cordova-dev mailing list archives

From Andrew Grieve <agri...@chromium.org>
Subject Re: CSP policy
Date Thu, 12 Mar 2015 01:37:26 GMT
Great questions! Certainly was hoping to get more eyes on this!

Not sure where a good spot to document this is, but maybe right in the
template is okay? That way users will also know the rationale :)
On Wed, Mar 11, 2015 at 2:04 PM, Nikhil Khandelwal <nikhilkh@microsoft.com>
wrote:

> Thanks for bringing this to notice. Forking the thread for better
> understanding of the default CSP policy. Can you provide more details of
> the rationale behind this CSP policy?
>         <meta http-equiv="Content-Security-Policy" content="default-src
> 'self' data: gap:
> https://ssl.gstatic.com/accessibility/javascript/android/; style-src
> 'self' 'unsafe-inline'; media-src: *">
>
> Few specific questions:
> - 'gap:' - could not find documentation on this - what does this mean?
>
Needed only on iOS, because it navigates iframes to that URL for its
exec() bridge.
> - Why is https://ssl.gstatic.com/accessibility/javascript/android/ URL
> there for all platforms? Why is it even needed for Android?
>
Needed only on Android and is needed (crazily) to not break TalkBack
(screen reader). Note that CSP right now ignores paths, so that actually
has the effect of whitelisting all of ssl.gstatic.com.
> - 'unsafe-eval' is not present - does that mean evals do not work. I know
> a number of templating libraries depend on this.
>
Correct. My thinking here is that both FFOS and Chrome Apps decided
that this is a good policy for packaged apps with access to "dangerous"
APIs, and so it would make a good default for us as well.
>
> Thanks,
> Nikhil
>
>
> -----Original Message-----
> From: agrieve@google.com [mailto:agrieve@google.com] On Behalf Of Andrew
> Grieve
> Sent: Wednesday, March 11, 2015 7:16 AM
> To: dev
> Subject: Re: [Vote] 3.8.0 Cordova App Hello World Release
>
> Note that this pulls in the addition of a content-security-policy <meta>
> tag.
> Please ensure that this doesn't break your platform when voting.
>
> On Tue, Mar 10, 2015 at 7:30 PM, Steven Gill <stevengill97@gmail.com>
> wrote:
>
> > Please review and vote on this 3.8.0 Cordova App Hello World Release.
> >
> > Release issue: https://issues.apache.org/jira/browse/CB-8645
> >
> > Repos ready to be released have been published to
> > dist/dev:https://dist.apache.org/repos/dist/dev/cordova/CB-8645
> >
> > The package was published from its corresponding git tag:
> > cordova-app-hello-world: 3.8.0 (0b55140d09)
> >
> > Upon a successful vote I will upload the archive to dist/ and publish
> > it to NPM.
> >
> > Voting guidelines:
> > https://github.com/apache/cordova-coho/blob/master/docs/release-voting.md
> >
> > Voting will go on for a minimum of 48 hours.
> >
> > I vote +1:
> > * Ran coho audit-license-headers over the relevant repos
> > * Ran coho check-license to ensure all dependencies and
> > subdependencies have Apache-compatible licenses
> > * Built a hello world app using the CLI
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
> For additional commands, e-mail: dev-help@cordova.apache.org
>
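The points raised above (the `gap:` and `data:` scheme sources, the path on the `ssl.gstatic.com` entry being ignored, inline styles allowed but `eval()` not) can be checked mechanically. The following is an added example, not code from this thread or from the Cordova project: a small CSP evaluator in JavaScript that parses the policy quoted in the message and answers "is this load allowed?" for a given directive and URL. It models CSP Level 1 host matching, where the path part of a source is ignored, with an `honourPaths` option that applies the prefix matching later CSP levels use, so the two behaviours can be compared side by side. It also reports directive names a browser would not recognise. The page origin `https://app.example`, the function names, and the `KNOWN_DIRECTIVES` list are assumptions of this example; a real Cordova app's origin depends on the platform webview, and the model is not a full implementation of the specification.

```javascript
// Added example, not Cordova's code: a teaching model of CSP source matching
// for the directives discussed in the thread. CSP Level 1 semantics by default
// (host-source paths ignored); opts.honourPaths enables CSP2-style path matching.

// The policy quoted in the thread, as written there.
const THREAD_POLICY = "default-src 'self' data: gap: " +
  "https://ssl.gstatic.com/accessibility/javascript/android/; " +
  "style-src 'self' 'unsafe-inline'; media-src: *";

// Constructed page origin for the checks below (an assumption of this example).
const APP_ORIGIN = 'https://app.example';

// Directive names this model understands; anything else is reported by lintPolicy().
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'frame-ancestors',
  'base-uri', 'form-action', 'report-uri', 'sandbox',
]);

// Parse "name src src; name src" into Map<name, [sources]>. The first occurrence of
// a directive wins, as in browsers; names are kept verbatim so they can be linted.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return directives;
}

// Directive names a browser would not recognise and therefore ignore. "media-src:"
// written with a colon is one: media loads then fall back to default-src.
function lintPolicy(policy) {
  return [...policy.keys()].filter((name) => !KNOWN_DIRECTIVES.has(name));
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Match a host-source such as "https://ssl.gstatic.com/path/" or "*.example.com:8443".
function matchesHostSource(source, url, originUrl, honourPaths) {
  let scheme = originUrl.protocol;                  // no scheme in the source: use the page's
  let rest = source;
  const m = rest.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (m) { scheme = `${m[1]}:`; rest = rest.slice(m[0].length); }
  if (url.protocol !== scheme) return false;

  const slash = rest.indexOf('/');
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? '' : rest.slice(slash);
  const [hostPattern, port] = hostPort.split(':');
  const host = url.hostname.toLowerCase();
  if (hostPattern.startsWith('*.')) {
    if (!host.endsWith(hostPattern.slice(1))) return false; // "*.x.com" matches "a.x.com" only
  } else if (host !== hostPattern) {
    return false;
  }
  // No port in the source means the scheme's default port; the WHATWG URL parser
  // leaves url.port empty when the port is the default.
  if (port === undefined ? url.port !== ''
      : port !== '*' && port !== (url.port || DEFAULT_PORTS[url.protocol])) return false;
  if (honourPaths && path) {                        // CSP2: trailing "/" is a prefix match
    const ok = path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
    if (!ok) return false;
  }
  return true;                                      // CSP1: the path was never consulted
}

// Would a load governed by `directive` (falling back to default-src) be allowed?
function isAllowed(policy, directive, urlText, originText, opts = {}) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;           // nothing governs it: unrestricted
  const url = new URL(urlText);
  const originUrl = new URL(originText);
  return sources.some((s) => {
    if (s === '*') return true;
    if (s === "'self'") return url.origin === originUrl.origin;
    if (s.startsWith("'")) return false;            // 'none', 'unsafe-inline', 'unsafe-eval'
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source: data:, gap:
    return matchesHostSource(s, url, originUrl, Boolean(opts.honourPaths));
  });
}

// Is a keyword such as 'unsafe-eval' or 'unsafe-inline' granted for `directive`?
function allowsKeyword(policy, directive, keyword) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  return sources === undefined || sources.includes(keyword);
}

// What the thread's policy permits under the assumed origin.
function report(policyText, originText) {
  const p = parsePolicy(policyText);
  const gstatic = 'https://ssl.gstatic.com/other/x.js';
  return {
    ignoredDirectives: lintPolicy(p),
    evalAllowed: allowsKeyword(p, 'script-src', "'unsafe-eval'"),
    inlineStyleAllowed: allowsKeyword(p, 'style-src', "'unsafe-inline'"),
    inlineScriptAllowed: allowsKeyword(p, 'script-src', "'unsafe-inline'"),
    gapFrameAllowed: isAllowed(p, 'frame-src', 'gap://ready', originText),
    gstaticAnyPathCsp1: isAllowed(p, 'script-src', gstatic, originText),
    gstaticAnyPathWithPaths: isAllowed(p, 'script-src', gstatic, originText, { honourPaths: true }),
  };
}

console.log(JSON.stringify(report(THREAD_POLICY, APP_ORIGIN), null, 2));
```

Running it shows the whole of `ssl.gstatic.com` allowed for scripts under CSP1 matching but only the listed path once paths are honoured, `gap://` frames permitted through `default-src`, `eval()` blocked because no governing directive carries `'unsafe-eval'`, and `media-src:` (with the colon) listed as a directive the browser would ignore.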
