From Filip Maj <...@adobe.com>
Subject Re: sysapps runtime cfc passed
Date Wed, 20 Mar 2013 21:23:23 GMT
Ah, thanks for clarifying.

On 3/20/13 2:17 PM, "Andrew Lunny" <alunny@gmail.com> wrote:

>On 20 March 2013 13:54, Filip Maj <fil@adobe.com> wrote:
>
>> Actually dude talks about CSP 1.1 supporting whitelisting of inline
>> scripts?
>>
>
>The relevant bit in the CSP spec is:
>http://www.w3.org/TR/CSP/#script-src
>
>tldr: servers can send CSPs (policies) that do allow inline scripts, but
>the policy specified by sysapps[1] does not.
>
>[1] default-src *; script-src 'self'; object-src 'none'; style-src 'self'
>
>
>>
>> On 3/20/13 8:39 AM, "Andrew Grieve" <agrieve@chromium.org> wrote:
>>
>> >This recent security talk talks about why inline scripts are on the way
>> >out:
>> >https://www.youtube.com/watch?feature=player_embedded&v=WljJ5guzcLs
>> >
>> >A good amount of the spec deals with application distribution, which is
>> >out
>> >of our hands when talking about App Stores.
>> >
>> >It uses a separate AppCache manifest to define what files are in the
>> >bundle. Does this not imply that the whitelist is still in effect via the
>> >Network: section of the AppCache manifest?
>> >
>> >
>> >
>> >
>> >
>> >On Wed, Mar 20, 2013 at 10:10 AM, Braden Shepherdson
>> ><braden@chromium.org>wrote:
>> >
>> >> On the subject of no inline scripts or eval, this is used in the new v2
>> >> Chrome Apps too. It eliminates a wide spectrum of security risks at a
>> >> stroke, though it does require changing some of the older web dev practices
>> >> (onclick="whatever", primarily). If you're already attaching handlers using
>> >> jQuery, or using something like AngularJS, this is no change.
>> >>
>> >> Only loading scripts from inside the app package, I'm not sure. It
>> >> eliminates the possibility of using a CDN, but the caching benefits of that
>> >> are inferior to shipping the files in the bundle.
>> >>
>> >> Braden
>> >>
>> >>
>> >> On Wed, Mar 20, 2013 at 6:46 AM, Brian LeRoux <b@brian.io> wrote:
>> >>
>> >> > Ok, picking this up again. At the working group, Fil, it would be good
>> >> > to give our feedback on the manifest as it has related to the Cordova
>> >> > reality.
>> >> >
>> >> > I really dislike:
>> >> >
>> >> > - scripts can only be loaded from inside the app package
>> >> > - no inline scripts, no eval
>> >> >
>> >> > I really like the idea of killing the whitelist feature..
>> >> >
>> >> >
>> >> > On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <mmocny@chromium.org> wrote:
>> >> > > Thanks for the highlights Fil.  Makes for easier reading!
>> >> > >
>> >> > >
>> >> > > On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <fil@adobe.com> wrote:
>> >> > >
>> >> > >> Highlights w.r.t. Cordova:
>> >> > >>
>> >> > >> 1. Application manifest JSON (yay!) [1]:
>> >> > >>
>> >> > >> 2. There is an Application interface now in charge of handling:
>> >> > >>   - pause/resume/launch/terminate events
>> >> > >>   - readonly parameters such as install time, origin, parameters,
>> >> > >>     update state (downloading, installing), package size
>> >> > >>   - methods such as exit, hide, uninstall, update (interesting!)
>> >> > >>     - related to update, the spec calls for the update firing
>> >> > >>       asynchronously, reporting back progress events to the app. metaaaa
>> >> > >> 3. App Management interface, which is deemed a "privileged" API, to get
>> >> > >> events about the (un)installation of other applications.
>> >> > >>
>> >> > >> Interesting "security" conclusions [2]:
>> >> > >>
>> >> > >> - scripts can only be loaded from inside the app package
>> >> > >> - no inline scripts, no eval
>> >> > >> - "Media (audio and video) can still be loaded from anywhere;" => this
>> >> > >> should inform our media APIs once we get to the audit and finally
>> >> > >> determine that the whitelist has no effect on media. This already applies
>> >> > >> to images on the web.
>> >> > >> - "Network connections can still be opened anywhere using data-centric
>> >> > >> APIs like XMLHttpRequest or WebSocket." => implication here is that the
>> >> > >> whitelist is, really, useless (which has been my opinion always :D )
>> >> > >>
>> >> > >> Related, I will be attending the SysApps Face to Face in Madrid [3] next
>> >> > >> month. If anyone from the Cordova community has specific issues that they
>> >> > >> would like to see addressed, let me know!
>> >> > >>
>> >> > >> [1] http://runtime.sysapps.org/#application-manifest
>> >> > >> [2] http://runtime.sysapps.org/#csp-policy
>> >> > >> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
>> >> > >>
>> >> > >> On 3/18/13 9:03 AM, "Giorgio Natili" <g.natili@gnstudio.com> wrote:
>> >> > >>
>> >> > >> >It should be followed (I have had a quick look), but it depends on what
>> >> > >> >it means from a development point of view.
>> >> > >> >I mean that there is already a roadmap and that this draft should have a
>> >> > >> >big impact, so it is up to the contributors to explain to us how much
>> >> > >> >effort is required.
>> >> > >> >
>> >> > >> >Giorgio
>> >> > >> >
>> >> > >> >On 3/18/13 8:02 AM, "Brian LeRoux" <b@brian.io> wrote:
>> >> > >> >
>> >> > >> >>Have a look: http://runtime.sysapps.org/
>> >> > >> >>
>> >> > >> >>What do we think?
>> >> > >> >
>> >> > >> >
>> >> > >>
>> >> > >>
>> >> >
>> >>
>>
>>
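To make the thread's CSP questions concrete (can inline scripts and eval run, can a script come from a CDN, and why XMLHttpRequest, WebSocket and media are still unrestricted), here is an added example that is not part of this mailing-list thread, of Cordova or of the SysApps specification: a small evaluator for CSP 1.0 policy strings, run over the policy quoted in Andrew Lunny's footnote [1] and over a constructed permissive policy of the kind a web server could send instead. The helper names, the app origin `https://myapp.example` and the sample URLs are constructed for the example, and host-source matching ignores ports and paths, which is a simplification of my own.

```javascript
// Added example (not Cordova or SysApps code): a minimal evaluator for
// CSP 1.0 policy strings. Host-source matching ignores ports and paths;
// that simplification is the example's, not the spec's.

// Policy quoted in the thread (Andrew Lunny's footnote [1]).
const SYSAPPS_POLICY =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";

// Constructed counter-example: a policy that does allow inline scripts and eval.
const PERMISSIVE_POLICY =
  "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";

// Fetch directives that fall back to default-src when not set explicitly.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src',
]);

// Parse "name src src; name src" into a Map of directive -> source list.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Effective source list for a directive, or null when nothing restricts it.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

// Does one source expression match the URL? Ports and paths are ignored.
function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === '*') return true;
  if (source === "'self'") {
    const s = new URL(selfOrigin);
    return u.protocol === s.protocol && u.host === s.host;
  }
  if (source.startsWith("'")) return false;          // other keywords never match URLs
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {           // scheme-source, e.g. "https:"
    return u.protocol === source;
  }
  // host-source: optional scheme, optional "*." wildcard, then the host name
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol !== scheme + ':') return false;
  return wildcard ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// Would a resource at `url` be allowed to load under `directive`?
function allowsUrl(policy, directive, url, selfOrigin) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true;                   // unrestricted
  if (sources.includes("'none'")) return false;
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Inline <script> blocks and onclick="..." handlers need 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = sourcesFor(policy, 'script-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// eval(), new Function() and string-argument setTimeout need 'unsafe-eval'.
function allowsEval(policy) {
  const sources = sourcesFor(policy, 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// Answer the thread's questions for one policy string.
// The URLs below are constructed samples for an app served from selfOrigin.
function summarize(policyText, selfOrigin) {
  const policy = parsePolicy(policyText);
  return {
    inlineScript: allowsInlineScript(policy),
    evalAllowed: allowsEval(policy),
    scriptFromPackage: allowsUrl(policy, 'script-src', selfOrigin + '/js/index.js', selfOrigin),
    scriptFromCdn: allowsUrl(policy, 'script-src', 'https://cdn.example.net/jquery.js', selfOrigin),
    pluginsAllowed: allowsUrl(policy, 'object-src', selfOrigin + '/plugin.swf', selfOrigin),
    xhrAnywhere: allowsUrl(policy, 'connect-src', 'https://api.example.org/data', selfOrigin),
    mediaAnywhere: allowsUrl(policy, 'media-src', 'https://media.example.com/clip.mp4', selfOrigin),
  };
}

const SELF_ORIGIN = 'https://myapp.example';             // constructed app origin
console.log('sysapps   ', summarize(SYSAPPS_POLICY, SELF_ORIGIN));
console.log('permissive', summarize(PERMISSIVE_POLICY, SELF_ORIGIN));
```

Run it with `node`. Under the SysApps policy, inline scripts, eval, CDN-hosted scripts and plugins are all refused, while `connect-src` and `media-src` are absent and so fall back to `default-src *`, which is exactly why Fil's highlights note that XMLHttpRequest, WebSocket and media remain reachable from anywhere. The permissive policy shows Andrew Lunny's point: a server may send a policy that does allow inline scripts and eval, it is only the SysApps policy that does not.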

