cordova-dev mailing list archives

From Nikhil Khandelwal <nikhi...@microsoft.com>
Subject RE: CSP policy
Date Wed, 11 Mar 2015 18:04:51 GMT
Thanks for bringing this to notice. Forking the thread for better understanding of the default
CSP policy. Can you provide more details of the rationale behind this CSP policy?
        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:
https://ssl.gstatic.com/accessibility/javascript/android/; style-src 'self' 'unsafe-inline';
media-src: *">

A few specific questions:
- 'gap:' - could not find documentation on this - what does this mean?
- Why is https://ssl.gstatic.com/accessibility/javascript/android/ URL there for all platforms?
Why is it even needed for Android?
- 'unsafe-eval' is not present - does that mean evals do not work? I know a number of templating
libraries depend on this.

Thanks,
Nikhil


-----Original Message-----
From: agrieve@google.com [mailto:agrieve@google.com] On Behalf Of Andrew Grieve
Sent: Wednesday, March 11, 2015 7:16 AM
To: dev
Subject: Re: [Vote] 3.8.0 Cordova App Hello World Release

Note that this pulls in the addition of a content-security-policy <meta> tag.
Please ensure that this doesn't break your platform when voting.

On Tue, Mar 10, 2015 at 7:30 PM, Steven Gill <stevengill97@gmail.com> wrote:

> Please review and vote on this 3.8.0 Cordova App Hello World Release.
>
> Release issue: https://issues.apache.org/jira/browse/CB-8645
>
> Repos ready to be released have been published to
> dist/dev: https://dist.apache.org/repos/dist/dev/cordova/CB-8645
>
> The package was published from its corresponding git tag:
> cordova-app-hello-world: 3.8.0 (0b55140d09)
>
> Upon a successful vote I will upload the archive to dist/ and publish 
> it to NPM.
>
> Voting guidelines:
> https://github.com/apache/cordova-coho/blob/master/docs/release-voting.md
>
> Voting will go on for a minimum of 48 hours.
>
> I vote +1:
> * Ran coho audit-license-headers over the relevant repos
> * Ran coho check-license to ensure all dependencies and 
> subdependencies have Apache-compatible licenses
> * Built a hello world app using the CLI
>
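
Added example (not part of the original message and not Cordova's code): a JavaScript sketch that applies the standard CSP parsing and default-src fallback rules to the policy quoted in the message, to show which source list governs scripts, whether 'unsafe-eval' is in it, and how each directive name is read. The function names and the directive table are assumptions of this example.

```javascript
// Added example. POLICY is the policy string quoted in the message, line wraps joined.
const POLICY = "default-src 'self' data: gap: " +
  "https://ssl.gstatic.com/accessibility/javascript/android/; " +
  "style-src 'self' 'unsafe-inline'; media-src: *";

// Subset of fetch directives that fall back to default-src (table is this example's own).
const FETCH_DIRECTIVES = new Set(["default-src", "script-src", "style-src", "img-src",
  "media-src", "connect-src", "font-src", "frame-src", "object-src"]);

// Parse a serialized policy. Names outside the table go to `ignored`, which is how a
// browser treats a directive name it does not recognise.
function parsePolicy(text) {
  const known = new Map();
  const ignored = [];
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!FETCH_DIRECTIVES.has(name)) ignored.push(name);
    else if (!known.has(name)) known.set(name, tokens.slice(1)); // first one wins
  }
  return { known, ignored };
}

// Source list governing `directive`, and the directive that supplied it.
function effective(policy, directive) {
  for (const name of [directive, "default-src"]) {
    if (policy.known.has(name)) return { from: name, sources: policy.known.get(name) };
  }
  return { from: null, sources: null }; // this policy does not restrict the type
}

// eval() and new Function() need 'unsafe-eval' in the effective script-src list.
function evalAllowed(policy) {
  const { sources } = effective(policy, "script-src");
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Bare scheme-sources such as data: or gap: (scheme followed by a colon, nothing else).
function schemeSources(sources) {
  return sources.filter((s) => /^[a-z][a-z0-9+.-]*:$/i.test(s));
}

const demo = parsePolicy(POLICY);
console.log("script-src comes from:", effective(demo, "script-src").from);
console.log("eval allowed:", evalAllowed(demo));
console.log("ignored directive names:", demo.ignored);
console.log("media-src comes from:", effective(demo, "media-src").from);
console.log("scheme sources for scripts:", schemeSources(effective(demo, "script-src").sources));
```

On this policy the sketch reports that scripts fall back to default-src, which carries no 'unsafe-eval', and that "media-src:" written with a trailing colon is not a directive name, so media also falls back to default-src.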
