I think that A) is likely the feasible solution for 3.6.0. B) seems like a 4.0-scope project (but an interesting one; I hadn't considered it working in that direction) We'd probably spend a while debating the particulars -- I don't know if changing the CSP syntax is a good idea, or if we'd want an X-Navigation-Policy header of our own to play with -- but I think that a drastic change of direction like that would require a major version update if it's in core.
The other alternative I see (which goes back to the thread that Andrew linked) is to pull 1, 2, and 3 out of the core, and have plugins for all of it. What changes would we need to make to the plugin architecture to make that happen? On Tue, Aug 12, 2014 at 3:16 PM, Andrew Grieve <agri...@chromium.org> wrote: > A malicious XSS that navigates the page would probably opt to not include > cordova.js :P. > > So - I see there being three kinds of things to have whitelists for: > 1) Top-level navigations, > 2) intents (on supported platforms) > 3) resources / CSP-related requests. > > According to CSP docs here: > > https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives > You cannot use CSP to control 1). > > Right now the whitelist tries to cover 1) and 3), but I think from this > thread: http://markmail.org/thread/hbr5tlopbbl4pnl3 > That we agreed to change it to cover only 1), Although this conversation > will likely be more all-encompassing. > > Options for specifying 1), 2), 3): > A) Keep all three separate, with 1) and 2) in config.xml, and 3) in a > <meta> added by the user > B) Augment the CSP syntax with support for 1) and 2) (as Parashuram > suggested), and have cordova.js extract 1) and 2) out of the <meta>, which > is added by the user. Make the whitelists empty until cordova.js does the > extraction. > C) Have them all specified in config.xml, and have Cordova somehow enforce > 3) on page load. > > Another factor: What is put in config.xml is open to be modified by plugins > (for better or for worse). Might be useful, but I'm not sure of a concrete > use-case (maybe Camera plugin would need this?) > > As Ian pointed out, C) isn't really feasible on Android in all cases, but > I'm torn between A) and B). > > > > On Tue, Aug 12, 2014 at 11:59 AM, Michal Mocny <mmo...@chromium.org> > wrote: > > > Any page navigations have to include cordova.js, right? What about > > injecting the meta tag before deviceready? > > > > > > On Tue, Aug 12, 2014 at 11:54 AM, Ian Clelland <iclell...@chromium.org> > > wrote: > > > > > I love the idea of using CSP for this, especially because it handles > > things > > > that our whitelist intercept code can't, like <video> tags and > > WebSockets. > > > > > > The problem that I've found with it is that we can only enforce it for > > > single-page apps. We can inject our own CSP headers into the > > application's > > > start page very easily, but if the user can leave that page and load > > > another, then the headers will no longer apply. The WebView interface > > won't > > > let use add headers to subsequent pages, so it's up to the developer to > > > include them in a <meta> tag instead. (and malicious attackers, of > > course, > > > won't) > > > > > > For now, I would encourage devs to include that <meta> tag on *all* of > > the > > > pages in their apps, but we can't do it automatically. > > > > > > If it turns out that we can, then I'd be on board with including that > in > > > the 4.0 branch. It's a much better way to do it. Then we'd only need > the > > > second whitelist for launching intents, I think. > > > > > > Ian > > > > > > > > > On Tue, Aug 12, 2014 at 11:48 AM, Parashuram Narasimhan (MS OPEN TECH) > < > > > panar...@microsoft.com> wrote: > > > > > > > Had a quick question on the whitelists. I remember that there was > talk > > of > > > > using CSP to fix this issue. A CSP file may not be backward > compatible, > > > but > > > > could potentially just give us one list instead of 2 whitelists. The > > CSP > > > > file may be like the following > > > > > > > > Content-Security-Policy: > > > > script-src 'self', foo.com, bar.com > > > > img-src cdn.com > > > > intent-src mail, sms > > > > > > > > Note the new intent-src directive, that is basically used to launch > > > > external programs. Do you think this could be something we can look > at, > > > for > > > > 4.0 ? I am not sure if our whitelist xml file maps to a W3C spec, but > > CSP > > > > seems more like a standard. This is breaking, and 4.0 may be the > right > > > time > > > > to do it ? > > > > > > > > -----Original Message----- > > > > From: iclell...@google.com [mailto:iclell...@google.com] On Behalf > Of > > > Ian > > > > Clelland > > > > Sent: Tuesday, August 12, 2014 8:30 AM > > > > To: dev@cordova.apache.org > > > > Subject: Re: [Discuss] 3.6.0 Release > > > > > > > > I've created CB-7291 for the whitelist issue, and I've ported the > code > > > > from June to the new-style configuration architecture and committed > it > > > to a > > > > named CB-7291 branch on cordova-android. > > > > > > > > If anyone has any thoughts/opinions on the syntax or the proposal > > itself, > > > > or on what the defaults should be for new and upgrading applications, > > > > please chime in on the issue. > > > > > > > > > > > > > > > > On Mon, Aug 11, 2014 at 11:26 AM, Parashuram Narasimhan (MS OPEN > TECH) > > < > > > > panar...@microsoft.com> wrote: > > > > > > > > > I think we should also finalize on the platform switches so that we > > > > > all agree on a pattern (even if it is different across platforms). > > > > > This way, we can release 3.6.0 with a set of switches, and ensure > > that > > > > > it is backward compatible. > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: iclell...@google.com [mailto:iclell...@google.com] On Behalf > > Of > > > > > Ian Clelland > > > > > Sent: Monday, August 11, 2014 8:00 AM > > > > > To: dev@cordova.apache.org > > > > > Subject: Re: [Discuss] 3.6.0 Release > > > > > > > > > > I'll see about committing that today; I've had to reorganize it > quite > > > > > a bit after the Big Config Refactor. > > > > > > > > > > Joe, I'm pretty certain that your code is still in master, but > > > > > definitely add those tests to make sure, and to make sure we don't > > > > regress. > > > > > > > > > > Ian > > > > > > > > > > > > > > > On Mon, Aug 11, 2014 at 10:52 AM, Marcel Kinard < > cmarc...@gmail.com> > > > > > wrote: > > > > > > > > > > > I agree with Joe. > > > > > > > > > > > > On Aug 11, 2014, at 10:02 AM, Joe Bowser <bows...@gmail.com> > > wrote: > > > > > > > > > > > > > Let's not release until the new whitelist is figured out. That > > > > > > > feature > > > > > > is > > > > > > > too important. > > > > > > > > > > > > > > > > > > > > >
