cordova-dev mailing list archives

From Axel Nennker <ignisvul...@gmail.com>
Subject Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP
Date Wed, 12 Nov 2014 14:20:58 GMT
vulcanize does not work when an inline script depends on the order of the
scripts.
vulcanize just extracts all inline scripts and includes vulcanize.js at the
end of the html body:
<script src="vulcanized.js"></script></body></html>

<script src="definesA.js"></script>
<script>
  var B = A;
</script>
<script src="usesB.js"></script>

would not work because that becomes

<script src="definesA.js"></script>
<script src="usesB.js"></script> <!-- ReferenceError: B is not defined -->
<script src="vulcanize.js"></script> <!-- contains: var B = A; -->




2014-11-12 14:35 GMT+01:00 Michal Mocny <mmocny@chromium.org>:

> We could add <meta http-equiv="Content-Security-Policy" content=".."> to
> the default template, or create a plugin that injects it automatically and
> try to get developers to install that plugin.
>
> This has some benefits for security of cordova apps and has been brought up
> on these lists in that context (very recently by Ian's whitelist -> plugin
> thread).
>
> Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> scripts automatically? (This issue applies to chrome apps, and vulcanize is
> used to solve the problem with web component inline scripts).
>
> -Michal
>
> On Wed, Nov 12, 2014 at 7:09 AM, Frederik Braun <fbraun@mozilla.com>
> wrote:
>
> > Hi,
> >
> > I am not very involved with Cordova, but as far as I understand, Cordova
> > Apps are allowed to use eval, inline scripts etc.
> >
> > We do not allow this in Firefox OS [1] and I am concerned that it may
> > cause some friction when porting existing Cordova apps to Firefox OS and
> > then realizing that a lot of scripts need rewriting to comply with our
> > Content Security Policy (CSP).
> >
> >
> > Is there anything we can do to remove this friction? My first intuition
> > would be some sort of warning that is emitted when building an app that
> > uses one of those patterns.
> >
> > What do you think?
> >
> >
> >
> > Thanks!
> > Frederik
> >
> > [1] https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP
>
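
The ordering problem described in the message above, as an added example that is not part of the original thread and is not vulcanize's code: each inline script is replaced by an external reference at the same position, so the page satisfies a CSP that forbids inline script without changing execution order. The function names, the `inline-N.js` file names and the regex-based parsing (a simplification for well-formed markup) are assumptions.

```javascript
// Added example: order-preserving externalization of inline scripts.
// Regex matching is a simplification; a real build step would use an HTML
// parser. Generated file names (inline-N.js) are hypothetical.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const JS_TYPE_RE = /^(text|application)\/(java|ecma)script$|^module$/i;

function externalizeInPlace(html, prefix = 'inline-') {
  const files = {}; // generated file name -> extracted source
  let n = 0;
  const out = html.replace(SCRIPT_RE, (tag, attrs, body) => {
    // External scripts and empty elements are left untouched.
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === '') return tag;
    // Blocks with a non-JavaScript type (templates, JSON) are data, not code.
    const type = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (type && !JS_TYPE_RE.test(type[1])) return tag;
    const name = `${prefix}${n++}.js`;
    files[name] = body.trim() + '\n';
    // The replacement sits exactly where the inline block was, so the
    // document's script execution order is unchanged.
    return `<script${attrs} src="${name}"></script>`;
  });
  return { html: out, files };
}

// Script sources in document order, used to check the result.
function scriptOrder(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Constructed sample mirroring the case in the message.
const sample = [
  '<html><body>',
  '<script src="definesA.js"></script>',
  '<script>',
  '  var B = A;',
  '</script>',
  '<script src="usesB.js"></script>',
  '</body></html>',
].join('\n');

const result = externalizeInPlace(sample);
console.log(scriptOrder(result.html)); // B's definition stays before usesB.js
console.log(result.files);
```

Inline event handler attributes and `eval` calls are not covered by this rewrite and would still need manual changes under such a policy.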
