cordova-dev mailing list archives

From Nikhil Khandelwal <>
Subject RE: CSP policy
Date Wed, 11 Mar 2015 18:04:51 GMT
Thanks for bringing this to notice. Forking the thread for better understanding of the default
CSP policy. Can you provide more details of the rationale behind this CSP policy?
        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:; style-src 'self' 'unsafe-inline'; media-src: *">

A few specific questions:
- 'gap:' - could not find documentation on this - what does this mean?
- Why is URL there for all platforms? Why is it even needed for Android?
- 'unsafe-eval' is not present - does that mean evals do not work? I know a number of templating
libraries depend on this.


-----Original Message-----
From: [] On Behalf Of Andrew Grieve
Sent: Wednesday, March 11, 2015 7:16 AM
To: dev
Subject: Re: [Vote] 3.8.0 Cordova App Hello World Release

Note that this pulls in the addition of a content-security-policy <meta> tag.
Please ensure that this doesn't break your platform when voting.

On Tue, Mar 10, 2015 at 7:30 PM, Steven Gill <> wrote:

> Please review and vote on this 3.8.0 Cordova App Hello World Release.
> Release issue:
> Repos ready to be released have been published to
> dist/dev:
> The package was published from its corresponding git tag:
> cordova-app-hello-world: 3.8.0 (0b55140d09)
> Upon a successful vote I will upload the archive to dist/ and publish 
> it to NPM.
> Voting guidelines:
> .md
> Voting will go on for a minimum of 48 hours.
> I vote +1:
> * Ran coho audit-license-headers over the relevant repos
> * Ran coho check-license to ensure all dependencies and 
> subdependencies have Apache-compatible licenses
> * Built a hello world app using the CLI
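
Added example, not part of the original message or of the Cordova project's code: a small JavaScript audit of the policy string exactly as it appears in the message above, showing which directive governs scripts and media once the default-src fallback is applied, whether eval() is permitted, and which directive names fall outside the CSP grammar. The function names and the QUOTED_POLICY constant are assumptions made for this illustration.

```javascript
// Constructed sample: the policy as quoted in the message above, on one line.
const QUOTED_POLICY =
  "default-src 'self' data: gap:; style-src 'self' 'unsafe-inline'; media-src: *";

// The CSP grammar allows only letters, digits and '-' in a directive name.
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;

// Split a serialized policy into a Map of directive name -> source list and
// collect names that contain characters outside the grammar (no effect in a browser).
function parsePolicy(policy) {
  const directives = new Map();
  const ignored = [];
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!DIRECTIVE_NAME.test(name)) { ignored.push(tokens[0]); continue; }
    if (directives.has(name)) continue; // the first occurrence of a directive wins
    directives.set(name, tokens.slice(1));
  }
  return { directives, ignored };
}

// Fetch directives such as script-src and media-src fall back to default-src.
function effectiveSources(parsed, directive) {
  return parsed.directives.get(directive) ?? parsed.directives.get("default-src") ?? null;
}

// eval() and new Function() are blocked whenever a governing source list
// exists and does not contain the 'unsafe-eval' keyword.
function evalAllowed(parsed) {
  const sources = effectiveSources(parsed, "script-src");
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

function auditPolicy(policy) {
  const parsed = parsePolicy(policy);
  return {
    ignored: parsed.ignored,
    scriptSrc: effectiveSources(parsed, "script-src"),
    mediaSrc: effectiveSources(parsed, "media-src"),
    evalAllowed: evalAllowed(parsed),
  };
}

console.log(auditPolicy(QUOTED_POLICY));
```

Run against the quoted string, the audit reports eval() as blocked and lists `media-src:` as ignored because of the trailing colon, so media loads are governed by the default-src list instead of `*`.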
