This is an automated email from the ASF dual-hosted git repository.
purplecabbage pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cordova-docs.git
The following commit(s) were added to refs/heads/master by this push:
new 5426195 fixed links that were not links
5426195 is described below
commit 54261953a915ed6342e1c03480c4653ea5724505
Author: Jesse MacFadyen <[email protected]>
AuthorDate: Wed Sep 30 11:10:07 2020 -0700
fixed links that were not links
---
www/_posts/2020-09-29-cve-2020-6506.md | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/www/_posts/2020-09-29-cve-2020-6506.md
b/www/_posts/2020-09-29-cve-2020-6506.md
index 54e655f..6002f1d 100644
--- a/www/_posts/2020-09-29-cve-2020-6506.md
+++ b/www/_posts/2020-09-29-cve-2020-6506.md
@@ -8,10 +8,8 @@ tags: security advisory
---
-# Security Advisory CVE-2020-6506
-
### Formally Disclosed Advisory:
-- https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
+-
[https://bugs.chromium.org/p/chromium/issues/detail?id=1083819](https://bugs.chromium.org/p/chromium/issues/detail?id=1083819)
This vulnerability is a universal cross-site scripting (UXSS) vulnerability in
Android WebView which allows cross-origin iframes to execute arbitrary
JavaScript in the top-level document. Apache Cordova apps built for Android
devices which allow the loading of http content from domains they do not
control could be affected. Theoretically this would be either in an iframe, or
by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).
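Review bot: the removal of the `# Security Advisory CVE-2020-6506` heading at the top of this hunk is not covered by the commit message ("fixed links that were not links"); either restore the heading or state in the message that it was dropped deliberately, for example because the post's front-matter title already renders it. The link rewrite itself is fine, but writing each URL twice as `[url](url)` is noisy; the autolink form `<https://bugs.chromium.org/p/chromium/issues/detail?id=1083819>` renders the same clickable link without the duplication.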
@@ -26,11 +24,11 @@ Users must update their Android WebView from the Google
Play Store themselves.
There are precautions you can take to avoid this vulnerability.
1. Use a restrictive an allow-list and content security policy (CSP) as
possible.
- -
https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/
+ -
[https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/](https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/)
- Ensure CSPs do not include 'unsafe-line' for script-src/default-src
unless necessary.
1. Generally, always load local code into your application's main webview, and
use InAppBrowser to display anything remote.
- Always load untrusted content into an external browser (i.e. call
InAppBrowser with `_system`)
- -
https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/
+ -
[https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/](https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/)
1. Do not use iframes, and if you must, never do so in your application's main
webview. Using the `sandbox` attribute will mitigate this vulnerability (
preferably with an empty value. ) Avoid using these sandbox attributes together
`allow-popups allow-top-navigation allow-scripts` because they do NOT mitigate
this vulnerability.
```js
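Review bot: while this precautions list is being touched, two typos in the unchanged context should go into the same change: "Use a restrictive an allow-list" should read "Use as restrictive an allow-list", and `'unsafe-line'` should be `'unsafe-inline'`, the actual CSP source keyword; as written, a reader auditing their policy for `'unsafe-line'` will find nothing and may conclude the advice does not apply. The new sub-bullets (`+ -` with the wrapped Markdown link) keep the same one-space indent as the lines they replace, so the nesting under the numbered items is unchanged.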
@@ -42,5 +40,7 @@ Most of these precautions have always been gentle
recommendations of Apache Cord
Credit ( and thanks ) go to Alesandro Ortiz for discovering this vulnerability
and bringing it to our attention.
### Additional References
-- https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
-- https://nvd.nist.gov/vuln/detail/CVE-2020-6506
+-
[https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/](https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/)
+-
[https://nvd.nist.gov/vuln/detail/CVE-2020-6506](https://nvd.nist.gov/vuln/detail/CVE-2020-6506)
+
+_edit: fixed links that weren't linking_ -JM
\ No newline at end of file
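Review bot: the file still ends without a trailing newline (`\ No newline at end of file` now applies to the added `_edit: fixed links that weren't linking_ -JM` line); add one so the next edit to this post does not produce a spurious diff on its last line. Separately, consider whether an inline edit note belongs in the body of a published security advisory: the git history already records the change, and the note renders to readers as part of the advisory text.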
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]