Author: janpio
Date: Wed Sep 30 18:32:31 2020
New Revision: 1882165
URL: http://svn.apache.org/viewvc?rev=1882165&view=rev
Log:
Updated docs
Modified:
cordova/site/public/blog/index.html
cordova/site/public/feed.xml
cordova/site/public/news/2020/09/18/camera-plugin-release.html
cordova/site/public/news/2020/09/29/cve-2020-6506.html
Modified: cordova/site/public/blog/index.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1882165&r1=1882164&r2=1882165&view=diff
==============================================================================
--- cordova/site/public/blog/index.html (original)
+++ cordova/site/public/blog/index.html Wed Sep 30 18:32:31 2020
@@ -139,12 +139,10 @@
</div>
</header>
<section class="post-excerpt">
- <p><h1>Security Advisory CVE-2020-6506</h1>
-
-<h3>Formally Disclosed Advisory:</h3>
+ <p><h3>Formally Disclosed Advisory:</h3>
<ul>
-<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li>
+<li><a
href="https://bugs.chromium.org/p/chromium/issues/detail?id=1083819">https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</a></li>
</ul>
<p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability
in Android WebView which allows cross-origin iframes to execute arbitrary
JavaScript in the top-level document. Apache Cordova apps built for Android
devices which allow the loading of http content from domains they do not
control could be affected. Theoretically this would be either in an iframe, or
by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p>
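Review bot: The added line "<p><h3>Formally Disclosed Advisory:</h3>" still nests a heading inside a paragraph. HTML parsers close the <p> as soon as they reach the <h3>, so the wrapper ends up empty and the advisory body sits outside it. Since this hunk already rewrites that line, drop the wrapping <p> around the post excerpt, or use a <div>, so the list and paragraphs that follow are valid children.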
@@ -162,14 +160,14 @@ Users must update their Android WebView
<li>Use a restrictive an allow-list and content security policy (CSP) as
possible.<br>
<ul>
-<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li>
+<li><a
href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</a></li>
<li>Ensure CSPs do not include 'unsafe-line' for
script-src/default-src unless necessary.</li>
</ul></li>
<li>Generally, always load local code into your application's main
webview, and use InAppBrowser to display anything remote.
<ul>
<li>Always load untrusted content into an external browser (i.e. call
InAppBrowser with <code>_system</code>)</li>
-<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li>
+<li><a
href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</a></li>
</ul></li>
<li><p>Do not use iframes, and if you must, never do so in your
application's main webview. Using the <code>sandbox</code> attribute will
mitigate this vulnerability ( preferably with an empty value. ) Avoid using
these sandbox attributes together <code>allow-popups allow-top-navigation
allow-scripts</code> because they do NOT mitigate this vulnerability.</p>
<div class="highlight"><pre><code class="language-js" data-lang="js"><span
class="o"><</span><span class="nx">iframe</span> <span
class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span>
<span class="nx">src</span><span class="o">=</span><span
class="s1">'http://untrusted-source'</span> <span class="o">/></span>
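Review bot: The context line next to the fixed whitelist link still reads 'unsafe-line', which is not a CSP keyword; the source value that permits inline script is 'unsafe-inline'. Readers will search their policy for the exact string the advisory gives, so correct it in the same pass. The item above it, "Use a restrictive an allow-list and content security policy (CSP) as possible", should read "Use as restrictive an allow-list and content security policy (CSP) as possible".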
@@ -183,9 +181,11 @@ Users must update their Android WebView
<h3>Additional References</h3>
<ul>
-<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li>
-<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li>
+<li><a
href="https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/">https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</a></li>
+<li><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">https://nvd.nist.gov/vuln/detail/CVE-2020-6506</a></li>
</ul>
+
+<p><em>edit: fixed links that weren't linking</em> -JM</p>
</p>
<div><a
href="/news/2020/09/29/cve-2020-6506.html">More...</a></div>
</section>
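Review bot: The new edit note is a <p> of its own, yet the unchanged </p> right after it is still there and now has no open paragraph to close. The note also lands inside the blog index excerpt, above the "More..." link, where a remark about link markup adds little. Keep it in the post body only, or move it outside the excerpted portion, and remove the leftover </p>.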
Modified: cordova/site/public/feed.xml
URL:
http://svn.apache.org/viewvc/cordova/site/public/feed.xml?rev=1882165&r1=1882164&r2=1882165&view=diff
==============================================================================
--- cordova/site/public/feed.xml (original)
+++ cordova/site/public/feed.xml Wed Sep 30 18:32:31 2020
@@ -6,18 +6,16 @@
</description>
<link>https://cordova.apache.org/</link>
<atom:link href="https://cordova.apache.org/feed.xml" rel="self"
type="application/rss+xml"/>
- <pubDate>Tue, 29 Sep 2020 19:01:29 +0000</pubDate>
- <lastBuildDate>Tue, 29 Sep 2020 19:01:29 +0000</lastBuildDate>
+ <pubDate>Wed, 30 Sep 2020 18:12:36 +0000</pubDate>
+ <lastBuildDate>Wed, 30 Sep 2020 18:12:36 +0000</lastBuildDate>
<generator>Jekyll v2.5.3</generator>
<item>
<title>Security Advisory CVE-2020-6506</title>
- <description><h1>Security Advisory CVE-2020-6506</h1>
-
-<h3>Formally Disclosed Advisory:</h3>
+ <description><h3>Formally Disclosed Advisory:</h3>
<ul>
-<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li>
+<li><a
href="https://bugs.chromium.org/p/chromium/issues/detail?id=1083819">https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</a></li>
</ul>
<p>This vulnerability is a universal cross-site scripting (UXSS)
vulnerability in Android WebView which allows cross-origin iframes to execute
arbitrary JavaScript in the top-level document. Apache Cordova apps built for
Android devices which allow the loading of http content from domains they do
not control could be affected. Theoretically this would be either in an
iframe, or by use of the InAppBrowser plugin
(cordova-plugin-inappbrowser).</p>
@@ -35,14 +33,14 @@ Users must update their Android WebView
<li>Use a restrictive an allow-list and content security policy (CSP) as
possible.<br>
<ul>
-<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li>
+<li><a
href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</a></li>
<li>Ensure CSPs do not include &#39;unsafe-line&#39; for
script-src/default-src unless necessary.</li>
</ul></li>
<li>Generally, always load local code into your application&#39;s
main webview, and use InAppBrowser to display anything remote.
<ul>
<li>Always load untrusted content into an external browser (i.e. call
InAppBrowser with <code>_system</code>)</li>
-<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li>
+<li><a
href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</a></li>
</ul></li>
<li><p>Do not use iframes, and if you must, never do so in your
application&#39;s main webview. Using the <code>sandbox</code>
attribute will mitigate this vulnerability ( preferably with an empty value. )
Avoid using these sandbox attributes together <code>allow-popups
allow-top-navigation allow-scripts</code> because they do NOT mitigate
this vulnerability.</p>
<div class="highlight"><pre><code
class="language-js" data-lang="js"><span
class="o">&lt;</span><span
class="nx">iframe</span> <span
class="nx">sandbox</span><span
class="o">=</span><span
class="s1">''</span> <span
class="nx">src</span><span
class="o">=</span><span
class="s1">'http://untrusted-source'</span> <span
class="o">/&gt;</span>
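Review bot: The sample in this hunk's context is the mitigation readers will copy, and it is written self-closing: <iframe sandbox='' src='http://untrusted-source' />. iframe is not a void element in HTML, so the trailing slash is ignored and the markup that follows is swallowed as the frame's content until a </iframe> appears. Write the sample with an explicit closing tag. The block is also tagged language-js although it is HTML markup.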
@@ -56,9 +54,11 @@ Users must update their Android WebView
<h3>Additional References</h3>
<ul>
-<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li>
-<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li>
+<li><a
href="https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/">https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</a></li>
+<li><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">https://nvd.nist.gov/vuln/detail/CVE-2020-6506</a></li>
</ul>
+
+<p><em>edit: fixed links that weren&#39;t linking</em>
-JM</p>
</description>
<pubDate>Tue, 29 Sep 2020 00:00:00 +0000</pubDate>
<link>https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html</link>
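Review bot: Only the channel dates moved in this file; the item's pubDate at the end of this hunk still reads Tue, 29 Sep 2020 00:00:00 +0000 although its description changed. Feed readers that key on the item date will not resurface the entry. That is fine for a markup fix but would hide a later change to the mitigation list, so decide whether revised advisories should bump the item date or carry an explicit updated marker.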
Modified: cordova/site/public/news/2020/09/18/camera-plugin-release.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/news/2020/09/18/camera-plugin-release.html?rev=1882165&r1=1882164&r2=1882165&view=diff
==============================================================================
--- cordova/site/public/news/2020/09/18/camera-plugin-release.html (original)
+++ cordova/site/public/news/2020/09/18/camera-plugin-release.html Wed Sep 30
18:32:31 2020
@@ -240,7 +240,7 @@
Reference:
https://github.com/jekyll/jekyll/issues/2860
-->
- Security Advisory CVE-2020-6506 Formally Disclosed
Advisory: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 This
vulnerability is a universal...
+ Formally Disclosed Advisory:
https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 This
vulnerability is a universal cross-site scripting (UXSS)...
</p>
</div>
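Review bot: The teaser on this unrelated release post now opens with "Formally Disclosed Advisory:" and a bare tracker URL, and the CVE identifier that the removed line carried is gone. Give the advisory post an explicit excerpt or description that names CVE-2020-6506 and summarises the issue, so the generated teaser does not depend on whatever the first lines of the body happen to be.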
Modified: cordova/site/public/news/2020/09/29/cve-2020-6506.html
URL:
http://svn.apache.org/viewvc/cordova/site/public/news/2020/09/29/cve-2020-6506.html?rev=1882165&r1=1882164&r2=1882165&view=diff
==============================================================================
--- cordova/site/public/news/2020/09/29/cve-2020-6506.html (original)
+++ cordova/site/public/news/2020/09/29/cve-2020-6506.html Wed Sep 30 18:32:31
2020
@@ -6,7 +6,7 @@
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="format-detection" content="telephone=no">
<meta name="viewport" content="user-scalable=no, initial-scale=1,
maximum-scale=1, minimum-scale=1, width=device-width" />
- <meta name="description" content="Security Advisory CVE-2020-6506Formally
Disclosed
Advisory:https://bugs.chromium.org/p/chromium/issues/detail?id=1083819This
vulnerability is a universal cro...">
+ <meta name="description" content="Formally Disclosed
Advisory:https://bugs.chromium.org/p/chromium/issues/detail?id=1083819This
vulnerability is a universal cross-site scripting (UXSS) vulner...">
<title>
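Review bot: The new meta description runs its words together: "Advisory:https://..." and "id=1083819This vulnerability" have no separating spaces, which looks like tags being stripped without whitespace being inserted between blocks. Search results and link previews will show the string as is. Set the description for this post explicitly rather than deriving it from the stripped body.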
@@ -130,12 +130,10 @@
</header>
<section>
<div>
- <h1>Security Advisory CVE-2020-6506</h1>
-
-<h3>Formally Disclosed Advisory:</h3>
+ <h3>Formally Disclosed Advisory:</h3>
<ul>
-<li>https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</li>
+<li><a
href="https://bugs.chromium.org/p/chromium/issues/detail?id=1083819">https://bugs.chromium.org/p/chromium/issues/detail?id=1083819</a></li>
</ul>
<p>This vulnerability is a universal cross-site scripting (UXSS) vulnerability
in Android WebView which allows cross-origin iframes to execute arbitrary
JavaScript in the top-level document. Apache Cordova apps built for Android
devices which allow the loading of http content from domains they do not
control could be affected. Theoretically this would be either in an iframe, or
by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).</p>
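Review bot: The affected-apps sentence in this hunk's context says apps that load "http content from domains they do not control", while the sentence before it describes the flaw as cross-origin iframes running script in the top-level document, with no mention of scheme. As written, a reader could conclude that apps loading only HTTPS content are out of scope. Say "web content", or state explicitly whether the scheme matters.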
@@ -153,14 +151,14 @@ Users must update their Android WebView
<li>Use a restrictive an allow-list and content security policy (CSP) as
possible.<br>
<ul>
-<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</li>
+<li><a
href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/</a></li>
<li>Ensure CSPs do not include 'unsafe-line' for
script-src/default-src unless necessary.</li>
</ul></li>
<li>Generally, always load local code into your application's main
webview, and use InAppBrowser to display anything remote.
<ul>
<li>Always load untrusted content into an external browser (i.e. call
InAppBrowser with <code>_system</code>)</li>
-<li>https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</li>
+<li><a
href="https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/">https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/</a></li>
</ul></li>
<li><p>Do not use iframes, and if you must, never do so in your
application's main webview. Using the <code>sandbox</code> attribute will
mitigate this vulnerability ( preferably with an empty value. ) Avoid using
these sandbox attributes together <code>allow-popups allow-top-navigation
allow-scripts</code> because they do NOT mitigate this vulnerability.</p>
<div class="highlight"><pre><code class="language-js" data-lang="js"><span
class="o"><</span><span class="nx">iframe</span> <span
class="nx">sandbox</span><span class="o">=</span><span class="s1">''</span>
<span class="nx">src</span><span class="o">=</span><span
class="s1">'http://untrusted-source'</span> <span class="o">/></span>
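Review bot: The sandbox guidance in this hunk's context calls allow-popups, allow-top-navigation and allow-scripts "sandbox attributes" and says to avoid them "together", which leaves it unclear whether any one of them alone still mitigates the issue. They are values of the single sandbox attribute; reword accordingly and state whether the mitigation fails only for the combination or for each value. The stray spaces in "( preferably with an empty value. )" can be cleaned up in the same pass.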
@@ -174,10 +172,12 @@ Users must update their Android WebView
<h3>Additional References</h3>
<ul>
-<li>https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</li>
-<li>https://nvd.nist.gov/vuln/detail/CVE-2020-6506</li>
+<li><a
href="https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/">https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/</a></li>
+<li><a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-6506">https://nvd.nist.gov/vuln/detail/CVE-2020-6506</a></li>
</ul>
+<p><em>edit: fixed links that weren't linking</em> -JM</p>
+
</div>
</section>
<footer>
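Review bot: The added edit note is signed with initials only and carries no date, so a reader of the advisory cannot tell when it was revised or whether the security guidance itself changed. State in the note that only link markup changed and add the revision date.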