Summary: In order to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS), the Crosswalk runtime model needs to implement the Content Security Policy (CSP). CSP is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load and execute content. These fairly strict policies will make applications more secure.

Spec:
- https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
- https://docs.google.com/a/intel.com/document/d/1dhU1tMH10JDu2ADv1v5s7X65KW2Qf8iZDvoMPyP0aWQ/edit?pli=1#heading=h.ocjfwvbouo2t

Affected component: xwalk/application

Related feature in Jira: https://crosswalk-project.org/jira/browse/XWALK-630

Target Release: Crosswalk-4

Target Platform: Linux/Tizen

Implementation details:

I plan to enable the CSP support in these two aspects:

1. Implement the CSP parsing for manifest.json.

2. Add the CSP information in the resource request header.
- The Crosswalk scheme support, like app://xxxxx/resource_path: all resource requests for local data in a packaged application will work with this protocol. This can be implemented in application_protocols.cc.
- The common protocol support, like http://, https://, ftp://. These protocols will be used by both hosted apps and packaged apps.
- The local file protocol support, like file://. The Crosswalk Android port needs this for CSP control.

--
Best Regards,
He, Xinchao

_______________________________________________
Crosswalk-dev mailing list
[email protected]
https://lists.crosswalk-project.org/mailman/listinfo/crosswalk-dev
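To make the two steps of the plan concrete (read the policy out of manifest.json, then enforce it on resource loads, including the app: scheme), here is an added illustration in Python; it is not Crosswalk code, the "content_security_policy" manifest key name is an assumption borrowed from the Chrome-app manifest convention, and the policy string and URLs are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed manifest fragment. The "content_security_policy" key name is an
# assumption (Chrome-app manifest convention), not taken from Crosswalk.
MANIFEST_JSON = json.dumps({
    "name": "csp-demo",
    "content_security_policy": (
        "default-src 'self'; "
        "script-src 'self' https://cdn.example.com; "
        "img-src 'self' app: data:"
    ),
})

def parse_csp(policy):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]   # first occurrence wins
    return directives

def csp_header_from_manifest(manifest_json):
    """Return the (name, value) header pair the runtime would attach to responses."""
    policy = json.loads(manifest_json).get("content_security_policy", "")
    return ("Content-Security-Policy", " ".join(policy.split()))

def source_allowed(directives, directive, document_url, resource_url):
    """Decide whether resource_url may load under directive, falling back to default-src."""
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True                       # no governing directive: not restricted
    doc, res = urlsplit(document_url), urlsplit(resource_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (res.scheme, res.netloc) == (doc.scheme, doc.netloc):
                return True
        elif src.endswith(":"):           # scheme-source such as app: or data:
            if res.scheme == src[:-1]:
                return True
        else:                             # host-source, optionally with a scheme
            host = urlsplit(src if "://" in src else "//" + src)
            if res.netloc == host.netloc and res.scheme == (host.scheme or res.scheme):
                return True
    return False
```

Wildcard hosts, nonces and hashes are left out to keep the matching logic readable; the fallback from a missing directive to default-src is the part that most often surprises application authors.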
