While I respect the benefits I really doubt we can get rid of eval and inline scripts ever. That's the nature of the web.

Subsequent efforts that forget this facet of the web and pretend to fix the issue have thus far tended to fail. In any case, we are unable to fix this issue unless we start shipping a browser, which we're not going to do anytime soon if ever at all.

On Wed, Mar 20, 2013 at 2:23 PM, Filip Maj <[email protected]> wrote:
> Ah thanks for clarifying
>
> On 3/20/13 2:17 PM, "Andrew Lunny" <[email protected]> wrote:
>
>> On 20 March 2013 13:54, Filip Maj <[email protected]> wrote:
>>
>>> Actually dude talks about CSP 1.1 supporting whitelisting of inline
>>> scripts ?
>>
>> The relevant bit in the CSP spec is:
>> http://www.w3.org/TR/CSP/#script-src
>>
>> tldr: servers can send CSPs (policies) that do allow inline scripts, but
>> the policy specified by sysapps[1] does not.
>>
>> [1] default-src *; script-src 'self'; object-src 'none'; style-src 'self'
>>
>>> On 3/20/13 8:39 AM, "Andrew Grieve" <[email protected]> wrote:
>>>
>>>> This recent security talk talks about why inline scripts are on the way
>>>> out:
>>>> https://www.youtube.com/watch?feature=player_embedded&v=WljJ5guzcLs
>>>>
>>>> A good amount of the spec deals with application distribution, which is
>>>> out of our hands when talking about App Stores.
>>>>
>>>> It uses a separate AppCache manifest to define what files are in the
>>>> bundle. Does this not imply that the whitelist is still in effect via the
>>>> Network: section of the AppCache manifest?
>>>>
>>>> On Wed, Mar 20, 2013 at 10:10 AM, Braden Shepherdson
>>>> <[email protected]> wrote:
>>>>
>>>>> On the subject of no inline scripts or eval, this is used in the new v2
>>>>> Chrome Apps too. It eliminates a wide spectrum of security risks at a
>>>>> stroke, though it does require changing some of the older web dev
>>>>> practices (onclick="whatever", primarily). If you're already attaching
>>>>> handlers using jQuery, or using something like AngularJS, this is no
>>>>> change.
>>>>>
>>>>> Only loading scripts from inside the app package, I'm not sure. It
>>>>> eliminates the possibility of using a CDN, but the caching benefits of
>>>>> that are inferior to shipping the files in the bundle.
>>>>>
>>>>> Braden
>>>>>
>>>>> On Wed, Mar 20, 2013 at 6:46 AM, Brian LeRoux <[email protected]> wrote:
>>>>>
>>>>>> Ok, picking this up again. At the working group Fil it would be good
>>>>>> to give our feedback on the manifest as it has related to the Cordova
>>>>>> reality.
>>>>>>
>>>>>> I really dislike:
>>>>>>
>>>>>> - scripts can only be loaded from inside the app package
>>>>>> - no inline scripts, no eval
>>>>>>
>>>>>> I really like the idea of killing the whitelist feature..
>>>>>>
>>>>>> On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <[email protected]> wrote:
>>>>>>> Thanks for the highlights Fil. Makes for easier reading!
>>>>>>>
>>>>>>> On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <[email protected]> wrote:
>>>>>>>
>>>>>>>> Highlights w.r.t. Cordova:
>>>>>>>>
>>>>>>>> 1. Application manifest JSON (yay!) [1]:
>>>>>>>>
>>>>>>>> 2. There is an Application interface now in charge of handling:
>>>>>>>> - pause/resume/launch/terminate events
>>>>>>>> - readonly parameters such as install time, origin, parameters,
>>>>>>>> update state (downloading, installing), package size
>>>>>>>> - methods such as exit, hide, uninstall, update (interesting!)
>>>>>>>> - related to update, the spec calls for the update firing
>>>>>>>> asynchronously, reporting back progress events to the app. metaaaa
>>>>>>>> 3. App Management interface, which is deemed as a "privileged" API,
>>>>>>>> to get events about the (un)installation of other applications.
>>>>>>>>
>>>>>>>> Interesting "security" conclusions [2]:
>>>>>>>>
>>>>>>>> - scripts can only be loaded from inside the app package
>>>>>>>> - no inline scripts, no eval
>>>>>>>> - "Media (audio and video) can still be loaded from anywhere;" =>
>>>>>>>> this should inform our media APIs once we get to the audit and
>>>>>>>> finally determine that the whitelist has no effect on media. This
>>>>>>>> already applies to images on the web.
>>>>>>>> - "Network connections can still be opened anywhere using
>>>>>>>> data-centric APIs like XMLHttpRequest or WebSocket." => implication
>>>>>>>> here is that the whitelist is, really, useless (which has been my
>>>>>>>> opinion always :D )
>>>>>>>>
>>>>>>>> Related, I will be attending the SysApps Face to Face in Madrid [3]
>>>>>>>> next month. If anyone from the Cordova community has specific issues
>>>>>>>> that they would like to see addressed, let me know!
>>>>>>>>
>>>>>>>> [1] http://runtime.sysapps.org/#application-manifest
>>>>>>>> [2] http://runtime.sysapps.org/#csp-policy
>>>>>>>> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
>>>>>>>>
>>>>>>>> On 3/18/13 9:03 AM, "Giorgio Natili" <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> It should be followed (I have had a quick look) but it depends what
>>>>>>>>> it means from a development point of view.
>>>>>>>>> I mean that there is already a roadmap and that this draft should
>>>>>>>>> impact a lot, so it is up to the contributors to try to explain to
>>>>>>>>> us how much effort is required.
>>>>>>>>>
>>>>>>>>> Giorgio
>>>>>>>>>
>>>>>>>>> On 3/18/13 8:02 AM, "Brian LeRoux" <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Have a look: http://runtime.sysapps.org/
>>>>>>>>>>
>>>>>>>>>> What do we think?
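The sysapps policy quoted in the thread, run through a small CSP evaluator to show why it blocks inline scripts, eval and CDN scripts while still letting XMLHttpRequest/WebSocket and media reach any host (connect-src and media-src fall back to `default-src *`). This is an added example, not code from the thread, from Cordova or from the sysapps spec; the `app://example` and `https://cdn.example.net` origins are made-up values.

```javascript
// Added example: a minimal CSP source-list evaluator covering only what the
// thread discusses: fetch directives falling back to default-src, plus the
// 'self', 'none', '*', 'unsafe-inline' and 'unsafe-eval' keywords. Host
// matching is simplified to exact origin comparison (no wildcards, no paths).
const SYSAPPS_POLICY =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";

// "name src src ...; name ..." -> { name: [sources] }
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// A fetch directive (script-src, connect-src, media-src, ...) that is absent
// from the policy is governed by default-src.
function sourcesFor(policy, directive) {
  return policy[directive] || policy['default-src'] || [];
}

function allowsOrigin(policy, directive, origin, selfOrigin) {
  const sources = sourcesFor(policy, directive);
  if (sources.includes("'none'")) return false;
  if (sources.includes('*')) return true;
  if (sources.includes("'self'") && origin === selfOrigin) return true;
  return sources.includes(origin);
}

// 'unsafe-inline' / 'unsafe-eval' must appear in the governing script-src.
function scriptSrcHas(policy, keyword) {
  return sourcesFor(policy, 'script-src').includes(keyword);
}

// What a packaged app at `selfOrigin` may do under `policyText`; `remote`
// stands in for a CDN or API host. Both origins are constructed values.
function summarise(policyText, selfOrigin, remote) {
  const p = parsePolicy(policyText);
  return {
    inlineScript: scriptSrcHas(p, "'unsafe-inline'"), // onclick="..." etc.
    evalAllowed: scriptSrcHas(p, "'unsafe-eval'"),
    packagedScript: allowsOrigin(p, 'script-src', selfOrigin, selfOrigin),
    cdnScript: allowsOrigin(p, 'script-src', remote, selfOrigin),
    xhrAnywhere: allowsOrigin(p, 'connect-src', remote, selfOrigin),
    mediaAnywhere: allowsOrigin(p, 'media-src', remote, selfOrigin),
  };
}
```

Swapping `default-src *` for `default-src 'self'` is what would make connect-src restrictive; adding `'unsafe-inline'` to script-src is the opt-in Andrew Lunny refers to.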
