cordova-dev mailing list archives

From Brian LeRoux...@brian.io>
Subject Re: sysapps runtime cfc passed
Date Thu, 21 Mar 2013 19:06:48 GMT
While I respect the benefits I really doubt we can get rid of eval and
inline scripts ever. That's the nature of the web.

Subsequent efforts that forget this facet of the web and pretend to
fix the issue have thus far tended to fail. In any case, we are unable
to fix this issue unless we start shipping a browser, which we're not
going to do anytime soon if ever at all.


On Wed, Mar 20, 2013 at 2:23 PM, Filip Maj <fil@adobe.com> wrote:
> Ah thanks for clarifying
>
> On 3/20/13 2:17 PM, "Andrew Lunny" <alunny@gmail.com> wrote:
>
>>On 20 March 2013 13:54, Filip Maj <fil@adobe.com> wrote:
>>
>>> Actually dude talks about CSP 1.1 supporting whitelisting of inline
>>> scripts ?
>>>
>>
>>The relevant bit in the CSP spec is:
>>http://www.w3.org/TR/CSP/#script-src
>>
>>tldr: servers can send CSPs (policies) that do allow inline scripts, but
>>the policy specified by sysapps[1] does not.
>>
>>[1] default-src *; script-src 'self'; object-src 'none'; style-src 'self'
>>
>>
>>>
>>> On 3/20/13 8:39 AM, "Andrew Grieve" <agrieve@chromium.org> wrote:
>>>
>>> >This recent security talk talks about why inline scripts are on the way
>>> >out:
>>> >https://www.youtube.com/watch?feature=player_embedded&v=WljJ5guzcLs
>>> >
>>> >A good amount of the spec deals with application distribution, which is
>>> >out of our hands when talking about App Stores.
>>> >
>>> >It uses a separate AppCache manifest to define what files are in the
>>> >bundle. Does this not imply that the whitelist is still in effect via the
>>> >Network: section of the AppCache manifest?
>>> >
>>> >
>>> >On Wed, Mar 20, 2013 at 10:10 AM, Braden Shepherdson
>>> ><braden@chromium.org> wrote:
>>> >
>>> >> On the subject of no inline scripts or eval, this is used in the new v2
>>> >> Chrome Apps too. It eliminates a wide spectrum of security risks at a
>>> >> stroke, though it does require changing some of the older web dev practices
>>> >> (onclick="whatever", primarily). If you're already attaching handlers using
>>> >> jQuery, or using something like AngularJS, this is no change.
>>> >>
>>> >> Only loading scripts from inside the app package, I'm not sure. It
>>> >> eliminates the possibility of using a CDN, but the caching benefits of that
>>> >> are inferior to shipping the files in the bundle.
>>> >>
>>> >> Braden
>>> >>
>>> >>
>>> >> On Wed, Mar 20, 2013 at 6:46 AM, Brian LeRoux <b@brian.io> wrote:
>>> >>
>>> >> > Ok, picking this up again. At the working group Fil it would be good
>>> >> > to give our feedback on the manifest as it has related to the Cordova
>>> >> > reality.
>>> >> >
>>> >> > I really dislike:
>>> >> >
>>> >> > - scripts can only be loaded from inside the app package
>>> >> > - no inline scripts, no eval
>>> >> >
>>> >> > I really like the idea of killing the whitelist feature..
>>> >> >
>>> >> >
>>> >> > On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <mmocny@chromium.org> wrote:
>>> >> > > Thanks for the highlights Fil.  Makes for easier reading!
>>> >> > >
>>> >> > >
>>> >> > > On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <fil@adobe.com> wrote:
>>> >> > >
>>> >> > >> Highlights w.r.t. Cordova:
>>> >> > >>
>>> >> > >> 1. Application manifest JSON (yay!) [1]:
>>> >> > >>
>>> >> > >> 2. There is an Application interface now in charge of handling:
>>> >> > >>   - pause/resume/launch/terminate events
>>> >> > >>   - readonly parameters such as install time, origin, parameters,
>>> >> > >>     update state (downloading, installing), package size
>>> >> > >>   - methods such as exit, hide, uninstall, update (interesting!)
>>> >> > >>     - related to update, the spec calls for the update firing
>>> >> > >>       asynchronously, reporting back progress events to the app. metaaaa
>>> >> > >> 3. App Management interface, which is deemed as a "privileged" API, to
>>> >> > >> get events about the (un)installation of other applications.
>>> >> > >>
>>> >> > >> Interesting "security" conclusions [2]:
>>> >> > >>
>>> >> > >> - scripts can only be loaded from inside the app package
>>> >> > >> - no inline scripts, no eval
>>> >> > >> - "Media (audio and video) can still be loaded from anywhere;" => this
>>> >> > >>   should inform our media APIs once we get to the audit and finally
>>> >> > >>   determine that the whitelist has no effect on media. This already
>>> >> > >>   applies to images on the web.
>>> >> > >> - "Network connections can still be opened anywhere using data-centric
>>> >> > >>   APIs like XMLHttpRequest or WebSocket." => implication here is that
>>> >> > >>   the whitelist is, really, useless (which has been my opinion always :D )
>>> >> > >>
>>> >> > >> Related, I will be attending the SysApps Face to Face in Madrid [3] next
>>> >> > >> month. If anyone from the Cordova community has specific issues that they
>>> >> > >> would like to see addressed, let me know!
>>> >> > >>
>>> >> > >> [1] http://runtime.sysapps.org/#application-manifest
>>> >> > >> [2] http://runtime.sysapps.org/#csp-policy
>>> >> > >> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
>>> >> > >>
>>> >> > >> On 3/18/13 9:03 AM, "Giorgio Natili" <g.natili@gnstudio.com> wrote:
>>> >> > >>
>>> >> > >> >It should be followed (I have had a quick look) but it depends on what
>>> >> > >> >it means from a development point of view.
>>> >> > >> >I mean that there is already a roadmap and that this draft should
>>> >> > >> >impact a lot, so it is up to the contributors to try to explain to us
>>> >> > >> >how much effort is required.
>>> >> > >> >
>>> >> > >> >Giorgio
>>> >> > >> >
>>> >> > >> >On 3/18/13 8:02 AM, "Brian LeRoux" <b@brian.io> wrote:
>>> >> > >> >
>>> >> > >> >>Have a look: http://runtime.sysapps.org/
>>> >> > >> >>
>>> >> > >> >>What do we think?
>>> >> > >> >
>>> >> > >> >
>>> >> > >>
>>> >> > >>
>>> >> >
>>> >>
>>>
>>>
>
