Thanks for your comments. For packaged applications, CSP policies should be set in manifest.json so that WRT can set them in the resource response header, and then CSP will take effect in Chromium/Blink.
Here's a simple document for implementing CSP support in the Crosswalk runtime model: https://docs.google.com/a/intel.com/document/d/1vrD249fxjU4JTEAQG9-dy6HS1CNfzOvdvQ1JxO3yreM/edit?usp=sharing

Kenneth Rohde Christiansen <[email protected]> writes:

> If I get it right CSP is set in the headers so we need to set it in
> the manifest files.
>
> I think this needs at least a simple document, or spec extension,
> explaining how this is supposed to work.
>
> Apart from that, I am fine with implementing this
>
> Kenneth
>
> On Fri, Dec 27, 2013 at 2:43 AM, Xinchao He <[email protected]> wrote:
>> Summary:
>> In order to mitigate a broad class of content injection vulnerabilities,
>> such as cross-site scripting (XSS), the Crosswalk runtime model needs to
>> implement the Content Security Policy (CSP). CSP is a declarative policy
>> that lets the authors (or server administrators) of a web application
>> inform the client about the sources from which the application expects to
>> load and execute. These fairly strict policies will make applications
>> more secure.
>>
>> Spec:
>> - https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
>> - https://docs.google.com/a/intel.com/document/d/1dhU1tMH10JDu2ADv1v5s7X65KW2Qf8iZDvoMPyP0aWQ/edit?pli=1#heading=h.ocjfwvbouo2t
>>
>> Affected component: xwalk/application
>>
>> Related feature in Jira: https://crosswalk-project.org/jira/browse/XWALK-630
>>
>> Target Release: Crosswalk-4
>>
>> Target Platform: Linux/Tizen
>>
>> Implementation details:
>>
>> I plan to enable CSP support in these two aspects:
>>
>> 1. Implement the CSP parsing for manifest.json.
>> 2. Add the CSP information in the resource request header.
>>    - Crosswalk scheme support, like app://xxxxx/resource_path: all
>>      resource requests for local data in a packaged application will work
>>      with this protocol. This can be implemented in application_protocols.cc.
>>    - Common protocol support, like http://, https://, ftp://. These
>>      protocols will be used by both hosted apps and packaged apps.
>>    - Local file protocol support, like file://. The Crosswalk Android
>>      port needs this for CSP control.
>> _______________________________________________
>> Crosswalk-dev mailing list
>> [email protected]
>> https://lists.crosswalk-project.org/mailman/listinfo/crosswalk-dev
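The flow the thread settles on (policy declared in manifest.json, the runtime copying it into a Content-Security-Policy response header on the resources it serves itself, Chromium/Blink enforcing it) as an added example. This is not code from the thread or from the Crosswalk project. It assumes a manifest key named `csp`, assumes the runtime serves `app://` and `file://` resources and therefore adds the header there while hosted-app `http(s)`/`ftp` responses keep whatever header the origin server sent, and uses a constructed sample manifest and a constructed weak policy. It also includes the check a packager would want before shipping: the policy parser flags the holes that defeat the XSS mitigation (no script restriction, `'unsafe-inline'`, or `*` in `script-src`).

```python
"""Added example, not code from the Crosswalk project or the thread.

Models the flow described above for a packaged app: the policy lives in
manifest.json, the runtime copies it into a Content-Security-Policy response
header on the resources it serves itself, and the embedded Chromium/Blink
engine then enforces it.

Assumptions (not stated in the thread): the manifest key is "csp"; the runtime
serves app:// and file:// resources and so adds the header there, while
hosted-app http(s)/ftp responses keep whatever header the origin server sent.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import urlsplit

CSP_HEADER = "Content-Security-Policy"
MANIFEST_CSP_KEY = "csp"                 # assumption, see module docstring
RUNTIME_SCHEMES = {"app", "file"}        # assumption, see module docstring

# Constructed sample manifest for the demo; "csp" is the assumed key.
SAMPLE_MANIFEST = json.dumps({
    "name": "csp-demo",
    "csp": "default-src 'self'; script-src 'self'; object-src 'none'",
})

# Constructed policy that a packager might write but should not ship.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source-expression, ...]}.

    Directives are ';'-separated and whitespace-tokenized; names are
    case-insensitive. A repeated directive is ignored (the first one wins),
    which is how CSP tells user agents to treat duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def check_policy(directives: Dict[str, List[str]]) -> List[str]:
    """Return the problems a packager should fix before shipping the app.

    These are the holes that defeat the XSS mitigation the thread is after:
    no script restriction at all, inline script allowed, or any host allowed.
    """
    problems = []
    if "script-src" not in directives and "default-src" not in directives:
        problems.append("neither default-src nor script-src: any script may run")
    script_srcs = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_srcs:
        problems.append("script-src allows 'unsafe-inline': injected inline script runs")
    if "*" in script_srcs:
        problems.append("script-src allows *: script may load from any host")
    return problems


def csp_from_manifest(manifest_json: str) -> Optional[str]:
    """Extract and whitespace-normalize the policy string, or None if absent."""
    policy = json.loads(manifest_json).get(MANIFEST_CSP_KEY)
    if not isinstance(policy, str) or not policy.strip():
        return None
    return " ".join(policy.split())


def response_headers(url: str, manifest_json: str,
                     server_headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Headers the runtime sends for `url`: the manifest policy is attached
    only to resources the runtime serves itself (assumed app:// and file://)."""
    headers = dict(server_headers or {})
    policy = csp_from_manifest(manifest_json)
    if policy is not None and urlsplit(url).scheme.lower() in RUNTIME_SCHEMES:
        headers[CSP_HEADER] = policy
    return headers


if __name__ == "__main__":
    print(response_headers("app://csp-demo/index.html", SAMPLE_MANIFEST))
    print(response_headers("https://example.com/lib.js", SAMPLE_MANIFEST))
    for problem in check_policy(parse_csp(WEAK_POLICY)):
        print("weak policy:", problem)
```

The point of keeping `parse_csp` and `check_policy` separate from `response_headers` is that the runtime only needs to forward the string, while the manifest packaging step is the place to reject a policy that would not actually stop injected script; the same parser serves both.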
