cordova-dev mailing list archives

From Ian Clelland <iclell...@chromium.org>
Subject Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP
Date Wed, 12 Nov 2014 14:03:24 GMT
I'm not familiar enough with the FirefoxOS architecture, but on Android, we
had also considered the possibility of injecting a Content-Security-Policy
in the response header for the application's start page -- this would be
more secure, arguably, than a <meta> tag. The biggest problem is that that
trick only works on the initial page load; if you have a multi-page app,
then you don't get the chance to do that for subsequent pages, but that's
an Android-specific limitation.

(It's something that we will be able to do soon for iOS, since it looks
like we're going to control the entire HTTP process.)

On Wed Nov 12 2014 at 8:54:23 AM Frederik Braun <fbraun@mozilla.com> wrote:

> Response inline
>
> On 12.11.2014 14:35, Michal Mocny wrote:
> > We could add <meta http-equiv="Content-Security-Policy" content=".."> to
> > the default template, or create a plugin that injects it automatically and
> > try to get developers to install that plugin.
> >
> > This has some benefits for security of cordova apps and has been brought up
> > on these lists in that context (very recently by Ian's whitelist -> plugin
> > thread).
> >
>
> Meta CSP is quite a nice idea, yet we're unfortunately lacking support
> in Firefox (and Firefox OS) so far
> (https://bugzilla.mozilla.org/show_bug.cgi?id=663570).
>
> I was thinking that some sort of early feedback (i.e. build step
> warning) could help avoid these patterns when app development has
> *just* started.
>
> > Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> > scripts automatically? (This issue applies to chrome apps, and vulcanize is
> > used to solve the problem with web component inline scripts).
> >
>
> That's an interesting suggestion, thanks!
>
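The build-step warning Frederik suggests, as an added example that is not part of this thread or of Cordova itself: a Node.js lint (which a Cordova hook could run over the app's HTML) that flags the patterns the Firefox OS packaged-app CSP blocks, namely inline script bodies, inline event handlers, javascript: URLs and string-evaluating calls. The rule set, helper names and sample page are constructed for this illustration.

```javascript
// Added example (not from the thread): a build-step lint, callable from a Cordova hook,
// flagging HTML patterns the Firefox OS packaged-app CSP rejects: inline <script> bodies,
// inline event handlers, javascript: URLs and string-evaluating calls. Regex heuristics.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const EVENT_HANDLER = /\s(on[a-z]+)\s*=\s*["']/gi;
const JAVASCRIPT_URL = /\s(?:href|src|action)\s*=\s*["']\s*javascript:/gi;
const EVAL_LIKE = /\b(eval|new\s+Function|setTimeout|setInterval)\s*\(\s*["'`]/g;
// Non-JS script types (templates, JSON data) are never executed, so CSP ignores them.
const JS_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// 1-based line number of a character offset, for the warning message.
const lineOf = (text, index) => text.slice(0, index).split('\n').length;

// Returns findings as { line, rule, detail }, sorted by line.
function findCspConflicts(html) {
  const findings = [];
  const add = (index, rule, detail) => findings.push({ line: lineOf(html, index), rule, detail });
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const [full, attrs, body] = m;
    const typeMatch = /\btype\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (!JS_TYPES.has(typeMatch ? typeMatch[1].trim().toLowerCase() : '')) continue;
    if (!/\bsrc\s*=/i.test(attrs) && body.trim() !== '') {
      add(m.index, 'inline-script', 'move the script body into an external .js file');
    }
    const bodyStart = m.index + full.indexOf('>') + 1; // attrs cannot contain '>'
    for (const e of body.matchAll(EVAL_LIKE)) {
      add(bodyStart + e.index, 'eval-like', `${e[1]}() given a string; pass a function instead`);
    }
  }
  for (const m of html.matchAll(EVENT_HANDLER)) {
    add(m.index, 'inline-handler', `${m[1]} attribute; use addEventListener instead`);
  }
  for (const m of html.matchAll(JAVASCRIPT_URL)) {
    add(m.index, 'javascript-url', 'javascript: URL; bind a click handler instead');
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page exercising each rule; the template script is allowed.
const SAMPLE_HTML = [
  '<script src="js/index.js"></script>',
  '<script>var x = 1;</script>',
  '<script type="text/x-template"><div>{{ name }}</div></script>',
  '</head><body>',
  '<button onclick="go()">Go</button>',
  '<a href="javascript:void(0)">link</a>',
  '<script>setTimeout("tick()", 100);</script>',
].join('\n');

findCspConflicts(SAMPLE_HTML).forEach(f => console.log(`warning: line ${f.line}: ${f.rule}: ${f.detail}`));
```

External scripts and non-JavaScript script types produce no warning, so a page that already keeps its code in separate files passes cleanly.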
