cordova-dev mailing list archives

From: Brian LeRoux <...@brian.io>
Subject: Re: sysapps runtime cfc passed
Date: Wed, 20 Mar 2013 10:46:24 GMT
Ok, picking this up again. At the working group, Fil, it would be good
to give our feedback on the manifest as it relates to the Cordova
reality.

I really dislike:

- scripts can only be loaded from inside the app package
- no inline scripts, no eval

I really like the idea of killing the whitelist feature.


On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <mmocny@chromium.org> wrote:
> Thanks for the highlights, Fil. Makes for easier reading!
>
>
> On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <fil@adobe.com> wrote:
>
>> Highlights w.r.t. Cordova:
>>
>> 1. Application manifest JSON (yay!) [1]:
>>
>> 2. There is an Application interface now in charge of handling:
>>   - pause/resume/launch/terminate events
>>   - readonly parameters such as install time, origin, parameters, update state (downloading, installing), package size
>>   - methods such as exit, hide, uninstall, update (interesting!)
>>     - related to update, the spec calls for the update firing asynchronously, reporting back progress events to the app. metaaaa
>> 3. App Management interface, which is deemed a "privileged" API, to get events about the (un)installation of other applications.
>>
>> Interesting "security" conclusions [2]:
>>
>> - scripts can only be loaded from inside the app package
>> - no inline scripts, no eval
>> - "Media (audio and video) can still be loaded from anywhere;" => this should inform our media APIs once we get to the audit and finally determine that the whitelist has no effect on media. This already applies to images on the web.
>> - "Network connections can still be opened anywhere using data-centric APIs like XMLHttpRequest or WebSocket." => the implication here is that the whitelist is, really, useless (which has always been my opinion :D )
>>
>> Related, I will be attending the SysApps Face to Face in Madrid [3] next
>> month. If anyone from the Cordova community has specific issues that they
>> would like to see addressed, let me know!
>>
>> [1] http://runtime.sysapps.org/#application-manifest
>> [2] http://runtime.sysapps.org/#csp-policy
>> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
>>
>> On 3/18/13 9:03 AM, "Giorgio Natili" <g.natili@gnstudio.com> wrote:
>>
>> >It should be followed (I have had a quick look), but it depends what it
>> >means from a development point of view.
>> >I mean that there is already a roadmap and that this draft should have a
>> >big impact, so it is up to the contributors to try to explain to us how much
>> >effort is required.
>> >
>> >Giorgio
>> >
>> >On 3/18/13 8:02 AM, "Brian LeRoux" <b@brian.io> wrote:
>> >
>> >>Have a look: http://runtime.sysapps.org/
>> >>
>> >>What do we think?
>> >
>> >
>>
>>
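The CSP conclusions Fil quotes from [2] (scripts only from the package, no inline or eval, media and network connections from anywhere), modelled as a small directive evaluator. This is an added example, not code from the thread, from Cordova or from the SysApps spec; the policy string and the `app://pkg` package origin are constructed for illustration.

```javascript
// Constructed policy modelled on the spec's conclusions: scripts only from the
// package ('self'), no 'unsafe-inline' / 'unsafe-eval', media and connections open.
const SYSAPPS_LIKE_CSP =
  "default-src 'self'; script-src 'self'; media-src *; connect-src *";

// Parse "name src src; name src" into a Map of directive name -> source list.
// As in CSP, a repeated directive is ignored: the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Does a source list permit a load? requestOrigin is an origin string, or the
// pseudo-origins "inline" (inline script) and "eval" (string-to-code).
// '*' matches network origins only, never inline or eval.
function sourceAllows(sources, requestOrigin, appOrigin) {
  const isNetwork = requestOrigin !== "inline" && requestOrigin !== "eval";
  for (const s of sources) {
    if (s === "*" && isNetwork) return true;
    if (s === "'self'" && requestOrigin === appOrigin) return true;
    if (s === "'unsafe-inline'" && requestOrigin === "inline") return true;
    if (s === "'unsafe-eval'" && requestOrigin === "eval") return true;
    if (s === requestOrigin) return true;
  }
  return false;
}

// Evaluate one load against the policy. A fetch directive that is absent falls
// back to default-src; with no default-src either, CSP imposes no restriction.
function cspAllows(policy, directive, requestOrigin, appOrigin) {
  const directives = parseCsp(policy);
  const sources =
    directives.get(directive) ?? directives.get("default-src") ?? ["*"];
  return sourceAllows(sources, requestOrigin, appOrigin);
}
```

Running the three script cases against `SYSAPPS_LIKE_CSP` shows them all refused, while the same external origin is accepted for `media-src` and `connect-src`, which is exactly the gap Fil's last two bullets point at.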
