cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Grieve <agri...@chromium.org>
Subject Re: CSP policy
Date Thu, 12 Mar 2015 17:47:07 GMT
Added comment with these points to the template.

On Wed, Mar 11, 2015 at 9:37 PM, Andrew Grieve <agrieve@chromium.org> wrote:

> Great questions! Certainly was hoping to get more eyes on this!
>
> Not sure where a good spot to document this is, but maybe right in the
> template is okay? That way users will also know the rationale :)
>
>
>
> On Wed, Mar 11, 2015 at 2:04 PM, Nikhil Khandelwal <nikhilkh@microsoft.com
> > wrote:
>
>> Thanks for bringing this to notice. Forking the thread for better
>> understanding of the default CSP policy. Can you provide more details of
>> the rationale behind this CSP policy?
>>         <meta http-equiv="Content-Security-Policy" content="default-src
>> 'self' data: gap:
>> https://ssl.gstatic.com/accessibility/javascript/android/; style-src
>> 'self' 'unsafe-inline'; media-src: *">
>>
>> Few specific questions:
>> - 'gap:' - could not find documentation on this - what does this mean?
>>
> Needed only on iOS, because it navigates iframes to that URL for it's
> exec() bridge.
>
>
>> - Why is https://ssl.gstatic.com/accessibility/javascript/android/ URL
>> there for all platforms? Why is it even needed for Android?
>>
> Needed only on Android and is needed (crazily) to not break TalkBack
> (screen reader). Note that CSP right now ignores paths, so that actually
> has the effect of whitelisting all of ssl.gstatic.com
>
>
>> - 'unsafe-eval' is not present - does that mean evals do not work. I know
>> a number of templating libraries depend on this.
>>
> Correct. My thinking here is that both FFOS and Chrome Apps both decided
> that this is a good policy for packaged apps with access to "dangerous"
> APIs, and so it would make a good default for us as well.
>
>
>>
>> Thanks,
>> Nikhil
>>
>>
>> -----Original Message-----
>> From: agrieve@google.com [mailto:agrieve@google.com] On Behalf Of Andrew
>> Grieve
>> Sent: Wednesday, March 11, 2015 7:16 AM
>> To: dev
>> Subject: Re: [Vote] 3.8.0 Cordova App Hello World Release
>>
>> Note that this pulls in the addition of a content-security-policy <meta>
>> tag.
>> Please ensure that this doesn't break your platform when voting.
>>
>> On Tue, Mar 10, 2015 at 7:30 PM, Steven Gill <stevengill97@gmail.com>
>> wrote:
>>
>> > Please review and vote on this 3.8.0 Cordova App Hello World Release.
>> >
>> > Release issue: https://issues.apache.org/jira/browse/CB-8645
>> >
>> > Repos ready to be released have been published to
>> > dist/dev:https://dist.apache.org/repos/dist/dev/cordova/CB-8645
>> >
>> > The package was published from its corresponding git tag:
>> > cordova-app-hello-world: 3.8.0 (0b55140d09)
>> >
>> > Upon a successful vote I will upload the archive to dist/ and publish
>> > it to NPM.
>> >
>> > Voting guidelines:
>> > https://github.com/apache/cordova-coho/blob/master/docs/release-voting
>> > .md
>> >
>> > Voting will go on for a minimum of 48 hours.
>> >
>> > I vote +1:
>> > * Ran coho audit-license-headers over the relevant repos
>> > * Ran coho check-license to ensure all dependencies and
>> > subdependencies have Apache-compatible licenses
>> > * Built a hello world app using the CLI
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
>> For additional commands, e-mail: dev-help@cordova.apache.org
>>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message