Repository: cordova-plugin-whitelist Updated Branches: refs/heads/master 695006d5e -> 3903631b3
Update README.md Update some confusing comments. see: `Content-Security-Policy Examples` in http://content-security-policy.com/. This closes #8 Project: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/repo Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/commit/3903631b Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/tree/3903631b Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/diff/3903631b Branch: refs/heads/master Commit: 3903631b3c9a882ee46d79ddf192fb7f4d326b9f Parents: 695006d Author: Luo Wen <[email protected]> Authored: Wed Jul 22 12:36:06 2015 +0800 Committer: Nikhil Khandelwal <[email protected]> Committed: Mon Oct 26 09:04:17 2015 -0700 ---------------------------------------------------------------------- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/blob/3903631b/README.md ---------------------------------------------------------------------- diff --git a/README.md b/README.md index bb46111..63517a0 100644 --- a/README.md +++ b/README.md 
@@ -130,13 +130,16 @@ Here are some example CSP declarations for your `.html` pages: --> <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> - <!-- Allow requests to foo.com --> + <!-- Allow everything but only from the same origin and foo.com --> <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> - <!-- Enable all requests, inline styles, and eval() --> + <!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that + * CSS only from the same origin and inline styles, + * scripts only from the same origin and inline styles, and eval() + --> <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> - <!-- Allow XHRs via https only --> + <!-- Allows XHRs only over HTTPS on the same domain. --> <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> <!-- Allow iframe to https://cordova.apache.org/ --> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
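Review bot: the replacement comment for the `default-src 'self' https:` policy ("Allows XHRs only over HTTPS on the same domain.") misdescribes what the policy enforces: `default-src` governs every resource type, not only XHRs, and the `https:` scheme source permits loads from any HTTPS origin, not just the same domain; suggest "Allow all resources from the same origin or from any HTTPS origin" so readers do not assume a same-domain restriction that the directive does not provide. In the same hunk, the bullet `* scripts only from the same origin and inline styles, and eval()` documents `script-src 'self' 'unsafe-inline' 'unsafe-eval'` and should read "inline scripts" rather than "inline styles" (that wording is copied from the `style-src` bullet above it), and "eg" should be "e.g.".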
