Author: janpio Date: Wed Sep 30 18:32:31 2020 New Revision: 1882165 URL: http://svn.apache.org/viewvc?rev=1882165&view=rev Log: Updated docs
Modified: cordova/site/public/blog/index.html cordova/site/public/feed.xml cordova/site/public/news/2020/09/18/camera-plugin-release.html cordova/site/public/news/2020/09/29/cve-2020-6506.html Modified: cordova/site/public/blog/index.html URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1882165&r1=1882164&r2=1882165&view=diff ============================================================================== --- cordova/site/public/blog/index.html (original) +++ cordova/site/public/blog/index.html Wed Sep 30 18:32:31 2020 @@ -139,12 +139,10 @@ </div> </header> <section class="post-excerpt"> - <p><h1>Security Advisory CVE-2020-6506</h1> - -<h3>Formally Disclosed Advisory:</h3> + <p><h3>Formally Disclosed Advisory:</h3> <ul> -<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li> +<li><a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1083819">https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</a></li> </ul> <p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability in Android WebView which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. Apache Cordova apps built for Android devices which allow the loading of http content from domains they do not control could be affected. Theoretically this would be either in an iframe, or by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p> 
@@ -162,14 +160,14 @@ Users must update their Android WebView <li>Use a restrictive an allow-list and content security policy (CSP) as possible.<br> <ul> -<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li> +<li><a href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</a></li> <li>Ensure CSPs do not include 'unsafe-line' for script-src/default-src unless necessary.</li> </ul></li> <li>Generally, always load local code into your application's main webview, and use InAppBrowser to display anything remote. <ul> <li>Always load untrusted content into an external browser (i.e. call InAppBrowser with <code>_system</code>)</li> -<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li> +<li><a href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</a></li> </ul></li> <li><p>Do not use iframes, and if you must, never do so in your application's main webview. Using the <code>sandbox</code> attribute will mitigate this vulnerability ( preferably with an empty value. ) Avoid using these sandbox attributes together <code>allow-popups allow-top-navigation allow-scripts</code> because they do NOT mitigate this vulnerability.</p> <div class="highlight"><pre><code class="language-js" data-lang="js"><span class="o"><</span><span class="nx">iframe</span> <span class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span> <span class="nx">src</span><span class="o">=</span><span class="s1">'http://untrusted-source'</span> <span class="o">/></span> 
@@ -183,9 +181,11 @@ Users must update their Android WebView <h3>Additional References</h3> <ul> -<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li> -<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li> +<li><a href="https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/">https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</a></li> +<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">https://nvd.nist.gov/vuln/detail/CVE-2020-6506</a></li> </ul> + +<p><em>edit: fixed links that weren't linking</em> -JM</p> </p> <div><a href="/news/2020/09/29/cve-2020-6506.html">More...</a></div> </section> Modified: cordova/site/public/feed.xml URL: http://svn.apache.org/viewvc/cordova/site/public/feed.xml?rev=1882165&r1=1882164&r2=1882165&view=diff ============================================================================== --- cordova/site/public/feed.xml (original) +++ cordova/site/public/feed.xml Wed Sep 30 18:32:31 2020 
@@ -6,18 +6,16 @@ </description> <link>https://cordova.apache.org/</link> <atom:link href="https://cordova.apache.org/feed.xml" rel="self" type="application/rss+xml"/> - <pubDate>Tue, 29 Sep 2020 19:01:29 +0000</pubDate> - <lastBuildDate>Tue, 29 Sep 2020 19:01:29 +0000</lastBuildDate> + <pubDate>Wed, 30 Sep 2020 18:12:36 +0000</pubDate> + <lastBuildDate>Wed, 30 Sep 2020 18:12:36 +0000</lastBuildDate> <generator>Jekyll v2.5.3</generator> <item> <title>Security Advisory CVE-2020-6506</title> - <description><h1>Security Advisory CVE-2020-6506</h1> - -<h3>Formally Disclosed Advisory:</h3> + <description><h3>Formally Disclosed Advisory:</h3> <ul> -<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li> +<li><a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1083819">https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</a></li> </ul> <p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability in Android WebView which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. Apache Cordova apps built for Android devices which allow the loading of http content from domains they do not control could be affected. Theoretically this would be either in an iframe, or by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p> 
@@ -35,14 +33,14 @@ Users must update their Android WebView <li>Use a restrictive an allow-list and content security policy (CSP) as possible.<br> <ul> -<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li> +<li><a href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</a></li> <li>Ensure CSPs do not include &#39;unsafe-line&#39; for script-src/default-src unless necessary.</li> </ul></li> <li>Generally, always load local code into your application&#39;s main webview, and use InAppBrowser to display anything remote. <ul> <li>Always load untrusted content into an external browser (i.e. call InAppBrowser with <code>_system</code>)</li> -<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li> +<li><a href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</a></li> </ul></li> <li><p>Do not use iframes, and if you must, never do so in your application&#39;s main webview. Using the <code>sandbox</code> attribute will mitigate this vulnerability ( preferably with an empty value. ) Avoid using these sandbox attributes together <code>allow-popups allow-top-navigation allow-scripts</code> because they do NOT mitigate this vulnerability.</p> <div class="highlight"><pre><code class="language-js" data-lang="js"><span class="o">&lt;</span><span class="nx">iframe</span> <span class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span> <span class="nx">src</span><span class="o">=</span><span class="s1">'http://untrusted-source'</span> <span class="o">/&gt;</span> 
@@ -56,9 +54,11 @@ Users must update their Android WebView <h3>Additional References</h3> <ul> -<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li> -<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li> +<li><a href="https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/">https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</a></li> +<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">https://nvd.nist.gov/vuln/detail/CVE-2020-6506</a></li> </ul> + +<p><em>edit: fixed links that weren&#39;t linking</em> -JM</p> </description> <pubDate>Tue, 29 Sep 2020 00:00:00 +0000</pubDate> <link>https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html</link> Modified: cordova/site/public/news/2020/09/18/camera-plugin-release.html URL: http://svn.apache.org/viewvc/cordova/site/public/news/2020/09/18/camera-plugin-release.html?rev=1882165&r1=1882164&r2=1882165&view=diff ============================================================================== --- cordova/site/public/news/2020/09/18/camera-plugin-release.html (original) +++ cordova/site/public/news/2020/09/18/camera-plugin-release.html Wed Sep 30 18:32:31 2020 
@@ -240,7 +240,7 @@ Reference: https://github.com/jekyll/jekyll/issues/2860 --> - Security Advisory CVE-2020-6506 Formally Disclosed Advisory: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 This vulnerability is a universal... + Formally Disclosed Advisory: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 This vulnerability is a universal cross-site scripting (UXSS)... </p> </div> Modified: cordova/site/public/news/2020/09/29/cve-2020-6506.html URL: http://svn.apache.org/viewvc/cordova/site/public/news/2020/09/29/cve-2020-6506.html?rev=1882165&r1=1882164&r2=1882165&view=diff ============================================================================== --- cordova/site/public/news/2020/09/29/cve-2020-6506.html (original) +++ cordova/site/public/news/2020/09/29/cve-2020-6506.html Wed Sep 30 18:32:31 2020 @@ -6,7 +6,7 @@ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width" /> - <meta name="description" content="Security Advisory CVE-2020-6506Formally Disclosed Advisory:https://bugs.chromium.org/p/chromium/issues/detail?id=1083819This vulnerability is a universal cro..."> + <meta name="description" content="Formally Disclosed Advisory:https://bugs.chromium.org/p/chromium/issues/detail?id=1083819This vulnerability is a universal cross-site scripting (UXSS) vulner..."> <title> 
@@ -130,12 +130,10 @@ </header> <section> <div> - <h1>Security Advisory CVE-2020-6506</h1> - -<h3>Formally Disclosed Advisory:</h3> + <h3>Formally Disclosed Advisory:</h3> <ul> -<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li> +<li><a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1083819">https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</a></li> </ul> <p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability in Android WebView which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. Apache Cordova apps built for Android devices which allow the loading of http content from domains they do not control could be affected. Theoretically this would be either in an iframe, or by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p> 
@@ -153,14 +151,14 @@ Users must update their Android WebView <li>Use a restrictive an allow-list and content security policy (CSP) as possible.<br> <ul> -<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li> +<li><a href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</a></li> <li>Ensure CSPs do not include 'unsafe-line' for script-src/default-src unless necessary.</li> </ul></li> <li>Generally, always load local code into your application's main webview, and use InAppBrowser to display anything remote. <ul> <li>Always load untrusted content into an external browser (i.e. call InAppBrowser with <code>_system</code>)</li> -<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li> +<li><a href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</a></li> </ul></li> <li><p>Do not use iframes, and if you must, never do so in your application's main webview. Using the <code>sandbox</code> attribute will mitigate this vulnerability ( preferably with an empty value. ) Avoid using these sandbox attributes together <code>allow-popups allow-top-navigation allow-scripts</code> because they do NOT mitigate this vulnerability.</p> <div class="highlight"><pre><code class="language-js" data-lang="js"><span class="o"><</span><span class="nx">iframe</span> <span class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span> <span class="nx">src</span><span class="o">=</span><span class="s1">'http://untrusted-source'</span> <span class="o">/></span> 
@@ -174,10 +172,12 @@ Users must update their Android WebView <h3>Additional References</h3> <ul> -<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li> -<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li> +<li><a href="https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/">https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</a></li> +<li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">https://nvd.nist.gov/vuln/detail/CVE-2020-6506</a></li> </ul> +<p><em>edit: fixed links that weren't linking</em> -JM</p> + </div> </section> <footer> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cordova.apache.org For additional commands, e-mail: commits-h...@cordova.apache.org
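Review bot: in the blog/index.html hunk at `@@ -139,12 +139,10 @@`, the added line `+ <p><h3>Formally Disclosed Advisory:</h3>` keeps the excerpt's block-level content (headings, lists, `<div class="highlight">`) wrapped in a `<p>`, and the matching `</p>` only appears after the references list in the `@@ -183` hunk. A `<p>` cannot contain block elements, so browsers implicitly close it at the `<h3>` and the trailing `</p>` becomes a stray tag. Since the wrapper comes from the excerpt template rather than the post, consider emitting the excerpt inside a `<div>` instead of a `<p>`.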
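Review bot: in the blog/index.html hunk at `@@ -162,14 +160,14 @@`, the unchanged context line `<li>Ensure CSPs do not include 'unsafe-line' for script-src/default-src unless necessary.</li>` carries a typo in the CSP keyword; the source expression is `'unsafe-inline'`, and a reader copying the advice verbatim would not find `'unsafe-line'` in any CSP reference. The preceding context line `Use a restrictive an allow-list and content security policy (CSP) as possible.` also reads as a grammatical slip (presumably "Use as restrictive an allow-list and content security policy (CSP) as possible."). Both sit next to lines this hunk already rewrites, so they could be corrected in the same change. Two smaller points in the same hunk: the highlighted snippet is tagged `language-js` / `data-lang="js"` although it is HTML markup, and `<iframe ... />` is not a void element in HTML, so the example should close with `</iframe>`.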
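Review bot: the feed.xml hunk at `@@ -35,14 +33,14 @@` repeats the same `'unsafe-line'` context line as the blog and post copies, which illustrates that this commit edits three generated copies of one advisory under `site/public/`. Any correction (the CSP keyword typo, the grammar of the allow-list bullet) belongs in the source post that Jekyll renders, so all three outputs stay consistent on the next build rather than drifting apart.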
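Review bot: in the cve-2020-6506.html hunk at `@@ -6,7 +6,7 @@`, the new `<meta name="description" ...>` value is built by stripping tags with no separator, producing `Advisory:https://bugs.chromium.org/...This vulnerability is a universal`. Search engines and social previews will show that run-together text; consider having the description generator join stripped elements with a space (or build the description from the first paragraph only) so the summary reads cleanly.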