cordova-dev mailing list archives

From Frederik Braun <fbr...@mozilla.com>
Subject Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP
Date Wed, 12 Nov 2014 13:53:54 GMT
Response inline

On 12.11.2014 14:35, Michal Mocny wrote:
> We could add <meta http-equiv="Content-Security-Policy" content=".."> to
> the default template, or create a plugin that injects it automatically and
> try to get developers to install that plugin.
> 
> This has some benefits for security of cordova apps and has been brought up
> on these lists in that context (very recently by Ian's whitelist -> plugin
> thread).
> 

Meta CSP is quite a nice idea, yet we're unfortunately lacking support
in Firefox (and Firefox OS) so far
(https://bugzilla.mozilla.org/show_bug.cgi?id=663570).

I was thinking that some sort of early feedback (i.e. build step
warning) could help avoid these patterns when app development has
*just* started.

> Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> scripts automatically? (This issue applies to chrome apps, and vulcanize is
> used to solve the problem with web component inline scripts).
> 

That's an interesting suggestion, thanks!



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org
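
One way the build-step warning discussed in this message could look, as an added example that is not part of the original message or of Cordova's code. It assumes a policy that disallows inline script (no 'unsafe-inline'); the function name `findCspConflicts`, the three patterns it checks and the sample page are constructed for illustration.

```javascript
'use strict';
// Added example: warn about markup that a CSP without 'unsafe-inline' blocks.
// Regex-based and dependency-free; a build-time warning aid, not an HTML parser.
// Overwrite a region with spaces but keep newlines, so offsets and line numbers hold.
const blank = (s) => s.replace(/[^\n]/g, ' ');
const lineOf = (text, index) => text.slice(0, index).split('\n').length;
// Script types a browser executes; others (e.g. application/json) are data blocks.
const EXECUTABLE = /^(?:|module|(?:text|application)\/(?:java|ecma)script)$/i;

function findCspConflicts(html) {
  const findings = [];
  let text = html.replace(/<!--[\s\S]*?-->/g, blank); // ignore commented-out markup
  // 1. <script> without src and with a non-empty, executable body.
  text = text.replace(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi, (m, attrs, body, index) => {
    const t = /\stype\s*=\s*["']?([^"'\s>]*)/i.exec(attrs);
    if (!/\ssrc\s*=/i.test(attrs) && body.trim() && EXECUTABLE.test(t ? t[1] : '')) {
      findings.push({ rule: 'inline-script', line: lineOf(html, index) });
    }
    const start = m.indexOf('>') + 1; // blank the body so JS text is not read as tags
    return m.slice(0, start) + blank(body) + m.slice(start + body.length);
  });
  // 2. on<event>= attributes and javascript: URLs inside the remaining tags.
  for (const tag of text.matchAll(/<[a-z][^>]*>/gi)) {
    for (const attr of tag[0].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ rule: 'inline-handler', detail: attr[1], line: lineOf(html, tag.index + attr.index + 1) });
    }
    if (/\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(tag[0])) {
      findings.push({ rule: 'javascript-url', line: lineOf(html, tag.index) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page (not from the thread); line numbers in the comments.
const SAMPLE = [
  '<!DOCTYPE html>',                                   // 1
  '<html><head>',                                      // 2
  '<script src="js/app.js"></script>',                 // 3 external script: fine
  '<script type="application/json">{"a":1}</script>',  // 4 data block: fine
  '<!-- <script>old()</script> -->',                   // 5 commented out: ignored
  '<script>init();</script>',                          // 6 inline-script
  '</head><body>',                                     // 7
  '<button onclick="go()">Go</button>',                // 8 inline-handler
  '<a href="javascript:void(0)">x</a>',                // 9 javascript-url
].join('\n');

for (const f of findCspConflicts(SAMPLE)) {
  console.log(`warning: ${f.rule}${f.detail ? ' (' + f.detail + ')' : ''} at line ${f.line}`);
}
```

Because it works on text rather than a parsed DOM, attribute values that contain `>` or handler-like strings can produce false warnings, which is acceptable for a build-time hint.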

