cordova-dev mailing list archives

From Nikhil Khandelwal <nikhi...@microsoft.com>
Subject RE: CSP policy
Date Fri, 13 Mar 2015 18:47:01 GMT
Thanks, Andrew, for making the prompt change, and Steve for starting the re-vote!

Thanks,
Nikhil


-----Original Message-----
From: Rob Paveza [mailto:Rob.Paveza@microsoft.com] 
Sent: Friday, March 13, 2015 11:10 AM
To: dev@cordova.apache.org
Subject: RE: CSP policy

I think that would be preferable.  

Templating engines like to use eval because they allow the templates to have code generated
for them at runtime.  Given a template, the engine can do codegen that does string-concat
-> innerHTML, which tends to be very fast for large templates.  Without eval, the only
choice is to do DOM clone/manipulation and event re-wiring, which is laboriously slow for
complex DOM trees.

YMMV depending on app characteristics, but especially for data-intensive data-bound apps,
disallowing eval will be brutal.

-Rob

-----Original Message-----
From: Steven Gill [mailto:stevengill97@gmail.com]
Sent: Friday, March 13, 2015 10:57 AM
To: dev@cordova.apache.org
Subject: Re: CSP policy

We aren't in a rush to ship this. I'd rather have it in a state that everyone is happy with.
30% slowdown can really impact a lot of our developers.

I'll restart the vote thread for it



On Fri, Mar 13, 2015 at 10:14 AM, Andrew Grieve <agrieve@chromium.org> wrote:

> Up to you. It's just the template, and it's clearly commented as-is.
>
> On Fri, Mar 13, 2015 at 12:55 PM, Steven Gill <stevengill97@gmail.com> wrote:
>
> > Revote? Lol
> > On Mar 13, 2015 9:53 AM, "Andrew Grieve" <agrieve@chromium.org> wrote:
> >
> > > Makes sense. I've added it to the template.
> > >
> > > On Fri, Mar 13, 2015 at 1:13 AM, Nikhil Khandelwal <nikhilkh@microsoft.com> wrote:
> > >
> > > > Thanks for the explanations, Andrew. Most of this makes sense now. Also, I
> > > > liked your comments.
> > > >
> > > > We've noticed up to 30% performance slowdown by disabling eval through
> > > > CSP in angular and other popular frameworks. I'm concerned about not adding
> > > > 'unsafe-eval' as the default. We should add it to the default policy and
> > > > expect the developers to make the choice consciously to remove it.
> > > >
> > > > Thanks,
> > > > Nikhil
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: agrieve@google.com [mailto:agrieve@google.com] On Behalf Of Andrew Grieve
> > > > Sent: Thursday, March 12, 2015 10:47 AM
> > > > To: Andrew Grieve
> > > > Cc: dev
> > > > Subject: Re: CSP policy
> > > >
> > > > Added comment with these points to the template.
> > > >
> > > > On Wed, Mar 11, 2015 at 9:37 PM, Andrew Grieve <agrieve@chromium.org> wrote:
> > > >
> > > > > Great questions! Certainly was hoping to get more eyes on this!
> > > > >
> > > > > Not sure where a good spot to document this is, but maybe right in the
> > > > > template is okay? That way users will also know the rationale :)
> > > > >
> > > > >
> > > > > On Wed, Mar 11, 2015 at 2:04 PM, Nikhil Khandelwal <nikhilkh@microsoft.com> wrote:
> > > > >
> > > > >> Thanks for bringing this to notice. Forking the thread for better
> > > > >> understanding of the default CSP policy. Can you provide more details
> > > > >> of the rationale behind this CSP policy?
> > > > >>         <meta http-equiv="Content-Security-Policy"
> > > > >> content="default-src 'self' data: gap:
> > > > >> https://ssl.gstatic.com/accessibility/javascript/android/; style-src
> > > > >> 'self' 'unsafe-inline'; media-src: *">
> > > > >>
> > > > >> A few specific questions:
> > > > >> - 'gap:' - could not find documentation on this - what does this mean?
> > > > >>
> > > > > Needed only on iOS, because it navigates iframes to that URL for its
> > > > > exec() bridge.
> > > > >
> > > > >
> > > > >> - Why is https://ssl.gstatic.com/accessibility/javascript/android/
> > > > >> URL there for all platforms? Why is it even needed for Android?
> > > > >>
> > > > > Needed only on Android and is needed (crazily) to not break TalkBack
> > > > > (screen reader). Note that CSP right now ignores paths, so that actually
> > > > > has the effect of whitelisting all of ssl.gstatic.com
> > > > >
> > > > >
> > > > >> - 'unsafe-eval' is not present - does that mean evals do not work? I
> > > > >> know a number of templating libraries depend on this.
> > > > >>
> > > > > Correct. My thinking here is that both FFOS and Chrome Apps decided
> > > > > that this is a good policy for packaged apps with access to "dangerous"
> > > > > APIs, and so it would make a good default for us as well.
> > > > >
> > > > >
> > > > >>
> > > > >> Thanks,
> > > > >> Nikhil
> > > > >>
> > > > >>
> > > > >> -----Original Message-----
> > > > >> From: agrieve@google.com [mailto:agrieve@google.com] On Behalf Of Andrew Grieve
> > > > >> Sent: Wednesday, March 11, 2015 7:16 AM
> > > > >> To: dev
> > > > >> Subject: Re: [Vote] 3.8.0 Cordova App Hello World Release
> > > > >>
> > > > >> Note that this pulls in the addition of a content-security-policy <meta> tag.
> > > > >> Please ensure that this doesn't break your platform when voting.
> > > > >>
> > > > >> On Tue, Mar 10, 2015 at 7:30 PM, Steven Gill <stevengill97@gmail.com> wrote:
> > > > >>
> > > > >> > Please review and vote on this 3.8.0 Cordova App Hello World Release.
> > > > >> >
> > > > >> > Release issue: https://issues.apache.org/jira/browse/CB-8645
> > > > >> >
> > > > >> > Repos ready to be released have been published to
> > > > >> > dist/dev: https://dist.apache.org/repos/dist/dev/cordova/CB-8645
> > > > >> >
> > > > >> > The package was published from its corresponding git tag:
> > > > >> > cordova-app-hello-world: 3.8.0 (0b55140d09)
> > > > >> >
> > > > >> > Upon a successful vote I will upload the archive to dist/ and publish
> > > > >> > it to NPM.
> > > > >> >
> > > > >> > Voting guidelines:
> > > > >> > https://github.com/apache/cordova-coho/blob/master/docs/release-voting.md
> > > > >> >
> > > > >> > Voting will go on for a minimum of 48 hours.
> > > > >> >
> > > > >> > I vote +1:
> > > > >> > * Ran coho audit-license-headers over the relevant repos
> > > > >> > * Ran coho check-license to ensure all dependencies and
> > > > >> >   subdependencies have Apache-compatible licenses
> > > > >> > * Built a hello world app using the CLI
> > > > >> >
> > > > >>
> > > > >>
> > > > >> ---------------------------------------------------------------------
> > > > >> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
> > > > >> For additional commands, e-mail: dev-help@cordova.apache.org
> > > > >>
> > > > >
> > > >
> > >
> >
>



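As an added example (not code from this thread or from the Cordova project), a small checker that parses the default <meta> policy quoted in the thread under the CSP 1.0 rules Andrew describes (missing fetch directives fall back to default-src, host paths are ignored) and answers the questions raised: whether eval and inline styles are allowed, what the path-scoped gstatic entry really whitelists, and what the stray colon in "media-src:" does to media loads. The directive list and matching are a simplified model, not a browser's implementation; selfOrigin is an assumed parameter for the 'self' keyword.

```javascript
// Added example, not code from the Cordova thread or project: a small checker
// for a CSP <meta> policy, modelling the CSP 1.0 rules the thread describes
// (fetch directives fall back to default-src; host paths are ignored).
const KNOWN = new Set(['default-src', 'script-src', 'style-src', 'img-src',
  'media-src', 'connect-src', 'font-src', 'object-src', 'frame-src']);

// Parse "name src src; name src" into {name: [sources]}; unknown names are
// reported because browsers silently drop them (note "media-src:" below).
function parsePolicy(text) {
  const directives = {}, unknown = [];
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const name = tokens[0].toLowerCase();
    if (!KNOWN.has(name)) unknown.push(name);
    if (!(name in directives)) directives[name] = tokens.slice(1); // first one wins
  }
  return { directives, unknown };
}

// A fetch directive that is absent inherits the default-src source list.
function effectiveSources(policy, directive) {
  const d = policy.directives;
  return d[directive] || d['default-src'] || [];
}

const allowsEval = p => effectiveSources(p, 'script-src').includes("'unsafe-eval'");
const allowsInlineStyle = p => effectiveSources(p, 'style-src').includes("'unsafe-inline'");

// CSP 1.0-style host matching: scheme and host are compared, the path is not,
// so a path-scoped entry such as the gstatic URL whitelists its whole origin.
// selfOrigin (assumed parameter) is the document origin for the 'self' keyword.
function originAllowed(policy, directive, url, selfOrigin) {
  const target = new URL(url);
  return effectiveSources(policy, directive).some(src => {
    if (src === '*') return true;
    if (src === "'self'") return selfOrigin !== undefined && target.origin === selfOrigin;
    if (src.startsWith("'")) return false;                 // other keyword sources
    if (src.endsWith(':')) return target.protocol === src; // scheme source, e.g. gap:
    try {
      const s = new URL(src);
      return s.protocol === target.protocol && s.host === target.host;
    } catch (e) { return false; }                          // not a host source
  });
}

// The default policy exactly as quoted in the thread (constructed input).
const TEMPLATE_CSP = "default-src 'self' data: gap: " +
  "https://ssl.gstatic.com/accessibility/javascript/android/; " +
  "style-src 'self' 'unsafe-inline'; media-src: *";
```

Running parsePolicy(TEMPLATE_CSP) reports "media-src:" as an unrecognised directive, so media requests would fall back to default-src rather than getting the intended "*", and originAllowed shows any https URL on ssl.gstatic.com passing regardless of path.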

