cordova-dev mailing list archives

From Michal Mocny <>
Subject Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP
Date Wed, 12 Nov 2014 13:35:52 GMT
We could add <meta http-equiv="Content-Security-Policy" content=".."> to
the default template, or create a plugin that injects it automatically and
try to get developers to install that plugin.

This has some benefits for security of cordova apps and has been brought up
on these lists in that context (very recently by Ian's whitelist -> plugin

Finally, perhaps you can use the `vulcanize --csp` tool to externalize
scripts automatically? (This issue applies to chrome apps, and vulcanize is
used to solve the problem with web component inline scripts).


On Wed, Nov 12, 2014 at 7:09 AM, Frederik Braun <> wrote:

> Hi,
> I am not very involved with Cordova, but as far as I understand, Cordova
> Apps are allowed to use eval, inline scripts etc.
> We do not allow this in Firefox OS [1] and I am concerned that it may
> cause some friction when porting existing Cordova apps to Firefox OS and
> then realizing that a lot of scripts need rewriting to comply with our
> Content Security Policy (CSP).
> Is there anything we can do to remove this friction? My first intuition
> would be some sort of warning that is emitted when building an app that
> uses one of those patterns.
> What do you think?
> Thanks!
> Frederik
> [1]

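A sketch of the build-time warning proposed in the quoted message, written in JavaScript. It is an added example, not part of the original thread and not Cordova or Firefox OS code. The rule names, the scan() function, the file paths and the sample inputs are all constructed for illustration, and the checks are regex heuristics rather than a real HTML/JS parser.

```javascript
// Heuristic lint for patterns that a CSP without inline script or eval blocks.
// Each rule is [id, regex, message]; all names here are illustrative assumptions.
const HTML_RULES = [
  ['inline-script', /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^\s<]/gi,
    'inline <script> body: move it to an external file'],
  ['inline-handler', /<[a-z][^>]*\son[a-z]+\s*=\s*["']/gi,
    'inline event handler attribute: use addEventListener'],
  ['javascript-url', /\b(?:href|src)\s*=\s*["']\s*javascript:/gi,
    'javascript: URL: attach a listener instead'],
];
const JS_RULES = [
  ['eval', /\beval\s*\(/g, 'eval() call'],
  ['new-function', /\bnew\s+Function\s*\(/g, 'Function constructor'],
  ['string-timer', /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g,
    'setTimeout/setInterval with a string argument'],
];

// Returns findings sorted by line; .html/.htm files get HTML rules, others JS rules.
function scan(fileName, text) {
  const rules = /\.html?$/i.test(fileName) ? HTML_RULES : JS_RULES;
  const findings = [];
  for (const [id, regex, message] of rules) {
    for (const m of text.matchAll(regex)) {
      const line = text.slice(0, m.index).split('\n').length; // 1-based line
      findings.push({ file: fileName, line, id, message });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample inputs (not taken from any real app).
const SAMPLE_HTML = [
  '<!DOCTYPE html>',
  '<html><head>',
  '<script src="js/app.js"></script>',
  '<script>window.started = Date.now();</script>',
  '</head><body>',
  '<button onclick="save()">Save</button>',
  '<a href="javascript:void(0)">More</a>',
  '</body></html>',
].join('\n');
const SAMPLE_JS = [
  'var cfg = eval("(" + raw + ")");',
  'setTimeout("tick()", 1000);',
  'setTimeout(function () { tick(); }, 1000);',
  'var add = new Function("a", "b", "return a + b");',
].join('\n');

for (const f of [...scan('www/index.html', SAMPLE_HTML), ...scan('www/js/app.js', SAMPLE_JS)]) {
  console.log(`warning: ${f.file}:${f.line} [${f.id}] ${f.message}`);
}
```

Because the rules are plain regexes, matches inside comments or string literals are reported too, so the output is best treated as warnings rather than build failures.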