This recent security talk covers why inline scripts are on the way out:
https://www.youtube.com/watch?feature=player_embedded&v=WljJ5guzcLs

A good amount of the spec deals with application distribution, which is out
of our hands when talking about App Stores.

It uses a separate AppCache manifest to define what files are in the
bundle. Does this not imply that the whitelist is still in effect via the
Network: section of the AppCache manifest?

On Wed, Mar 20, 2013 at 10:10 AM, Braden Shepherdson <[email protected]> wrote:

> On the subject of no inline scripts or eval, this is used in the new v2
> Chrome Apps too. It eliminates a wide spectrum of security risks at a
> stroke, though it does require changing some of the older web dev practices
> (onclick="whatever", primarily). If you're already attaching handlers using
> jQuery, or using something like AngularJS, this is no change.
>
> Only loading scripts from inside the app package, I'm not sure. It
> eliminates the possibility of using a CDN, but the caching benefits of that
> are inferior to shipping the files in the bundle.
>
> Braden
>
>
> On Wed, Mar 20, 2013 at 6:46 AM, Brian LeRoux <[email protected]> wrote:
>
> > Ok, picking this up again. At the working group, Fil, it would be good
> > to give our feedback on the manifest as it has related to the Cordova
> > reality.
> >
> > I really dislike:
> >
> > - scripts can only be loaded from inside the app package
> > - no inline scripts, no eval
> >
> > I really like the idea of killing the whitelist feature..
> >
> >
> > > On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <[email protected]> wrote:
> > > > Thanks for the highlights, Fil.  Makes for easier reading!
> > >
> > >
> > > On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <[email protected]> wrote:
> > >
> > >> Highlights w.r.t. Cordova:
> > >>
> > >> 1. Application manifest JSON (yay!) [1]:
> > >>
> > >> 2. There is an Application interface now in charge of handling:
> > >>   - pause/resume/launch/terminate events
> > >>   - readonly parameters such as install time, origin, parameters,
> > >>     update state (downloading, installing), package size
> > >>   - methods such as exit, hide, uninstall, update (interesting!)
> > >>     - related to update, the spec calls for the update firing
> > >> asynchronously, reporting back progress events to the app. metaaaa
> > >> 3. App Management interface, which is deemed a "privileged" API, to
> > >>    get events about the (un)installation of other applications.
> > >>
> > >> Interesting "security" conclusions [2]:
> > >>
> > >> - scripts can only be loaded from inside the app package
> > >> - no inline scripts, no eval
> > >> - "Media (audio and video) can still be loaded from anywhere;" => this
> > >> should inform our media APIs once we get to the audit and finally
> > >> determine that the whitelist has no effect on media. This already
> > >> applies to images on the web.
> > >> - "Network connections can still be opened anywhere using data-centric
> > >> APIs like XMLHttpRequest or WebSocket." => implication here is that
> > >> the whitelist is, really, useless (which has been my opinion always :D )
> > >>
> > >> Related, I will be attending the SysApps Face to Face in Madrid [3]
> > >> next month. If anyone from the Cordova community has specific issues
> > >> that they would like to see addressed, let me know!
> > >>
> > >> [1] http://runtime.sysapps.org/#application-manifest
> > >> [2] http://runtime.sysapps.org/#csp-policy
> > >> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
> > >>
> > >> On 3/18/13 9:03 AM, "Giorgio Natili" <[email protected]> wrote:
> > >>
> > >> >It should be followed (I have had a quick look) but it depends what
> > >> >it means from a development point of view.
> > >> >I mean that there is already a roadmap and that this draft should
> > >> >impact a lot, so it is up to the contributors to try to explain to us
> > >> >how much effort is required.
> > >> >
> > >> >Giorgio
> > >> >
> > >> >On 3/18/13 8:02 AM, "Brian LeRoux" <[email protected]> wrote:
> > >> >
> > >> >>Have a look: http://runtime.sysapps.org/
> > >> >>
> > >> >>What do we think?
> > >> >
> > >> >
> > >>
> > >>
> >
>

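Since the thread keeps coming back to what the "no inline scripts, no eval, scripts only from inside the package" rules would mean for existing Cordova apps, here is a small audit script as an added example. It is not from the thread, from Cordova or from the SysApps spec. It assumes regex heuristics are good enough for a first pass over a page (no real HTML parser), and it works on two constructed sample pages: the first contains the onclick="..." handler, inline script, eval and CDN-loaded script that the messages above mention; the second is the same page after the migration Braden describes. External images are deliberately not flagged, since the quoted CSP section leaves media and network connections unrestricted.

```javascript
// Added example, not code from the thread or from Cordova/SysApps: scan an
// HTML page for the constructs the SysApps runtime CSP discussed above would
// reject. Regex heuristics only (assumption: a first audit pass does not need
// a full HTML parser); the sample pages below are constructed, not real apps.

// Constructed sample: the kind of page an older Cordova app might ship.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head>
  <meta charset="utf-8">
  <script src="https://cdn.example.com/lib.js"></script>
  <script src="js/app.js"></script>
  <script>
    document.title = eval("'Hello'");
  </script>
</head><body>
  <button onclick="doThing()">Go</button>
  <a href="javascript:void(0)">link</a>
  <img src="http://images.example.com/logo.png">
</body></html>`;

// Constructed sample after migration: packaged script, handler attached from
// JS, external image left alone (images and media are not restricted).
const CLEAN_HTML = `<!DOCTYPE html>
<html><head><script src="js/app.js"></script></head>
<body><button id="go">Go</button>
<img src="http://images.example.com/logo.png"></body></html>`;

// True for absolute URLs (scheme:// or protocol-relative //), i.e. anything
// that would be fetched from outside the app package.
function isExternal(url) {
  return /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(url.trim());
}

// Returns a list of { kind, detail } findings for `html`.
function findCspViolations(html) {
  const findings = [];
  let m;

  // 1. <script> elements: external sources, inline bodies, eval in bodies.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(attrs);
    if (src) {
      const url = src[1] !== undefined ? src[1] : src[2];
      if (isExternal(url)) findings.push({ kind: 'external-script', detail: url });
    } else if (body.trim()) {
      findings.push({ kind: 'inline-script', detail: body.trim().split('\n')[0] });
      // eval / new Function are blocked regardless of where the script lives.
      if (/\b(?:eval|new\s+Function)\s*\(/.test(body)) {
        findings.push({ kind: 'eval', detail: 'eval/new Function in inline script' });
      }
    }
  }

  // 2. Every start tag: inline on* handler attributes and javascript: URLs.
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (/^on[a-z]+$/.test(name)) {
        findings.push({ kind: 'inline-handler', detail: `<${tag} ${name}>` });
      } else if (['href', 'src', 'action'].includes(name) && /^javascript:/i.test(value)) {
        findings.push({ kind: 'javascript-url', detail: `<${tag} ${name}>` });
      }
    }
  }
  return findings;
}

// Count findings per kind, e.g. { 'inline-handler': 1, ... }.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.kind] = (acc[f.kind] || 0) + 1;
    return acc;
  }, {});
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findCspViolations(SAMPLE_HTML)) console.log(f.kind, '-', f.detail);
  console.log('clean page findings:', findCspViolations(CLEAN_HTML).length);
}
```

Run it with node. On the first sample it reports the CDN script, the inline script, the eval call, the onclick attribute and the javascript: href; the relative js/app.js and the external image pass. Moving the handler and the inline body into js/app.js is exactly the change that turns the first page into the second, which produces no findings.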