RE: Proposal for CSP support

2015-02-25 Thread Chuck Lantz
cess at all. This essentially would follow suit with the idea that a different CSP policy can be applied by top level page nav. -Chuck -Original Message- From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve Sent: Tuesday, February 24, 2015 7:18 PM To: dev Subject

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
dropped either now or sometime in the future. > > -Chuck > > -Original Message- > From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew > Grieve > Sent: Tuesday, February 24, 2015 12:15 PM > To: dev > Subject: Re: Proposal for CSP support > > De

RE: Proposal for CSP support

2015-02-24 Thread Chuck Lantz
cy-whitelist gets dropped either now or sometime in the future. -Chuck -Original Message- From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve Sent: Tuesday, February 24, 2015 12:15 PM To: dev Subject: Re: Proposal for CSP support Definitely hoping that we can have a

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
ents like allow-navigation be introduced for iOS and > other platforms as well? > > -Chuck > > -Original Message- > From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew > Grieve > Sent: Tuesday, February 24, 2015 7:59 AM > To: dev > Subject

RE: Proposal for CSP support

2015-02-24 Thread Chuck Lantz
: dev Subject: Re: Proposal for CSP support I'm not sure allowing plugins to modify an app's security policy is a good idea because CSP only really works when the dev understands it and puts thought into it. A build step for CSP might be tricky because we don't actually know which .html f

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
; > gap > > > > in the web standard as a whole.) > > > > > > > > 3. Eval is actually a bit tougher - I know when we've looked at this in > > the > > > > past it impacted JS frameworks far more than inline did. (Ex: With > > > Angular &g

Re: Proposal for CSP support

2015-02-24 Thread Michal Mocny
but it > also > > > could cause the default template to appear to "not work." If we omit > the > > > "unsafe-eval" directive in the CSP policy in the template we'll want to > > be > > > crystal clear on how to alter it. That could be so

Re: Proposal for CSP support

2015-02-24 Thread Andrew Grieve
> documentation and blog posts though. > > > > 4. I'd suggest we also consider the new "browser" platform here since > > Chrome/Firefox/IE (as of Win 10) have support. Should be "free", but I'm > > guessing the metadata tag injection you mention

Re: Proposal for CSP support

2015-02-20 Thread Jason Chase
we could > probably just do all-up rather than only for specific platforms. > > -Chuck > > -Original Message- > From: mmo...@google.com [mailto:mmo...@google.com] On Behalf Of Michal > Mocny > Sent: Thursday, February 19, 2015 2:25 PM > To: dev > Subject: Re: P

RE: Proposal for CSP support

2015-02-20 Thread Chuck Lantz
om [mailto:mmo...@google.com] On Behalf Of Michal Mocny Sent: Thursday, February 19, 2015 2:25 PM To: dev Subject: Re: Proposal for CSP support Thanks for this clear outline. Jason, I know you've been working on the short-term items for a while as part of your investigation, fixing things as you we

Re: Proposal for CSP support

2015-02-19 Thread Michal Mocny
Thanks for this clear outline. Jason, I know you've been working on the short-term items for a while as part of your investigation, fixing things as you went -- what is the current state of CSP support in platforms / plugins? What portion already has fixes (or PR for them), what work is known but

Proposal for CSP support

2015-02-19 Thread Jason Chase
I'm interested in full-blown support for CSP (Content Security Policy) in Cordova. While we're close to having new and improved whitelist functionality, there are gaps in what the whitelist is able to protect against. In particular, inline script and eval() are higher risks that are not addressed