Delivered-To: mailing list dev@cordova.apache.org
From: Axel Nennker
To: dev, fbraun@mozilla.com
Date: Wed, 12 Nov 2014 15:20:58 +0100
Subject: Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP

vulcanize does not work when inline script depends on the order of the scripts.
vulcanize just extracts all inline script and includes vulcanize.js at the end of the html body

2014-11-12 14:35 GMT+01:00 Michal Mocny:

> We could add to
> the default template, or create a plugin that injects it automatically and
> try to get developers to install that plugin.
>
> This has some benefits for security of cordova apps and has been brought up
> on these lists in that context (very recently by Ian's whitelist -> plugin
> thread).
>
> Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> scripts automatically? (This issue applies to chrome apps, and vulcanize is
> used to solve the problem with web component inline scripts).
>
> -Michal
>
> On Wed, Nov 12, 2014 at 7:09 AM, Frederik Braun wrote:
>
> > Hi,
> >
> > I am not very involved with Cordova, but as far as I understand, Cordova
> > Apps are allowed to use eval, inline scripts etc.
> >
> > We do not allow this in Firefox OS [1] and I am concerned that it may
> > cause some friction when porting existing Cordova apps to Firefox OS and
> > then realizing that a lot of scripts needs rewriting to comply with our
> > Content Security Policy (CSP).
> >
> > Is there anything we can do to remove this friction? My first intuition
> > would be some sort of warning that is emitted when building an app that
> > uses one of those patterns.
> >
> > What do you think?
> >
> > Thanks!
> > Frederik
> >
> > [1] https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP
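
The build-time warning proposed in the quoted message, sketched as an added example (not code from this thread or from Cordova): a Node.js scan that flags inline scripts and eval and, going beyond the two patterns named in the message, inline event handlers, javascript: URLs, new Function and string timers. `findCspConflicts`, the rule ids and the sample page are assumptions made for illustration.

```javascript
// Added example: regex heuristics for a build-time warning, not a full parser.
// findCspConflicts() and the rule ids are hypothetical names, not a Cordova API.
const HTML_RULES = [
  // <script> without a src attribute and with a non-empty body
  { id: 'inline-script', re: /<script\b(?![^>]*\ssrc\s*=)[^>]*>\s*(?!<\/script)\S/gi },
  // on* attribute handlers such as onclick="..."
  { id: 'inline-handler', re: /<[a-z][^>]*\son[a-z]+\s*=/gi },
  // javascript: URLs in href or src
  { id: 'javascript-url', re: /\b(?:href|src)\s*=\s*["']?\s*javascript:/gi },
];
// String-to-code sinks that a policy without 'unsafe-eval' blocks
const JS_RULES = [
  { id: 'eval', re: /\beval\s*\(/g },
  { id: 'new-function', re: /\bnew\s+Function\s*\(/g },
  { id: 'string-timer', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g },
];

// 1-based line number of a character offset
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns [{ file, line, rule }] sorted by line. HTML files get both rule
// sets, because inline script bodies can contain eval-style calls too.
function findCspConflicts(file, text) {
  const rules = /\.html?$/i.test(file) ? HTML_RULES.concat(JS_RULES) : JS_RULES;
  const findings = [];
  for (const { id, re } of rules) {
    for (const m of text.matchAll(re)) {
      findings.push({ file, line: lineOf(text, m.index), rule: id });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page (not taken from any real app)
const SAMPLE_HTML = [
  '<html><head>',
  '<script src="cordova.js"></script>',
  '<script>var app = { run: function (s) { return eval(s); } };</script>',
  '</head><body>',
  '<button onclick="app.run(\'1+1\')">Go</button>',
  '</body></html>',
].join('\n');

for (const f of findCspConflicts('www/index.html', SAMPLE_HTML)) {
  console.warn(`${f.file}:${f.line}: ${f.rule} conflicts with a script-src 'self' policy`);
}
```

Because the rules are regular expressions, a hit is a prompt to review the line, and patterns such as unquoted or dynamically built handlers can slip past.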