: Medium

Vendor: -The Apache Software Foundation

Vendor: The Apache Software Foundation

+ +

Versions Affected: Cordova Android versions up to 3.5.0

+ +

Versions Affected: -Cordova Android versions up to 3.5.0

The latest release of Cordova Android takes steps to block explicit Android intent urls, so that they can no longer be used to start arbitrary applications on the device.

- -

The latest release of Cordova Android takes steps to block explicit Android -intent urls, so that they can no longer be used to start arbitrary applications -on the device.

- -

Upgrade path: -Developers who are concerned about this should rebuild their applications with -Cordova Android 3.5.1.

Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 3.5.1.

Credit: -This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Modified: cordova/site/public/announcements/2014/08/06/android-351-update.html URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/06/android-351-update.html?rev=1663531&r1=1663530&r2=1663531&view=diff ============================================================================== --- cordova/site/public/announcements/2014/08/06/android-351-update.html (original) +++ cordova/site/public/announcements/2014/08/06/android-351-update.html Tue Mar 3 06:53:27 2015 @@ -69,20 +69,18 @@

Posted by: Ian Clelland

06 Aug 2014

On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasnât quite right, so weâve amended it.

+ +

You can read the amended blog post here.

The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldnât load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to âphone homeâ with the userâs data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.

- -

In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs, but will still open links like sms:, mailto:, or geo: in their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely.

As a very simple example of this, I have published a sample plugin which blocks all external applications from loading. To use it, install it like

cordova plugin add net.iclelland.external-app-block
-

cordova plugin add net.iclelland.external-app-block

or feel free to clone it from GitHub and tweak it to suit your needs.

--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org For additional commands, e-mail: commits-help@cordova.apache.org

Whatâs new in Android

Whatâs new in iOS

Whatâs new in Windows Phone 7 & 8

Whatâs new in Windows 8

Whatâs new in BlackBerry 10

Whatâs new in Android

Whatâs new in Firefox OS

Whatâs new in Ubuntu (touch)

Whatâs new in Amazon FireOS

Whatâs new in iOS

Whatâs new in Windows Phone 7 & 8

Whatâs new in Windows 8

Whatâs new in BlackBerry 10

Whatâs new in Firefox OS

Whatâs new in Ubuntu (touch)

Whatâs new in Amazon FireOS

Whatâs new in Cordova-CLI

Whatâs new in Cordova-Plugman

Plugin versions tested with this release

Whatâs new in Cordova-CLI

Whatâs new in Cordova-Plugman

Plugin versions tested with this release

Whatâs new in Android

Whatâs new in iOS

Whatâs new in Windows Phone 7 & 8

Whatâs new in Windows 8

Whatâs new in BlackBerry 10

Whatâs new in Android

Whatâs new in Firefox OS

Whatâs new in Ubuntu (touch)

Whatâs new in Amazon FireOS

Whatâs new in iOS

Whatâs new in Windows Phone 7 & 8

Whatâs new in Windows 8

Whatâs new in BlackBerry 10

Whatâs new in Firefox OS

Whatâs new in Ubuntu (touch)

Whatâs new in Amazon FireOS

Whatâs new in Cordova-CLI

Whatâs new in Cordova-Plugman

Whatâs new in Cordova-CLI

Whatâs new in Cordova-Plugman