cordova-dev mailing list archives

From "Parashuram Narasimhan (MS OPEN TECH)" <panar...@microsoft.com>
Subject RE: [Discuss] 3.6.0 Release
Date Tue, 12 Aug 2014 15:48:15 GMT
Had a quick question on the whitelists. I remember that there was talk of using CSP to fix
this issue. A CSP file may not be backward compatible, but could potentially just give us
one list instead of 2 whitelists. The CSP file may be like the following:

Content-Security-Policy: 
	script-src 'self', foo.com, bar.com 
	img-src cdn.com 
	intent-src mail, sms

Note the new intent-src directive, which is basically used to launch external programs. Do
you think this could be something we can look at for 4.0? I am not sure if our whitelist
xml file maps to a W3C spec, but CSP seems more like a standard. This is breaking, and 4.0
may be the right time to do it?

-----Original Message-----
From: iclelland@google.com [mailto:iclelland@google.com] On Behalf Of Ian Clelland
Sent: Tuesday, August 12, 2014 8:30 AM
To: dev@cordova.apache.org
Subject: Re: [Discuss] 3.6.0 Release

I've created CB-7291 for the whitelist issue, and I've ported the code from June to the new-style
configuration architecture and committed it to a named CB-7291 branch on cordova-android.

If anyone has any thoughts/opinions on the syntax or the proposal itself, or on what the defaults
should be for new and upgrading applications, please chime in on the issue.



On Mon, Aug 11, 2014 at 11:26 AM, Parashuram Narasimhan (MS OPEN TECH) <panarasi@microsoft.com>
wrote:

> I think we should also finalize on the platform switches so that we 
> all agree on a pattern (even if it is different across platforms). 
> This way, we can release 3.6.0 with a set of switches, and ensure that 
> it is backward compatible.
>
>
> -----Original Message-----
> From: iclelland@google.com [mailto:iclelland@google.com] On Behalf Of 
> Ian Clelland
> Sent: Monday, August 11, 2014 8:00 AM
> To: dev@cordova.apache.org
> Subject: Re: [Discuss] 3.6.0 Release
>
> I'll see about committing that today; I've had to reorganize it quite 
> a bit after the Big Config Refactor.
>
> Joe, I'm pretty certain that your code is still in master, but 
> definitely add those tests to make sure, and to make sure we don't regress.
>
> Ian
>
>
> On Mon, Aug 11, 2014 at 10:52 AM, Marcel Kinard <cmarcelk@gmail.com>
> wrote:
>
> > I agree with Joe.
> >
> > On Aug 11, 2014, at 10:02 AM, Joe Bowser <bowserj@gmail.com> wrote:
> >
> > > Let's not release until the new whitelist is figured out.  That
> > > feature is too important.
> >
>