CB-10646 Platform specific icons not copied to xcode project - fix issue in prepare.js - adding tests for 'platform add'
Project: http://git-wip-us.apache.org/repos/asf/cordova-osx/repo Commit: http://git-wip-us.apache.org/repos/asf/cordova-osx/commit/8ac659c7 Tree: http://git-wip-us.apache.org/repos/asf/cordova-osx/tree/8ac659c7 Diff: http://git-wip-us.apache.org/repos/asf/cordova-osx/diff/8ac659c7 Branch: refs/heads/master Commit: 8ac659c7204751a91917eb823bf4d4ff9fd1a607 Parents: 22cba9e Author: Tobias Bocanegra <tri...@adobe.com> Authored: Thu Feb 18 13:34:37 2016 -0800 Committer: Tobias Bocanegra <tri...@adobe.com> Committed: Thu Feb 18 13:36:09 2016 -0800 ---------------------------------------------------------------------- bin/templates/scripts/cordova/lib/prepare.js | 2 +- package.json | 2 +- tests/cdv-test-project/.gitignore | 1 + tests/cdv-test-project/config.xml | 38 ++++ tests/cdv-test-project/hooks/README.md | 23 +++ .../cordova-plugin-whitelist/CONTRIBUTING.md | 37 ++++ .../plugins/cordova-plugin-whitelist/LICENSE | 202 +++++++++++++++++++ .../plugins/cordova-plugin-whitelist/NOTICE | 5 + .../plugins/cordova-plugin-whitelist/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/RELEASENOTES.md | 51 +++++ .../cordova-plugin-whitelist/doc/de/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/es/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/fr/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/it/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/ja/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/ko/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/pl/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/doc/zh/README.md | 148 ++++++++++++++ .../cordova-plugin-whitelist/package.json | 28 +++ .../plugins/cordova-plugin-whitelist/plugin.xml | 53 +++++ .../src/android/WhitelistPlugin.java | 161 +++++++++++++++ .../cordova-plugin-whitelist/whitelist.js | 27 +++ tests/cdv-test-project/plugins/fetch.json | 10 + tests/cdv-test-project/plugins/osx.json | 15 ++ tests/cdv-test-project/res/test-64x64.png | Bin 0 -> 3641 bytes tests/cdv-test-project/www/css/index.css | 115 +++++++++++ tests/cdv-test-project/www/img/logo.png | Bin 0 -> 21814 bytes tests/cdv-test-project/www/index.html | 49 +++++ tests/cdv-test-project/www/js/index.js | 51 +++++ tests/spec/platform.spec.js | 80 ++++++++ 30 files changed, 2280 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/bin/templates/scripts/cordova/lib/prepare.js ---------------------------------------------------------------------- diff --git a/bin/templates/scripts/cordova/lib/prepare.js b/bin/templates/scripts/cordova/lib/prepare.js index c28f91c..2d9c744 100644 --- a/bin/templates/scripts/cordova/lib/prepare.js +++ b/bin/templates/scripts/cordova/lib/prepare.js @@ -211,7 +211,7 @@ function handleBuildSettings(platformConfig, locations) { function handleIcons(projectConfig, platformRoot) { // Update icons - var icons = projectConfig.getIcons('ios'); + var icons = projectConfig.getIcons('osx'); var appRoot = path.dirname(projectConfig.path); // See https://developer.apple.com/library/mac/documentation/UserExperience/Conceptual/OSXHIGuidelines/Designing.html http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/package.json ---------------------------------------------------------------------- diff --git a/package.json b/package.json index 344b64a..5113a80 100644 --- a/package.json +++ b/package.json @@ -16,7 +16,7 @@ "test": "npm run jshint && npm run jasmine", "jasmine": "npm run objc-tests && npm run jasmine-tests", "objc-tests": "jasmine-node --captureExceptions --color tests/spec/cordovalib.spec.js", - "jasmine-tests": "jasmine-node --captureExceptions --color tests/spec/create.spec.js", + "jasmine-tests": "jasmine-node --captureExceptions --color tests/spec/create.spec.js tests/spec/platform.spec.js", "jshint": "node node_modules/jshint/bin/jshint bin && node node_modules/jshint/bin/jshint tests" }, "author": "Apache Software Foundation", http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/.gitignore ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/.gitignore b/tests/cdv-test-project/.gitignore new file mode 100644 index 0000000..1cfe9bb --- /dev/null +++ b/tests/cdv-test-project/.gitignore @@ -0,0 +1 @@ +platforms http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/config.xml ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/config.xml b/tests/cdv-test-project/config.xml new file mode 100644 index 0000000..d3a8bc4 --- /dev/null +++ b/tests/cdv-test-project/config.xml @@ -0,0 +1,38 @@ +<?xml version='1.0' encoding='utf-8'?> +<widget id="org.apache.cordova.test" version="0.0.1" xmlns="http://www.w3.org/ns/widgets"; xmlns:cdv="http://cordova.apache.org/ns/1.0";> + <name>HelloCordova</name> + <description> + A sample Apache Cordova application that responds to the deviceready event. + This project is used for testing adding the OSX platform. + </description> + <author email="d...@cordova.apache.org" href="http://cordova.io";> + Apache Cordova Team + </author> + <content src="index.html" /> + <plugin name="cordova-plugin-whitelist" spec="1" /> + <access origin="*" /> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + <allow-intent href="tel:*" /> + <allow-intent href="sms:*" /> + <allow-intent href="mailto:*"; /> + <allow-intent href="geo:*" /> + <platform name="android"> + <allow-intent href="market:*" /> + </platform> + <platform name="ios"> + <allow-intent href="itms:*" /> + <allow-intent href="itms-apps:*" /> + </platform> + + <!-- icons for test (note that we use the same file for all sizes) --> + <platform name="osx"> + <icon src="res/test-64x64.png" width="16" height="16" /> + <icon src="res/test-64x64.png" width="32" height="32" /> + <icon src="res/test-64x64.png" width="64" height="64" /> + <icon src="res/test-64x64.png" width="128" height="128" /> + <icon src="res/test-64x64.png" width="256" height="256" /> + <icon src="res/test-64x64.png" width="512" height="512" /> + </platform> + +</widget> http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/hooks/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/hooks/README.md b/tests/cdv-test-project/hooks/README.md new file mode 100644 index 0000000..574ad4c --- /dev/null +++ b/tests/cdv-test-project/hooks/README.md @@ -0,0 +1,23 @@ +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--> +# Cordova Hooks + +Cordova Hooks represent special scripts which could be added by application and plugin developers or even by your own build system to customize cordova commands. See Hooks Guide for more details: http://cordova.apache.org/docs/en/edge/guide_appdev_hooks_index.md.html#Hooks%20Guide. http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/CONTRIBUTING.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/CONTRIBUTING.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/CONTRIBUTING.md new file mode 100644 index 0000000..7de4c64 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/CONTRIBUTING.md @@ -0,0 +1,37 @@ +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--> + +# Contributing to Apache Cordova + +Anyone can contribute to Cordova. And we need your contributions. + +There are multiple ways to contribute: report bugs, improve the docs, and +contribute code. + +For instructions on this, start with the +[contribution overview](http://cordova.apache.org/contribute/). + +The details are explained there, but the important items are: + - Sign and submit an Apache ICLA (Contributor License Agreement). + - Have a Jira issue open that corresponds to your contribution. + - Run the tests so your patch doesn't break existing functionality. + +We look forward to your contributions! http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/LICENSE ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/LICENSE b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/LICENSE new file mode 100644 index 0000000..7a4a3ea --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/NOTICE ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/NOTICE b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/NOTICE new file mode 100644 index 0000000..8ec56a5 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/NOTICE @@ -0,0 +1,5 @@ +Apache Cordova +Copyright 2012 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/README.md new file mode 100644 index 0000000..e846991 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0 + +:warning: Report issues on the [Apache Cordova issue tracker](https://issues.apache.org/jira/issues/?jql=project%20%3D%20CB%20AND%20status%20in%20%28Open%2C%20%22In%20Progress%22%2C%20Reopened%29%20AND%20resolution%20%3D%20Unresolved%20AND%20component%20%3D%20%22Plugin%20Whitelist%22%20ORDER%20BY%20priority%20DESC%2C%20summary%20ASC%2C%20updatedDate%20DESC) + + +## Supported Cordova Platforms + +* Android 4.0.0 or above + +## Navigation Whitelist +Controls which URLs the WebView itself can be navigated to. Applies to +top-level navigations only. + +Quirks: on Android it also applies to iframes for non-http(s) schemes. + +By default, navigations only to `file://` URLs, are allowed. To allow others URLs, you must add `<allow-navigation>` tags to your `config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + +## Intent Whitelist +Controls which URLs the app is allowed to ask the system to open. +By default, no external URLs are allowed. + +On Android, this equates to sending an intent of type BROWSEABLE. + +This whitelist does not apply to plugins, only hyperlinks and calls to `window.open()`. + +In `config.xml`, add `<allow-intent>` tags, like this: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + +## Network Request Whitelist +Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks). + +Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP. + +In `config.xml`, add `<access>` tags, like this: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + +Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default Cordova application includes `<access origin="*">` by default. + +Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly. + +### Content Security Policy +Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly). + +On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the whitelist, you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>` tag on all of your pages. + +On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView). + +Here are some example CSP declarations for your `.html` pages: + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow everything but only from the same origin and foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that + * CSS only from the same origin and inline styles, + * scripts only from the same origin and inline styles, and eval() + --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allows XHRs only over HTTPS on the same domain. --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/RELEASENOTES.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/RELEASENOTES.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/RELEASENOTES.md new file mode 100644 index 0000000..c2ef06c --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/RELEASENOTES.md @@ -0,0 +1,51 @@ +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--> +# Release Notes + +### 1.2.1 (Jan 15, 2016) +* CB-10194 info tag prints for ios when not applicable + +### 1.2.0 (Nov 18, 2015) +* removed **iOS** engine check from `plugin.xml` +* [CB-10035](https://issues.apache.org/jira/browse/CB-10035) Updated `RELEASENOTES` to be newest to oldest +* [CB-9972](https://issues.apache.org/jira/browse/CB-9972) - Remove **iOS** whitelist +* Updated the text, it should read 4.0.x and greater, since this plugin will be required for `cordova-android 5.0` +* Fixing contribute link. +* Updated `plugin.xml <info>` tag to remove warning about not needing this plugin if you are using the **iOS 9 SDK** +* [CB-9738](https://issues.apache.org/jira/browse/CB-9738) - Disable whitelist use when runtime environment is **iOS 9** +* [CB-9740](https://issues.apache.org/jira/browse/CB-9740) - Add `<info>` tag describing whitelist plugin not needed on `cordova-ios` and cordova-android 3.x` +* [CB-9568](https://issues.apache.org/jira/browse/CB-9568) - Update whitelist plugin to allow all network access by default +* [CB-9337](https://issues.apache.org/jira/browse/CB-9337) - enable use of `<access>` tags for native code network requests + +### 1.1.0 (Jun 17, 2015) +* [CB-9128](https://issues.apache.org/jira/browse/CB-9128) cordova-plugin-whitelist documentation translation: cordova-plugin-whitelist +* fix npm md issue +* Usage of CDVURLRequestFilter protocol. +* [CB-9089](https://issues.apache.org/jira/browse/CB-9089) - iOS whitelist plugin does not compile +* [CB-9090](https://issues.apache.org/jira/browse/CB-9090) - Enable whitelist plugin for cordova-ios 4.0.0 +* Fixed error in Content-Security-Policy example + +### 1.0.0 (Mar 25, 2015) +* [CB-8739](https://issues.apache.org/jira/browse/CB-8739) added missing license headers +* Add @Override to CustomConfigXmlParser methods +* Change ID to cordova-plugin-whitelist rather than reverse-DNS-style +* Tweak CSP examples in README +* [CB-8660](https://issues.apache.org/jira/browse/CB-8660) remove extra commas from package.json http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/de/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/de/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/de/README.md new file mode 100644 index 0000000..e97eaa6 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/de/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Dieses Plugin implementiert eine Whitelist-Politik für die Navigation in der Anwendung Webview Cordova 4.0 + +## Cordova unterstützte Plattformen + + * Android 4.0.0 oder höher + * iOS 4.0.0 oder höher + +## Navigation-Whitelist + +Steuert, welche URLs die WebView selbst zu navigiert werden kann. Bezieht sich auf der obersten Ebene Navigationen nur. + +Macken: auf Android es gilt auch für Iframes für nicht-http(s) Systeme. + +In der Standardeinstellung Navigationen nur auf `file://` URLs, sind zulässig. Wenn andere andere URLs zulassen möchten, müssen Sie Ihre `"config.xml"` `<allow-navigation>` Markierungen hinzufügen: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## Vorsatz-Whitelist + +Steuert, welche URLs die app zulässig ist, um das System zu öffnen Fragen. StandardmäÃig dürfen keine externe URLs. + +Das entspricht auf Android eine Absicht des Typs BROWSEABLE senden. + +Diese Whitelist gilt nicht für Plugins, nur Hyperlinks und Aufrufe von `window.open()`. + +Fügen Sie in `"config.xml"` `<allow-intent>` Tags hinzu, wie folgt: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Netzwerk-Anforderung-Whitelist + +Steuert, welche-Anforderungen Netzwerk (Bilder, XHRs, etc.) dürfen (über Cordova native Haken) erfolgen. + +Hinweis: Wir empfehlen Ihnen eine Content Security Policy (siehe unten), das ist sicherer. Diese Whitelist ist vor allem historisch für Webansichten für die CSP nicht unterstützen. + +Fügen Sie in `"config.xml"` `<access>` Tags hinzu, wie folgt: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Ohne `<access>` -Tags dürfen nur Anforderungen an `file://` URLs. Enthält jedoch die Standardanwendung Cordova `<access origin="*">` standardmäÃig. + +Eigenart: Android kann auch Anforderungen an https://ssl.gstatic.com/accessibility/javascript/android/ standardmäÃig, da dies für TalkBack ordnungsgemäà erforderlich ist. + +### Content-Security-Policy + +Steuert, welche-Anforderungen Netzwerk (Bilder, XHRs, etc.) dürfen (über Webview direkt) erfolgen. + +Auf Android und iOS ist die Netzwerk Anfrage Whitelist (s.o.) nicht in der Lage, alle Arten von Anfragen (z.B. `< video >` & WebSockets nicht blockiert) filtern. Also, sollten Sie neben der Whitelist, [Content Security Policy](http://content-security-policy.com/) `< Meta >` -Tags auf allen Ihren Seiten verwenden. + +Auf Android Unterstützung für CSP innerhalb der System-Webview beginnt mit KitKat (aber ist in allen Versionen mit Crosswalk WebView verfügbar). + +Hier sind einige Beispiel-CSP-Deklarationen für Ihre `HTML` -Seiten: + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/es/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/es/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/es/README.md new file mode 100644 index 0000000..b3e4684 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/es/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Este plugin implementa una polÃtica de lista blanca para navegar la aplicación webview en Cordova 4.0 + +## Plataformas soportadas Cordova + + * Android 4.0 o superior + * iOS 4.0.0 o superior + +## Lista blanca de navegación + +Controla que las URLs del WebView se puede navegar a. Se aplica a nivel superior navegaciones solo. + +Peculiaridades: en Android también se aplica a iframes para esquemas que son de http (s). + +Por defecto, navegaciones solo a direcciones URL `file://` , son permitidas. Para permitir que otros otras URL, debe agregar `< allow-navegación >` etiquetas en el `archivo config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## Intención de lista blanca + +Controla qué URLs de la aplicación se permite hacer el sistema para abrir. De forma predeterminada, se permiten ninguà n external URLs. + +En Android, esto equivale a enviar una intención de tipo BROWSEABLE. + +Esta lista blanca no se aplica a plugins, sólo los hipervÃnculos y las llamadas a `window.Open)`. + +En `config.xml`, agregar etiquetas `< allow-intent >` , como este: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Solicitud de red blanca + +Controles que las peticiones de la red (imágenes, XHRs, etc.) se les permite hacer (a través de ganchos nativa de Córdoba). + +Nota: Le sugerimos que utilice una polÃtica de seguridad de contenido (véase abajo), que es más seguro. Esta lista blanca es sobre todo histórico para webviews que no admiten la CSP. + +En `config.xml`, agregue etiquetas de `< access >` , como este: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Sin las etiquetas `< access >` , se admiten sólo las solicitudes a direcciones URL `file://` . Sin embargo, la aplicación por defecto de Cordova incluye `< access origin = "*" >` por defecto. + +Quirk: Android también permite las solicitudes de https://ssl.gstatic.com/accessibility/javascript/android/ por defecto, puesto que es necesario para TalkBack funcionar correctamente. + +### PolÃtica de seguridad de contenido + +Controles que las peticiones de la red (imágenes, XHRs, etc.) se les permite hacer (vÃa webview directamente). + +En iOS y Android, la red solicitud lista blanca (véase arriba) no es capaz de filtrar todos los tipos de solicitudes (por ejemplo, `< video >` y WebSockets no estén bloqueadas). AsÃ, además de la lista blanca, usted debe utilizar una etiqueta `< meta >` de [Contenido la polÃtica de seguridad](http://content-security-policy.com/) en todas las páginas. + +En Android, soporte para CSP en el sistema webview comienza con KitKat (pero está disponible en todas las versiones con WebView de paso de peatones). + +Aquà están algunas declaraciones de CSP de ejemplo para las páginas `.html` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/fr/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/fr/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/fr/README.md new file mode 100644 index 0000000..2a8c4b7 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/fr/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Ce plugin met en Åuvre une politique de liste blanche pour naviguer le webview application sur Cordova 4.0 + +## Plates-formes prises en charge Cordova + + * 4.0.0 Android ou supérieur + * iOS 4.0.0 ou supérieur + +## Navigation liste blanche + +Contrôle quels URL le WebView lui-même peut être parcourus à . S'applique à des navigations niveau supérieur seulement. + +Particularités : sur Android il s'applique également aux iframes pour non-schémas http (s). + +Par défaut, navigations qu'aux URL `file://` , sont autorisés. Pour permettre aux autres d'autres URL, vous devez ajouter des balises `<allow-navigation>` à votre `fichier config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## Intent Whitelist + +Contrôle quels URL l'app n'est autorisé à poser le système d'ouverture. Par défaut, aucun external URL est autorisés. + +Sur Android, cela équivaut à envoyer une intention de type BROWSEABLE. + +Cette autorisation ne s'applique pas aux plugins, uniquement les liens hypertexte et les appels à `window.open()`. + +Dans le `fichier config.xml`, ajouter des balises `<allow-intent>` , comme ceci : + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Réseau demande liste blanche + +Les contrôles dont les demandes de réseau (images, XHRs, etc.) sont autorisés à effectuer (via cordova natif crochets). + +Remarque : Nous vous suggérons de qu'utiliser un contenu politique de sécurité (voir ci-dessous), qui est plus sûr. Cette liste blanche est surtout historique pour webviews qui ne prennent pas en charge les CSP. + +Dans le `fichier config.xml`, ajouter des balises `<access>` , comme ceci : + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Sans les balises `<access>` , seules les demandes d'URL `file://` sont autorisés. Toutefois, l'application de Cordoue par défaut inclut `<access origin="*" >` par défaut. + +Bizarrerie : Android permet également aux requêtes à https://ssl.gstatic.com/accessibility/javascript/android/ par défaut, puisque c'est nécessaire pour TalkBack fonctionner correctement. + +### Politique de sécurité du contenu + +Les contrôles dont les demandes de réseau (images, XHRs, etc.) sont autorisés à effectuer (via webview directement). + +Sur Android et iOS, la réseau demande liste blanche (voir ci-dessus) n'est pas en mesure de filtrer tous les types de demandes (p. ex. `< video >` & WebSockets ne sont pas bloquées). Ainsi, en plus de la liste blanche, vous devez utiliser une balise `< meta >` de [Contenu politique de sécurité](http://content-security-policy.com/) sur toutes vos pages. + +Sur Android, support pour le CSP dans le système webview commence par KitKat (mais n'est disponible sur toutes les versions à l'aide du tableau de concordance WebView). + +Voici quelques exemples de déclarations de CSP pour vos pages `.html` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/it/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/it/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/it/README.md new file mode 100644 index 0000000..157dc03 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/it/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Questo plugin attua una politica di whitelist per spostarsi all'interno dell'applicazione webview in Cordova 4.0 + +## Piattaforme supportate Cordova + + * Android 4.0.0 o superiore + * iOS 4.0.0 o superiore + +## Navigazione Whitelist + +Controlla quali URL WebView stessa può essere esplorato. Si applica al solo primo livello navigazioni. + +Stranezze: su Android vale anche per gli iframe per non-schemi di http (s). + +Per impostazione predefinita, navigazioni solo agli URL `file://` , sono ammessi. Per consentire altri altri URL, è necessario aggiungere `<allow-navigation>` tag per il tuo `config. XML`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## Whitelist intento + +Controlla quali URL app è consentito richiedere il sistema di apertura. Per impostazione predefinita, nessun esterno URL sono ammessi. + +Su Android, ciò equivale all'invio di un intento di tipo BROWSEABLE. + +Questa whitelist non si applica ai plugin, solo i collegamenti ipertestuali e chiamate a `Window`. + +In `config. XML`, aggiungere tag `<allow-intent>` , simile al seguente: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Rete richiesta Whitelist + +Controlli che le richieste di rete (immagini, XHRs, ecc.) sono consentiti (tramite ganci nativo di cordova). + +Nota: Si consiglia di che utilizzare un criterio di protezione contenuti (Vedi sotto), che è più sicuro. La whitelist è principalmente storico per visualizzazioni Web che non supportano la CSP. + +In `config. XML`, aggiungere tag `< access >` , simile al seguente: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Senza qualsiasi tag `< access >` , sono consentite solo le richieste di URL `file://` . Tuttavia, l'applicazione di Cordova predefinito include `< access origin = "*" >` per impostazione predefinita. + +Stranezza: Android consente anche alle richieste di https://ssl.gstatic.com/accessibility/javascript/android/ per impostazione predefinita, poiché questa operazione è necessaria per TalkBack funzionare correttamente. + +### Politica di sicurezza del contenuto + +Controlli che le richieste di rete (immagini, XHRs, ecc.) possono essere effettuate (via webview direttamente). + +Su Android e iOS, la rete richiesta whitelist (Vedi sopra) non è in grado di filtrare tutti i tipi di richieste (ad esempio non sono bloccate `< video >` & WebSockets). Così, oltre alla whitelist, è necessario utilizzare un tag `< meta >` [Content Security Policy](http://content-security-policy.com/) su tutte le pagine. + +Su Android, supporto per CSP all'interno webview sistema inizia con KitKat (ma è disponibile su tutte le versioni usando Crosswalk WebView). + +Ecco alcuni esempi di dichiarazioni di CSP per le pagine `HTML` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ja/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ja/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ja/README.md new file mode 100644 index 0000000..6db17f1 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ja/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +ãã®ãã©ã°ã¤ã³å®è£ ã³ã«ãã 4.0 ã¢ããªã±ã¼ã·ã§ã³ webview ãããã²ã¼ãããããã®ãã¯ã¤ã ãªã¹ã ããªã·ã¼ + +## ãµãã¼ãããã¦ããã³ã«ããã®ãã©ãããã©ã¼ã + + * ã¢ã³ããã¤ã 4.0.0 ä»¥ä¸ + * iOS 4.0.0 ä»¥ä¸ + +## ããã²ã¼ã·ã§ã³ã®ãã¯ã¤ã ãªã¹ã + +WebView èªä½ã«ç§»åã« Url ãå¶å¾¡ãã¾ããæä¸ä½ããã²ã¼ã·ã§ã³ã®ã¿ã«é©ç¨ããã¾ãã + +ç: Android ã«ãã«é©ç¨ããã¾ãã® iframe é-[http ã¹ãã¼ã ã + +æ¢å®ã§ã¯ãããã²ã¼ã·ã§ã³ã `file://`ã® Url ã«ã®ã¿è¨±å¯ããã¾ãããã®ä»ã®ä»ã® Url ã許å¯ããããã«ã `config.xml`ã«`<allow-navigation>`ã¿ã°ã追å ããå¿ è¦ãããã¾ãã + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## ã¤ã³ãã³ãã®ãã¯ã¤ã ãªã¹ã + +ã©ã® Url ãéãããã«ã·ã¹ãã ãèãã¦ãã¢ããªã«è¨±å¯ãå¶å¾¡ãã¾ãã æ¢å®ã§ã¯ãå¤é¨ Url 許å¯ããã¾ããã + +人é 人éãããã¯å BROWSEABLE ã®æå³ãéä¿¡ãããã¨ã«ç¸å½ãã¾ãã + +ãã®ãã¯ã¤ã ãªã¹ãã¯ãã©ã°ã¤ã³ã®ã¿ãã¤ãã¼ãªã³ã¯ããã³`window.open()`ã¸ã®å¼ã³åºãã«ã¯é©ç¨ããã¾ããã. + +`Config.xml`å ã®`<allow-intent>`ã¿ã°ã¯ããã®ãããªã追å ãã¾ãã + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## ãããã¯ã¼ã¯è¦æ±ã®ãã¯ã¤ã ãªã¹ã + +ãããã¯ã¼ã¯è¦æ±ã³ã³ããã¼ã« (ç»åãXHRs ç) (ã³ã«ãã ãã¤ãã£ã ããã¯) ãä»ãã¦è¡ããããã¨ãã + +注: ããå®å ¨ãªã³ã³ãã³ã ã»ãã¥ãªã㣠ããªã·ã¼ (ä¸è¨åç §) ã使ç¨ãã¦ãå§ããã¾ãã ãã®ãã¯ã¤ã ãªã¹ãã»ã¨ãã©ã® CSP ããµãã¼ããã¦ããªã web 表示ã®ããã«æ´å²çã§ãã + +`Config.xml`å ã®ãã®ãããª`<access>`ã¿ã°ã追å ãã¾ãã + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +`<access>`ã¿ã°ããªã`file://` Url ã«è¦æ±ã®ã¿ã許å¯ãã¾ãã ãã ããæ¢å®ã®ã³ã«ãã ã¢ããªã±ã¼ã·ã§ã³ãå«ã¾ãã¦ãã¾ã`<access origin="*">`ããã©ã«ãã§ã + +æ°ã¾ãã: ã¢ã³ããã¤ããè¦æ±ã§ãã¾ã https://ssl.gstatic.com/accessibility/javascript/android/ããã©ã«ãã§ã¯ããã¼ã¯ãæ£å¸¸ã«æ©è½ããããã«å¿ è¦ã§ãã®ã§ã + +### ã³ã³ãã³ãã®ã»ãã¥ãªã㣠ããªã·ã¼ + +ãããã¯ã¼ã¯è¦æ±ã³ã³ããã¼ã« (ç»åãXHRs ç) (ç´æ¥ webview) ãä»ãã¦è¡ããããã¨ãã + +Android 㨠iOS ã¯ããããã¯ã¼ã¯è¦æ±ãã¯ã¤ã ãªã¹ã (ä¸è¨åç §) ã¯ãã¹ã¦ã®ç¨®é¡ã®è¦æ± (ä¾: `< ãã㪠>` & Websocket ããµãããã¦ããªã) ããã£ã«ã¿ã¼å¦çã§ãã¾ããã ã ããããã¯ã¤ã ãªã¹ãã«å ãã¦ãã¹ã¦ã®ãã¼ã¸ã«[ã³ã³ãã³ã ã»ãã¥ãªã㣠ããªã·ã¼](http://content-security-policy.com/) `< meta >`ã¿ã°ã使ç¨ããå¿ è¦ãããã¾ãã + +Android ä¸ã·ã¹ãã webview å CSP ãµãã¼ã ãããã«ããããå§ã¾ãã¾ã (ããã横ææ©é WebView ã使ç¨ãã¦ãã¹ã¦ã®ãã¼ã¸ã§ã³ã§å©ç¨å¯è½ã§ã)ã + +`.Html`ãã¼ã¸ã®ããã¤ãã®ä¾ CSP ã®å®£è¨ã¯æ¬¡ã®ã¨ããã§ãã + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ko/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ko/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ko/README.md new file mode 100644 index 0000000..4cbae91 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/ko/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +ì´ íë¬ê·¸ì¸ 구í ì½ë¥´ëë° 4.0 ìì© íë¡ê·¸ë¨ webview를 íìì ë í íì© ì ì± + +## ì§ìë ì½ë¥´ëë° íë«í¼ + + * ì ë ë¡ì´ë 4.0.0 ì´ì + * iOS 4.0.0 ì´ì + +## íì íì© + +WebView ìì²´ê° íìí ì ìë Urlì ì ì´ í©ëë¤. ìµìì íììë§ ì ì© ë©ëë¤. + +ë¨ì : ì ë ë¡ì´ëìë ì ì© ë©ëë¤ iframeì ë í ë¹-íë¡í ì½ì¸ ê³í. + +기본ì ì¼ë¡ íì `file://` Urlìë§ ì¬ì©í ì ììµëë¤. ë¤ë¥¸ ë¤ë¥¸ Urlì íì© íë ¤ë©´ `config.xml`ì `< allow-navigation >` í그를 ì¶ê° í´ì¼ í©ëë¤. + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## ìë íì© + +App ìì¤í ì´ì ê² íì© ëë Urlì ì ì´ í©ëë¤. 기본ì ì¼ë¡ ì¸ë¶ Urlì ì¬ì©í ì ììµëë¤. + +ì ë ë¡ì´ëìì´ íìì BROWSEABLE ìë ë³´ë´ë ê² ê°ìµëë¤. + +ì´ íì© ë íë¬ê·¸ì¸, íì´í¼ë§í¬ ë° `window.open ()` í¸ì¶ì ì ì© ëì§ ììµëë¤.. + +`Config.xml`ìì´ ê°ì `< allow-intent >` í그를 ì¶ê° í©ëë¤. + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## ë¤í¸ìí¬ ìì² íì© + +ìì²ì ë¤í¸ìí¬ ì»¨í¸ë¡¤ (ì´ë¯¸ì§, XHRs, ë±) (ì½ë¥´ëë° ë¤ì´í°ë¸ íí¬)를 íµí´ í ì ììµëë¤. + +ì°¸ê³ : ë¹ì ì´ ì¬ì© ì½í ì¸ ë³´ì ì ì± (ìë 참조), ë ìì í ê²ì´ ì¢ìµëë¤. ì´ íì©ì CSP를 ì§ì íì§ ìë webviewsì ë í ìì¬ì . + +`Config.xml`ìì´ ê°ì `< access >` í그를 ì¶ê° í©ëë¤. + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +ì´ë¤ `< access >` íê·¸ ìì´ ìì² `file://` Url ì¬ì©í ì ììµëë¤. ê·¸ë¬ë 기본 ì½ë¥´ëë° ìì© íë¡ê·¸ë¨ì í¬í¨ íë, `< access origin="*" >` 기본ì ì¼ë¡. + +í¹ì§: ì ë ë¡ì´ë ëí ì ììµëë¤ ìì²ì https://ssl.gstatic.com/accessibility/javascript/android/ 기본ì ì¼ë¡ íì ì ëë¡ ìë íë ¤ë©´ ì견 ì´ë¯ë¡. + +### ì½í ì¸ ë³´ì ì ì± + +ìì²ì ë¤í¸ìí¬ ì»¨í¸ë¡¤ (ì´ë¯¸ì§, XHRs, ë±) (webview ì§ì )를 íµí´ í ì ììµëë¤. + +ì ë ë¡ì´ëì iOSì ë¤í¸ìí¬ ìì² íì© (ì 참조)ë 모ë ì¢ ë¥ì ìì² (ì: `< ë¹ëì¤ >` & WebSockets ì°¨ë¨ ëì§ ììµëë¤)를 íí°ë§ í ì ììµëë¤. ê·¸ëì, íì©, ë¿ë§ ìëë¼ ê·íì 모ë íì´ì§ì [ì½í ì¸ ë³´ì ì ì± ](http://content-security-policy.com/) `< meta >` í그를 ì¬ì© í´ì¼ í©ëë¤. + +ì ë ë¡ì´ë, ìì¤í webview ë´ìì CSPì ë í ì§ìì KitKat ìì (íì§ë§ í¡ë¨ ë³´ë WebView를 ì¬ì© í ì¬ ëª¨ë ë²ì ìì ì¬ì©í ì). + +ë¤ìì `.html` íì´ì§ì ë í ëª ê°ì§ ìì CSP ì ì¸ì ëë¤. + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cordova-osx/blob/8ac659c7/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/pl/README.md ---------------------------------------------------------------------- diff --git a/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/pl/README.md b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/pl/README.md new file mode 100644 index 0000000..ecdc3d5 --- /dev/null +++ b/tests/cdv-test-project/plugins/cordova-plugin-whitelist/doc/pl/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Ten plugin wdraża polityki biaÅej nawigacja widoku sieci Web aplikacji na Cordova 4.0 + +## Cordova obsÅugiwanych platform + + * Android 4.0.0 lub powyżej + * iOS 4.0.0 lub powyżej + +## BiaÅa lista nawigacji + +Kontroluje, których adresy URL widoku sieci Web, samej można nawigowaÄ do. Dotyczy tylko najwyższego poziomu nawigacje. + +Dziwactwa: na Android to dotyczy także IFRAME do nie-http (s) systemów. + +DomyÅlnie, nawigacje tylko do URLi `file://` , sÄ dozwolone. Aby zezwoliÄ na inne adresy URL, należy dodaÄ Tagi `< allow-navigation >` do pliku `config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*"; /> + <allow-navigation href="https://*/*"; /> + <allow-navigation href="data:*" /> + + +## Zamiarem biaÅa + +Kontroluje, których adresy URL aplikacji jest możliwoÅÄ zapytaÄ systemem otwierania. DomyÅlnie nie ma zewnÄtrznych adresów URL sÄ dozwolone. + +Na Android to przyrównuje do wysyÅania zamiarem typu BROWSEABLE. + +Ta biaÅa nie ma zastosowania do pluginów, tylko hiperÅÄ cza i wywoÅania `window.open()`. + +W `pliku config.xml`dodawanie tagów `< allow-intent >` , jak to: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*"; /> + <allow-intent href="https://*/*"; /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*"; /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Sieci wniosek biaÅa + +Formanty, które sieci Å¼Ä daÅ (obrazy, XHRs, itp.) mogÄ byÄ wykonane (za poÅrednictwem cordova rodzimych haki). + +Uwaga: Zalecamy, że używasz treÅci polityki bezpieczeÅstwa (patrz poniżej), który jest bardziej bezpieczne. Ta BiaÅa jest gÅównie historyczne dla webviews, które nie obsÅugujÄ CSP. + +W `pliku config.xml`dodawanie tagów `< access >` , jak to: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com"; /> + <access origin="https://google.com"; /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com"; /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com"; /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Bez żadnych tagów `< access >` dozwolone sÄ tylko Å¼Ä dania do URLi `file://` . Jednak domyÅlnie Cordova aplikacja zawiera `< access origin = "*" >` domyÅlnie. + +CokóÅ: Android pozwala również Å¼Ä dania do https://ssl.gstatic.com/accessibility/javascript/android/ domyÅlnie, ponieważ jest to wymagane dla TalkBack wobec funkcja poprawnie. + +### Zasady zabezpieczeÅ zawartoÅci + +Formanty, które sieci Å¼Ä daÅ (obrazy, XHRs, itp.) mogÄ byÄ wykonane (za pomocÄ widoku sieci Web bezpoÅrednio). + +Na Androida i iOS biaÅa Å¼Ä danie sieci (patrz wyżej) nie jest w stanie filtrowaÄ wszystkie rodzaje wniosków (np. `< video >` & WebSockets nie sÄ zablokowane). Tak oprócz biaÅej listy, należy użyÄ tagu `< meta >` [TreÅci polityki bezpieczeÅstwa](http://content-security-policy.com/) na wszystkich stronach. + +Na Android wsparcie dla CSP w ramach systemu widoku sieci Web zaczyna KitKat (ale jest dostÄpne we wszystkich wersjach przy użyciu widoku sieci Web przejÅcie dla pieszych). + +Oto niektóre przykÅad CSP deklaracje dla strony `HTML` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org";> \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cordova.apache.org For additional commands, e-mail: commits-h...@cordova.apache.org
