Author: janpio
Date: Tue Sep 29 19:20:41 2020
New Revision: 1882136
URL: http://svn.apache.org/viewvc?rev=1882136&view=rev
Log:
Updated docs
Added:
cordova/site/public/news/2020/09/29/
cordova/site/public/news/2020/09/29/cve-2020-6506.html
Modified:
cordova/site/public/blog/index.html
cordova/site/public/docs/en/dev/reference/cordova-plugin-inappbrowser/index.html
cordova/site/public/feed.xml
cordova/site/public/news/2020/09/18/camera-plugin-release.html
cordova/site/public/sitemap.xml
cordova/site/public/static/js/index.js
Modified: cordova/site/public/blog/index.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1882136&r1=1882135&r2=1882136&view=diff
==============================================================================
--- cordova/site/public/blog/index.html (original)
+++ cordova/site/public/blog/index.html Tue Sep 29 19:20:41 2020
@@ -123,6 +123,76 @@
<li>
<header>
+ <div class="adorner" blogTime="Tue, 29 Sep 2020 00:00:00
+0000"></div>
+ <h2 class="title">
+ <a href="/news/2020/09/29/cve-2020-6506.html">Security
Advisory CVE-2020-6506</a>
+ </h2>
+ <div class="details">
+ <span class="date">29 Sep 2020</span>
+ - by
+ <span class="author">
+
+ Jesse MacFadyen
+
+ </span>
+ <a class="comment"
href="/news/2020/09/29/cve-2020-6506.html#disqus_thread"></a>
+ </div>
+ </header>
+ <section class="post-excerpt">
+ <p><h1>Security Advisory CVE-2020-6506</h1>
+
+<h3>Formally Disclosed Advisory:</h3>
+
+<ul>
+<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li>
+</ul>
+
+<p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability
in Android WebView which allows cross-origin iframes to execute arbitrary
JavaScript in the top-level document. Apache Cordova apps built for Android
devices which allow the loading of http content from domains they do not
control could be affected. Theoretically this would be either in an iframe, or
by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p>
+
+<p>If your app loads a local page (e.g. index.html within Cordova app loads
iframe from <a href="#">malicious-example.com</a>), no user interaction is
required for this exploit.</p>
+
+<p>This vulnerability has been fixed in Android WebView as of version
83.0.4103.106.
+Users must update their Android WebView from the Google Play Store
themselves.</p>
+
+<h3>Mitigation</h3>
+
+<p>There are precautions you can take to avoid this vulnerability.</p>
+
+<ol>
+<li>Use a restrictive an allow-list and content security policy (CSP) as
possible.<br>
+
+<ul>
+<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li>
+<li>Ensure CSPs do not include 'unsafe-line' for
script-src/default-src unless necessary.</li>
+</ul></li>
+<li>Generally, always load local code into your application's main
webview, and use InAppBrowser to display anything remote.
+
+<ul>
+<li>Always load untrusted content into an external browser (i.e. call
InAppBrowser with <code>_system</code>)</li>
+<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li>
+</ul></li>
+<li><p>Do not use iframes, and if you must, never do so in your
application's main webview. Using the <code>sandbox</code> attribute will
mitigate this vulnerability ( preferably with an empty value. ) Avoid using
these sandbox attributes together <code>allow-popups allow-top-navigation
allow-scripts</code> because they do NOT mitigate this vulnerability.</p>
+<div class="highlight"><pre><code class="language-js" data-lang="js"><span
class="o"><</span><span class="nx">iframe</span> <span
class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span>
<span class="nx">src</span><span class="o">=</span><span
class="s1">'http://untrusted-source'</span> <span class="o">/></span>
+</code></pre></div></li>
+</ol>
+
+<p>Most of these precautions have always been gentle recommendations of Apache
Cordova, but were not reflected in the default values which were typically left
open. The Apache Cordova committers are investigating preventing this
vulnerability at the framework level, as well as tightening the default values
to prevent inadvertant exposure. In the meantime, if you suspect your app is
vulnerable, please follow the precautions above.</p>
+
+<p>Credit ( and thanks ) go to Alesandro Ortiz for discovering this
vulnerability and bringing it to our attention.</p>
+
+<h3>Additional References</h3>
+
+<ul>
+<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li>
+<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li>
+</ul>
+</p>
+ <div><a
href="/news/2020/09/29/cve-2020-6506.html">More...</a></div>
+ </section>
+ </li>
+
+ <li>
+ <header>
<div class="adorner" blogTime="Fri, 18 Sep 2020 00:00:00
+0000"></div>
<h2 class="title">
<a
href="/news/2020/09/18/camera-plugin-release.html">Camera Plugin Released!</a>
@@ -10049,7 +10119,7 @@ window.twttr = (function(d, s, id) {
<script>
window.onload = function(){
setTimeout(function(){
- var lastPostTime = new Date("Fri, 18 Sep 2020 00:00:00
+0000").getTime();
+ var lastPostTime = new Date("Tue, 29 Sep 2020 00:00:00
+0000").getTime();
setCookie("visitTime", lastPostTime, 365);
}, 2000);
};
Modified:
cordova/site/public/docs/en/dev/reference/cordova-plugin-inappbrowser/index.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/docs/en/dev/reference/cordova-plugin-inappbrowser/index.html?rev=1882136&r1=1882135&r2=1882136&view=diff
==============================================================================
---
cordova/site/public/docs/en/dev/reference/cordova-plugin-inappbrowser/index.html
(original)
+++
cordova/site/public/docs/en/dev/reference/cordova-plugin-inappbrowser/index.html
Tue Sep 29 19:20:41 2020
@@ -2738,6 +2738,13 @@ var ref2 = cordova.InAppBrowser.open(enc
<p><code>_blank</code> and <code>_self</code> targets are not yet implemented
and are ignored silently. Pull requests and patches to get these to work are
greatly appreciated.</p>
+<h3>iOS Quirks</h3>
+
+<p>Since the introduction of iPadOS 13, iPads try to adapt their content mode
/ user agent for the optimal browsing experience. This may result in iPads
having their user agent set to Macintosh, making it hard to detect them as
mobile devices using user agent string sniffing. You can change this with the
<code>PreferredContentMode</code> preference in <code>config.xml</code>.</p>
+<div class="highlight"><pre><code class="language-xml" data-lang="xml"><span
class="nt"><preference</span> <span class="na">name=</span><span
class="s">"PreferredContentMode"</span> <span class="na">value=</span><span
class="s">"mobile"</span> <span class="nt">/></span>
+</code></pre></div>
+<p>The example above forces the user agent to contain <code>iPad</code>. The
other option is to use the value <code>desktop</code> to turn the user agent to
<code>Macintosh</code>.</p>
+
<h3>Browser Quirks</h3>
<ul>
Modified: cordova/site/public/feed.xml
URL:
http://svn.apache.org/viewvc/cordova/site/public/feed.xml?rev=1882136&r1=1882135&r2=1882136&view=diff
==============================================================================
--- cordova/site/public/feed.xml (original)
+++ cordova/site/public/feed.xml Tue Sep 29 19:20:41 2020
@@ -6,11 +6,74 @@
</description>
<link>https://cordova.apache.org/</link>
<atom:link href="https://cordova.apache.org/feed.xml"; rel="self"
type="application/rss+xml"/>
- <pubDate>Fri, 18 Sep 2020 08:45:02 +0000</pubDate>
- <lastBuildDate>Fri, 18 Sep 2020 08:45:02 +0000</lastBuildDate>
+ <pubDate>Tue, 29 Sep 2020 19:01:29 +0000</pubDate>
+ <lastBuildDate>Tue, 29 Sep 2020 19:01:29 +0000</lastBuildDate>
<generator>Jekyll v2.5.3</generator>
<item>
+ <title>Security Advisory CVE-2020-6506</title>
+ <description><h1>Security Advisory CVE-2020-6506</h1>
+
+<h3>Formally Disclosed Advisory:</h3>
+
+<ul>
+<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li>
+</ul>
+
+<p>This vulnerability is a universal cross-site scripting (UXSS)
vulnerability in Android WebView which allows cross-origin iframes to execute
arbitrary JavaScript in the top-level document. Apache Cordova apps built for
Android devices which allow the loading of http content from domains they do
not control could be affected. Theoretically this would be either in an
iframe, or by use of the InAppBrowser plugin
(cordova-plugin-inappbrowser).</p>
+
+<p>If your app loads a local page (e.g. index.html within Cordova app
loads iframe from <a href="#">malicious-example.com</a>),
no user interaction is required for this exploit.</p>
+
+<p>This vulnerability has been fixed in Android WebView as of version
83.0.4103.106.
+Users must update their Android WebView from the Google Play Store
themselves.</p>
+
+<h3>Mitigation</h3>
+
+<p>There are precautions you can take to avoid this
vulnerability.</p>
+
+<ol>
+<li>Use a restrictive an allow-list and content security policy (CSP) as
possible.<br>
+
+<ul>
+<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li>
+<li>Ensure CSPs do not include &#39;unsafe-line&#39; for
script-src/default-src unless necessary.</li>
+</ul></li>
+<li>Generally, always load local code into your application&#39;s
main webview, and use InAppBrowser to display anything remote.
+
+<ul>
+<li>Always load untrusted content into an external browser (i.e. call
InAppBrowser with <code>_system</code>)</li>
+<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li>
+</ul></li>
+<li><p>Do not use iframes, and if you must, never do so in your
application&#39;s main webview. Using the <code>sandbox</code>
attribute will mitigate this vulnerability ( preferably with an empty value. )
Avoid using these sandbox attributes together <code>allow-popups
allow-top-navigation allow-scripts</code> because they do NOT mitigate
this vulnerability.</p>
+<div class="highlight"><pre><code
class="language-js" data-lang="js"><span
class="o">&lt;</span><span
class="nx">iframe</span> <span
class="nx">sandbox</span><span
class="o">=</span><span
class="s1">''</span> <span
class="nx">src</span><span
class="o">=</span><span
class="s1">'http://untrusted-source'</span> <span
class="o">/&gt;</span>
+</code></pre></div></li>
+</ol>
+
+<p>Most of these precautions have always been gentle recommendations of
Apache Cordova, but were not reflected in the default values which were
typically left open. The Apache Cordova committers are investigating preventing
this vulnerability at the framework level, as well as tightening the default
values to prevent inadvertant exposure. In the meantime, if you suspect your
app is vulnerable, please follow the precautions above.</p>
+
+<p>Credit ( and thanks ) go to Alesandro Ortiz for discovering this
vulnerability and bringing it to our attention.</p>
+
+<h3>Additional References</h3>
+
+<ul>
+<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li>
+<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li>
+</ul>
+</description>
+ <pubDate>Tue, 29 Sep 2020 00:00:00 +0000</pubDate>
+
<link>https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html</link>
+ <guid
isPermaLink="true">https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html</guid>
+
+ <category>security</category>
+
+ <category>advisory</category>
+
+
+ <category>news</category>
+
+ </item>
+
+ <item>
<title>Camera Plugin Released!</title>
<description><p>We are happy to announce that we have just
released an update to our camera plugin!</p>
@@ -731,96 +794,6 @@ cordova platform add [email protected]
<category>news</category>
- <category>releases</category>
-
-
- <category>announcements</category>
-
- </item>
-
- <item>
- <title>Cordova iOS 6.1.0 Released!</title>
- <description><p>We are happy to announce that we have just
released <code>Cordova iOS 6.1.0</code>! This is Cordova&#39;s
official platform for building iOS mobile applications.</p>
-
-<ul>
-<li><a
href="https://www.npmjs.com/package/cordova-ios">[email protected]</a></li>
-</ul>
-
-<p><strong>To upgrade:</strong></p>
-<div class="highlight"><pre><code
class="language-bash" data-lang="bash">cordova platform
remove ios
-cordova platform add [email protected]
-</code></pre></div>
-<h2>Release Highlights</h2>
-
-<p>This release contains primarily fixes for issues with the 6.0.0
release.</p>
-
-<ul>
-<li><p><strong>Resolve CocoaPods publishing
issues</strong> <em>(since 6.0.0)</em></p>
-
-<p>The Cordova iOS 6.0.0 release was unable to be published to CocoaPods
due to issues with the Pod spec. These have been addressed and Cordova iOS
6.1.0 is available.</p></li>
-<li><p><strong>Fix landscape orientation
defaults</strong> <em>(since 6.0.0)</em></p>
-
-<p>A change made in Cordova iOS 6.0.0 had the side effect of disabling
landscape orientation for any apps that didn&#39;t specify an
<code>Orientation</code> preference in
<code>config.xml</code>. We&#39;ve reverted that change and new
apps will match Xcode defaults (allowing both portrait and landscape
orientations).</p>
-
-<p>To ensure your app properly supports the orientations you want, we
encourage setting <a
href="https://cordova.apache.org/docs/en/latest/config_ref/index.html#preference">the
<code>Orientation</code> preference</a>.</p></li>
-<li><p><strong>Fix invisible SplashScreen
bugs</strong> <em>(since 6.0.0)</em></p>
-
-<p>A bug in Cordova iOS 6.0.0 would cause the splashscreen to be
invisible unless a <code>BackgroundColor</code> preference was set
in <code>config.xml</code>. This was not the intended behaviour,
and caused a lot of confusion about not being able to interact with the webview
behind the splashscreen.</p>
-
-<p>In Cordova iOS 6.1.0, we&#39;ve fixed the splashscreen so that it
will always have a background colour (defaulting to the system background
colour) and so that the launch storyboard image should remain visible.</p>
-
-<p>To customize the background colour of your app and its splashscreen,
use <a
href="https://cordova.apache.org/docs/en/latest/config_ref/index.html#preference">the
<code>BackgroundColor</code> preference</a> in
<code>config.xml</code>.</p></li>
-<li><p><strong>Add support for dark mode
splashscreens</strong> <em>(New Feature)</em></p>
-
-<p>It is now possible to use optionally different splashscreen images
when your app is running in dark mode. You can configure these images in
<code>config.xml</code> with the <code>~dark</code>
suffix (and <code>~light</code> is also supported).</p>
-<div class="highlight"><pre><code
class="language-xml" data-lang="xml"><span
class="c">&lt;!-- Default image to be used for all modes
--&gt;</span>
-<span class="nt">&lt;splash</span> <span
class="na">src=</span><span
class="s">"res/screen/ios/Default@2x~universal~anyany.png"</span>
<span class="nt">/&gt;</span>
-
-<span class="c">&lt;!-- Image to use specifically for dark
mode devices --&gt;</span>
-<span class="nt">&lt;splash</span> <span
class="na">src=</span><span
class="s">"res/screen/ios/Default@2x~universal~anyany~dark.png"</span>
<span class="nt">/&gt;</span>
-
-<span class="c">&lt;!-- Image to use specifically for
light mode devices --&gt;</span>
-<span class="nt">&lt;splash</span> <span
class="na">src=</span><span
class="s">"res/screen/ios/Default@2x~universal~anyany~light.png"</span>
<span class="nt">/&gt;</span>
-</code></pre></div></li>
-<li><p><strong>Add preference for iPad desktop layout
behaviour</strong> <em>(New Feature)</em></p>
-
-<p>iPadOS 13 defaults to using a desktop layout in webviews rather than
a mobile layout. You can now control this behaviour in your apps with <a
href="https://cordova.apache.org/docs/en/latest/config_ref/index.html#preference">the
<code>PreferredContentMode</code> preference</a> in
<code>config.xml</code>. Valid options are
<code>mobile</code> and
<code>desktop</code>.</p></li>
-<li><p><strong>Add preference for webview window
handling</strong> <em>(New Feature)</em></p>
-
-<p>Historically, Cordova iOS has not supported the creation of new
webview windows with APIs like <code>window.open</code> or links
with <code>target=&quot;_blank&quot;</code>. The default
behaviour was inconsistent, with some links opening externally in Safari and
some links being unclickable. There is now <a
href="https://cordova.apache.org/docs/en/latest/config_ref/index.html#preference">an
<code>AllowNewWindows</code> preference</a> in
<code>config.xml</code> to control the behaviour of new windows
within the application.</p>
-
-<ul>
-<li>When <strong>false</strong> (the default behaviour),
links that would open a new window are instead opened in the same webview as if
they had not requested a new window.</li>
-<li>When <strong>true</strong>, links that would open a new
window will create a new webview overtop of the app. This new webview provides
no controls, so you must include a way to dismiss it with
<code>window.close()</code>.</li>
-</ul>
-
-<p>Links that are outside the list of <a
href="https://cordova.apache.org/docs/en/latest/config_ref/index.html#allow-navigation"><code>allow-navigation</code></a>
URLs will continue to open in Safari.</p></li>
-</ul>
-
-<p>Please report any issues you find at <a
href="http://issues.cordova.io/">issues.cordova.io</a>!</p>
-
-<!--more-->
-
-<h2>Full Changelog</h2>
-
-<ul>
-<li><a
href="https://github.com/apache/cordova-ios/pull/910">GH-910</a>
Set <code>$PROJECT_NAME</code> properly when installing
plugins</li>
-<li><a
href="https://github.com/apache/cordova-ios/pull/885">GH-885</a>
Don&#39;t silently ignore creation of new windows</li>
-<li><a
href="https://github.com/apache/cordova-ios/issues/899">GH-889</a>
Revert &quot;(ios) Don&#39;t pre-fill orientation&quot; (<a
href="https://github.com/apache/cordova-ios/pull/901">#901</a>)</li>
-<li><a
href="https://github.com/apache/cordova-ios/pull/902">GH-902</a>
chore: fix eslint failure</li>
-<li><a
href="https://github.com/apache/cordova-ios/pull/808">GH-808</a>
Dark mode splashscreen storyboard images</li>
-<li><a
href="https://github.com/apache/cordova-ios/pull/886">GH-886</a>
Add PreferredContentMode preference</li>
-<li><a
href="https://github.com/apache/cordova-ios/issues/890">GH-890</a>
Fix SplashScreen issues &amp; refactor BackgroundColor (<a
href="https://github.com/apache/cordova-ios/pull/896">#896</a>)</li>
-<li><a
href="https://github.com/apache/cordova-ios/pull/888">GH-888</a>
fix: author and tag podspec errors</li>
-<li><a
href="https://github.com/apache/cordova-ios/pull/882">GH-882</a>
fix: Properly get version from <code>package.json</code></li>
-</ul>
-</description>
- <pubDate>Tue, 23 Jun 2020 00:00:00 +0000</pubDate>
-
<link>https://cordova.apache.org/announcements/2020/06/23/cordova-ios-6.1.0.html</link>
- <guid
isPermaLink="true">https://cordova.apache.org/announcements/2020/06/23/cordova-ios-6.1.0.html</guid>
-
- <category>news</category>
-
<category>releases</category>
Modified: cordova/site/public/news/2020/09/18/camera-plugin-release.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/news/2020/09/18/camera-plugin-release.html?rev=1882136&r1=1882135&r2=1882136&view=diff
==============================================================================
--- cordova/site/public/news/2020/09/18/camera-plugin-release.html (original)
+++ cordova/site/public/news/2020/09/18/camera-plugin-release.html Tue Sep 29
19:20:41 2020
@@ -223,6 +223,26 @@
</div>
<div class="col-sm-6">
+ <a href="/news/2020/09/29/cve-2020-6506.html">Next</a>
+ <br>
+ <br>
+ <a class="title"
href="/news/2020/09/29/cve-2020-6506.html">Security Advisory CVE-2020-6506</a>
+ <div class="date"> 29 Sep 2020 - By Jesse MacFadyen </div>
+ <p class="content">
+ <!--
+ NOTE:
+ the markdownify filter is used here
+ because posts are rendered in sequence;
+ that is, the next post's content isn't
+ yet rendered at the time that this post
+ is being rendered, so page.next.excerpt
+ is still in Markdown and not HTML
+
+ Reference:
https://github.com/jekyll/jekyll/issues/2860
+ -->
+ Security Advisory CVE-2020-6506 Formally Disclosed
Advisory: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 This
vulnerability is a universal...
+ </p>
+
</div>
</div>
</footer>
Added: cordova/site/public/news/2020/09/29/cve-2020-6506.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/news/2020/09/29/cve-2020-6506.html?rev=1882136&view=auto
==============================================================================
--- cordova/site/public/news/2020/09/29/cve-2020-6506.html (added)
+++ cordova/site/public/news/2020/09/29/cve-2020-6506.html Tue Sep 29 19:20:41
2020
@@ -0,0 +1,320 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="utf-8">
+ <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <meta name="format-detection" content="telephone=no">
+ <meta name="viewport" content="user-scalable=no, initial-scale=1,
maximum-scale=1, minimum-scale=1, width=device-width" />
+ <meta name="description" content="Security Advisory CVE-2020-6506Formally
Disclosed
Advisory:https://bugs.chromium.org/p/chromium/issues/detail?id=1083819This
vulnerability is a universal cro...">
+
+ <title>
+
+
+ Security Advisory CVE-2020-6506 - Apache Cordova
+
+
+ </title>
+
+ <link rel="SHORTCUT ICON" href="/favicon.ico"/>
+
+
+
+
+
+
+ <link rel="canonical"
href="https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html";>
+
+ <!-- CSS -->
+ <link rel="stylesheet" type="text/css" href="/static/css/main.css">
+ <link rel="stylesheet" type="text/css" href="/static/css/lib/syntax.css">
+ <!-- Algolia Search CSS -->
+ <link rel="stylesheet"
href="https://cdn.jsdelivr.net/docsearch.js/1/docsearch.min.css"; />
+
+ <!-- Fonts -->
+ <!-- For attribution information, see www/attributions.html -->
+ <link
href='https://fonts.googleapis.com/css?family=Raleway:700,400,300,700italic,400italic,300italic'
rel='stylesheet' type='text/css'>
+
+ <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media
queries -->
+ <!--[if lt IE 9]>
+ <script
src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js";></script>
+ <script
src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js";></script>
+ <![endif]-->
+ <script type="text/javascript">
+ var disqus_developer = 1; // this would set it to developer mode
+ </script>
+
+ <!-- JS -->
+ <script defer type="text/javascript"
src="/static/js/lib/jquery-2.1.1.min.js"></script>
+ <script defer type="text/javascript"
src="/static/js/lib/bootstrap.min.js"></script>
+
+ <script>
+
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new
Date();a=s.createElement(o),
+
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+ ga('create', 'UA-64283057-3', 'auto');
+ ga('send', 'pageview');
+</script>
+
+</head>
+
+<body>
+ <header>
+ <a class="scroll-point pt-top" name="top"></a>
+ <nav class="navbar navbar-inverse navbar-fixed-top">
+ <div class="container-fluid">
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle collapsed"
data-toggle="collapse" data-target="#navbar" aria-expanded="false"
aria-controls="navbar">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a class="navbar-brand" href="/"><img id="logo_top"
src="/static/img/cordova-logo-newbrand.svg"/></a>
+ </div>
+ <div id="navbar" class="navbar-collapse collapse">
+ <div class="nav_bar_center">
+ <ul class="nav navbar-nav">
+ <li >
+ <a href="/docs/en/latest/">Documentation</a>
+ </li>
+ <li >
+ <a href="/plugins">Plugins</a>
+ </li>
+ <li class="active">
+ <a href="/blog" id="blog_button">Blog<span
class="badge" id="new_blog_count"></span></a>
+ </li>
+ <li >
+ <a href="/contribute">Contribute</a>
+ </li>
+ <li>
+ <a href="/#getstarted">Get Started</a>
+ </li>
+ <li>
+ <form class="navbar-form navbar-right"
id="header-search-form" role="search">
+ <div class="input-group">
+
+
+
+ <input id="header-search-field"
type="text" placeholder="Search '9.x' docs..." class="form-control hidden-xs"
autocomplete="off">
+ </div>
+ </form>
+ </li>
+ </ul>
+ </div>
+ </div><!--/.navbar-collapse -->
+ </div>
+ </nav>
+ <div id="_fixed_navbar_spacer" style="padding-top:50px"></div>
+</header>
+
+<div class="page container">
+ <div class="blog">
+ <h1 class="blogHeader">
+ Blog
+ <span class="rss">
+ <img src="/static/img/subscribe.png"><a href="/feed.xml">RSS Feed</a>
+ </span>
+</h1>
+
+<div class="post">
+ <header>
+ <div class="title">Security Advisory CVE-2020-6506</div>
+ <div class="author">By:
+
+ Jesse MacFadyen
+
+ </div>
+ <div class="date">29 Sep 2020</div>
+ </header>
+ <section>
+ <div>
+ <h1>Security Advisory CVE-2020-6506</h1>
+
+<h3>Formally Disclosed Advisory:</h3>
+
+<ul>
+<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li>
+</ul>
+
+<p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability
in Android WebView which allows cross-origin iframes to execute arbitrary
JavaScript in the top-level document. Apache Cordova apps built for Android
devices which allow the loading of http content from domains they do not
control could be affected. Theoretically this would be either in an iframe, or
by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p>
+
+<p>If your app loads a local page (e.g. index.html within Cordova app loads
iframe from <a href="#">malicious-example.com</a>), no user interaction is
required for this exploit.</p>
+
+<p>This vulnerability has been fixed in Android WebView as of version
83.0.4103.106.
+Users must update their Android WebView from the Google Play Store
themselves.</p>
+
+<h3>Mitigation</h3>
+
+<p>There are precautions you can take to avoid this vulnerability.</p>
+
+<ol>
+<li>Use a restrictive an allow-list and content security policy (CSP) as
possible.<br>
+
+<ul>
+<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li>
+<li>Ensure CSPs do not include 'unsafe-line' for
script-src/default-src unless necessary.</li>
+</ul></li>
+<li>Generally, always load local code into your application's main
webview, and use InAppBrowser to display anything remote.
+
+<ul>
+<li>Always load untrusted content into an external browser (i.e. call
InAppBrowser with <code>_system</code>)</li>
+<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li>
+</ul></li>
+<li><p>Do not use iframes, and if you must, never do so in your
application's main webview. Using the <code>sandbox</code> attribute will
mitigate this vulnerability ( preferably with an empty value. ) Avoid using
these sandbox attributes together <code>allow-popups allow-top-navigation
allow-scripts</code> because they do NOT mitigate this vulnerability.</p>
+<div class="highlight"><pre><code class="language-js" data-lang="js"><span
class="o"><</span><span class="nx">iframe</span> <span
class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span>
<span class="nx">src</span><span class="o">=</span><span
class="s1">'http://untrusted-source'</span> <span class="o">/></span>
+</code></pre></div></li>
+</ol>
+
+<p>Most of these precautions have always been gentle recommendations of Apache
Cordova, but were not reflected in the default values which were typically left
open. The Apache Cordova committers are investigating preventing this
vulnerability at the framework level, as well as tightening the default values
to prevent inadvertant exposure. In the meantime, if you suspect your app is
vulnerable, please follow the precautions above.</p>
+
+<p>Credit ( and thanks ) go to Alesandro Ortiz for discovering this
vulnerability and bringing it to our attention.</p>
+
+<h3>Additional References</h3>
+
+<ul>
+<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li>
+<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li>
+</ul>
+
+ </div>
+ </section>
+ <footer>
+ <div class="row">
+ <div class="col-sm-6">
+
+ <a
href="/news/2020/09/18/camera-plugin-release.html">Previous</a>
+ <br>
+ <br>
+ <a class="title"
href="/news/2020/09/18/camera-plugin-release.html">Camera Plugin Released!</a>
+ <div class="date"> 18 Sep 2020 - By Bryan Ellis </div>
+ <p class="content">
+ We are happy to announce that we have just released an
update...
+ </p>
+
+ </div>
+ <div class="col-sm-6">
+
+ </div>
+ </div>
+ </footer>
+ <div class="disqus">
+ <div id="disqus_thread"></div>
+<script type="text/javascript">
+ /* * * CONFIGURATION VARIABLES * * */
+ var disqus_shortname = 'cordovablogs';
+
+ /* * * DON'T EDIT BELOW THIS LINE * * */
+ (function() {
+ var dsq = document.createElement('script'); dsq.type =
'text/javascript'; dsq.async = true;
+ dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
+ (document.getElementsByTagName('head')[0] ||
document.getElementsByTagName('body')[0]).appendChild(dsq);
+ })();
+</script>
+<noscript>Please enable JavaScript to view the <a
href="https://disqus.com/?ref_noscript"; rel="nofollow">comments powered by
Disqus.</a></noscript>
+
+ </div>
+</div>
+
+</div>
+
+</div>
+
+<div class="blue-divider"></div>
+<footer>
+ <div class="container">
+ <div class="row">
+ <div class="col-sm-9">
+ <h1>More Resources</h1>
+ <div class="row">
+ <div class="col-sm-4">
+ <h2>General</h2>
+ <ul class="nav">
+ <li>
+ <a target="_blank"
href="https://projects.apache.org/project.html?cordova";>Apache Project Page</a>
+ </li>
+ <li>
+ <a
href="http://www.apache.org/dyn/closer.cgi/cordova";>Source Distribution</a>
+ </li>
+ <li>
+ <a target="_blank"
href="http://www.apache.org/licenses/LICENSE-2.0";>License</a>
+ </li>
+ <li>
+ <a href="/artwork">Artwork</a>
+ </li>
+ </ul>
+ </div>
+ <div class="col-sm-4">
+ <h2>Development</h2>
+ <ul class="nav">
+ <li><a target="_blank"
href="https://github.com/apache?utf8=%E2%9C%93&q=cordova-";>Source
Code</a></li>
+ <li><a target="_blank"
href="https://issues.apache.org/jira/browse/CB/";>Issue Tracker</a></li>
+ <li><a target="_blank"
href="http://stackoverflow.com/questions/tagged/cordova";>Stack Overflow</a></li>
+ <li><a href="/contact">Mailing List</a></li>
+ <li><a href="/contribute/nightly_builds.html">Nightly
builds</a></li>
+ </ul>
+ </div>
+ <div class="col-sm-4">
+ <h2>Apache Software Foundation</h2>
+ <ul class="nav">
+ <li>
+ <a target="_blank" href="http://www.apache.org/";>About
ASF</a>
+ </li>
+ <li>
+ <a target="_blank"
href="http://www.apache.org/foundation/sponsorship.html";>Become a Sponsor</a>
+ </li>
+ <li>
+ <a target="_blank"
href="http://www.apache.org/foundation/thanks.html";>Thanks</a>
+ </li>
+ <li>
+ <a target="_blank"
href="http://www.apache.org/security/";>Security</a>
+ </li>
+ </ul>
+ </div>
+ </div>
+ </div>
+ <div class="col-sm-3">
+ <h1>Contribute</h1>
+ <p style="padding-top:20px"><strong>Help Cordova move
forward!</strong></p>
+ <p>Report bugs, improve the docs, or contribute to the code.</p>
+ <a href="/contribute" class="btn btn-lg btn-primary">
+ Learn More
+ </a>
+ <p style="padding-top:20px"> <a
href="https://twitter.com/apachecordova"; class="twitter-follow-button"
data-show-count="false">Follow @apachecordova</a></p>
+ <script async defer
src="https://slack-cordova-io.herokuapp.com/slackin.js";></script>
+ </div>
+</div>
+<p class="copyright_text">
+ Copyright © 2012, 2013, 2015 The Apache Software Foundation, Licensed
under the <a target="_blank"
href="http://www.apache.org/licenses/LICENSE-2.0";>Apache License, Version
2.0</a>.<br/>
+ Apache and the Apache feather logos are <a target="_blank"
href="http://www.apache.org/foundation/marks/list/";>trademarks</a> of The
Apache Software Foundation.
+ <br/>
+ "Raleway" font used under license. For details see the <a
href="/attributions/">attributions page</a>.
+</p>
+
+ </div>
+</footer>
+
+
+ <script defer type="text/javascript" src="/static/js/index.js"></script>
+ <script defer type="text/javascript" src="/static/js/twitter.js"></script>
+
+
+
+
+
+
+
+
+<script type="text/javascript"
src="https://cdn.jsdelivr.net/docsearch.js/1/docsearch.min.js";></script>
+<script type="text/javascript">
+ docsearch({
+ apiKey: '0a916ab198bd93d031aa70611271e42e',
+ indexName: 'cordova',
+ inputSelector: '#header-search-field',
+ algoliaOptions: { 'facetFilters': ["version: 9.x", "language: en"] }
+ });
+</script>
+
+</body>
+</html>
Modified: cordova/site/public/sitemap.xml
URL:
http://svn.apache.org/viewvc/cordova/site/public/sitemap.xml?rev=1882136&r1=1882135&r2=1882136&view=diff
==============================================================================
--- cordova/site/public/sitemap.xml (original)
+++ cordova/site/public/sitemap.xml Tue Sep 29 19:20:41 2020
@@ -4,6 +4,11 @@
<!-- posts -->
<url>
+ <loc>https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html</loc>
+</url>
+
+
+<url>
<loc>https://cordova.apache.org/news/2020/09/18/camera-plugin-release.html</loc>
</url>
Modified: cordova/site/public/static/js/index.js
URL:
http://svn.apache.org/viewvc/cordova/site/public/static/js/index.js?rev=1882136&r1=1882135&r2=1882136&view=diff
==============================================================================
--- cordova/site/public/static/js/index.js (original)
+++ cordova/site/public/static/js/index.js Tue Sep 29 19:20:41 2020
@@ -77,6 +77,7 @@ function checkNotification() {
var dates = [];
if (lastVisit != "") {
+ dates.push('Tue, 29 Sep 2020 00:00:00 +0000');
dates.push('Fri, 18 Sep 2020 00:00:00 +0000');
dates.push('Mon, 31 Aug 2020 00:00:00 +0000');
dates.push('Fri, 14 Aug 2020 00:00:00 +0000');
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
