cordova-commits mailing list archives

From nikhi...@apache.org
Subject cordova-plugin-whitelist git commit: Update README.md
Date Mon, 26 Oct 2015 16:04:45 GMT
Repository: cordova-plugin-whitelist
Updated Branches:
  refs/heads/master 695006d5e -> 3903631b3


Update README.md

Update some confusing comments.

see: `Content-Security-Policy Examples` in http://content-security-policy.com/. This closes #8


Project: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/commit/3903631b
Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/tree/3903631b
Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/diff/3903631b

Branch: refs/heads/master
Commit: 3903631b3c9a882ee46d79ddf192fb7f4d326b9f
Parents: 695006d
Author: Luo Wen <luowenbiz@gmail.com>
Authored: Wed Jul 22 12:36:06 2015 +0800
Committer: Nikhil Khandelwal <nikhilkh@microsoft.com>
Committed: Mon Oct 26 09:04:17 2015 -0700

----------------------------------------------------------------------
 README.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/blob/3903631b/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index bb46111..63517a0 100644
--- a/README.md
+++ b/README.md
@@ -130,13 +130,16 @@ Here are some example CSP declarations for your `.html` pages:
     -->
     <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:
https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
 
-    <!-- Allow requests to foo.com -->
+    <!-- Allow everything but only from the same origin and foo.com -->
     <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
 
-    <!-- Enable all requests, inline styles, and eval() -->
+    <!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except
that 
+        * CSS only from the same origin and inline styles,
+        * scripts only from the same origin and inline styles, and eval()
+    -->
     <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self'
'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
 
-    <!-- Allow XHRs via https only -->
+    <!-- Allows XHRs only over HTTPS on the same domain. -->
     <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
 
     <!-- Allow iframe to https://cordova.apache.org/ -->
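
Review bot: The new comment on the last changed example, "Allows XHRs only over HTTPS on the same domain", describes a narrower policy than the `default-src 'self' https:` line beneath it. The sources listed in a directive are alternatives, so this value permits the app's own origin plus any host loaded over `https:`, and because the directive is `default-src` it applies to every resource type, not only XHR. Suggest wording such as "Allow all resource types from the same origin and from any origin over HTTPS"; if restricting XHR to the same origin is what the example is meant to show, the policy itself would need a `connect-src` directive. Separately, in the comment added for the `default-src *` example, the scripts bullet reads "scripts only from the same origin and inline styles, and eval()"; that should say "inline scripts" to match `script-src 'self' 'unsafe-inline' 'unsafe-eval'`. It is also worth stating in that comment that `'unsafe-inline'` and `'unsafe-eval'` in `script-src` remove most of the script-injection protection CSP provides, so readers do not copy it as a recommended baseline.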

