cordova-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-12770) Update guide/appdev/security with up-to-date content
Date Mon, 08 May 2017 21:30:04 GMT

    [ https://issues.apache.org/jira/browse/CB-12770?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16001577#comment-16001577 ]

ASF GitHub Bot commented on CB-12770:
-------------------------------------

Github user kerrishotts commented on a diff in the pull request:

    https://github.com/apache/cordova-docs/pull/703#discussion_r115357887
  
    --- Diff: www/docs/en/dev/guide/appdev/security/index.md ---
    @@ -27,69 +27,155 @@ description: Information and tips for building a secure application.
     The following guide includes some security best practices that you should consider when
developing a Cordova application. Please be aware that security is a very complicated topic
and therefore this guide is not exhaustive. If you believe you can contribute to this guide,
please feel free to file an issue in Cordova's bug tracker under ["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407).
 This guide is designed to be applicable to general Cordova development (all platforms) but
special platform-specific considerations will be noted.
     
     ## This guide discusses the following topics:
    +
    +* General Tips
    +* Plugins and Security
    +* Content Security Policy
     * Whitelist
    -* Iframes and the Callback Id Mechanism
     * Certificate Pinning
     * Self-signed Certificates
    +* Wrapping external sites and hot code push
     * Encrypted storage
    -* General Tips
     * Recommended Articles and Other Resources
     
    +## General Tips
    +
    +### Use InAppBrowser for outside links
    +
    +Use the InAppBrowser when opening links to any outside website. This is much safer than
whitelisting a domain name and including the content directly in your application because
the InAppBrowser will use the native browser's security features and will not give the website
access to your Cordova environment. Even if you trust the third party website and include
it directly in your application, that third party website could link to malicious web content.
    +
    +### Validate all user input
    +
    +Always validate any and all input that your application accepts. This includes usernames,
passwords, dates, uploaded media, etc. Because an attacker could manipulate your HTML and
JS assets (either by decompiling your application or using debugging tools like `chrome://inspect`),
this validation should also be performed on your server, especially before handing the data
off to any backend service.
    +
    +> **Tip**: Other sources where data should be validated: user documents, contacts,
push notifications
    +
    +### Do not cache sensitive data
    +
    +If usernames, password, geolocation information, and other sensitive data is cached,
then it could potentially be retrieved later by an unauthorized user or application.
    +
    +### Don't use eval()
    +
    +The JavaScript function eval() has a long history of being abused. Using it incorrectly
can open your code up for injection attacks, debugging difficulties, and slower code execution.
    +
    +### Do not assume that your source code is secure
    +
    +Since a Cordova application is built from HTML and JavaScript assets that get packaged
in a native container, you should not consider your code to be secure. It is possible to reverse
engineer a Cordova application.
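Review bot: the "Do not cache sensitive data" section names the risk but gives the reader nothing to do about it; since the table of contents in this same hunk lists "Encrypted storage", point there (e.g. "If such data must be persisted, see the Encrypted storage section below") so the tip is actionable rather than only a warning. While in that paragraph, `If usernames, password, geolocation information, and other sensitive data is cached,` should read "usernames, passwords, ... are cached". The closing "Do not assume that your source code is secure" section would likewise be stronger if it spelled out the consequence the reader should draw from "It is possible to reverse engineer a Cordova application": anything shipped in the packaged HTML/JS assets should be treated as readable by an attacker, which is also the reason the "Validate all user input" section insists on server-side validation.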
    --- End diff --
    
    Mmm -- I like that much better. :-)


> Update guide/appdev/security with up-to-date content
> ----------------------------------------------------
>
>                 Key: CB-12770
>                 URL: https://issues.apache.org/jira/browse/CB-12770
>             Project: Apache Cordova
>          Issue Type: Task
>          Components: cordova-docs
>            Reporter: Kerri Shotts
>            Assignee: Kerri Shotts
>              Labels: docs, security
>
> Updating with issues I've commonly seen elsewhere (CSP, wrapping external sites, etc.); reordering a bit; removing really old bits.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


