RE: [Discuss] 3.6.0 Release

Tue, 12 Aug 2014 08:49:18 -0700 

Had a quick question on the whitelists. I remember that there was talk of using 
CSP to fix this issue. A CSP file may not be backward compatible, but could 
potentially just give us one list instead of 2 whitelists. The CSP file may be 
like the following

Content-Security-Policy: 
        script-src 'self', foo.com, bar.com 
        img-src cdn.com 
        intent-src mail, sms

Note the new intent-src directive, that is basically used to launch external 
programs. Do you think this could be something we can look at, for 4.0 ? I am 
not sure if our whitelist xml file maps to a W3C spec, but CSP seems more like 
a standard. This is breaking, and 4.0 may be the right time to do it ? 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ian 
Clelland
Sent: Tuesday, August 12, 2014 8:30 AM
To: [email protected]
Subject: Re: [Discuss] 3.6.0 Release

I've created CB-7291 for the whitelist issue, and I've ported the code from 
June to the new-style configuration architecture and committed it to a named 
CB-7291 branch on cordova-android.

If anyone has any thoughts/opinions on the syntax or the proposal itself, or on 
what the defaults should be for new and upgrading applications, please chime in 
on the issue.



On Mon, Aug 11, 2014 at 11:26 AM, Parashuram Narasimhan (MS OPEN TECH) < 
[email protected]> wrote:

> I think we should also finalize on the platform switches so that we 
> all agree on a pattern (even if it is different across platforms). 
> This way, we can release 3.6.0 with a set of switches, and ensure that 
> it is backward compatible.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of 
> Ian Clelland
> Sent: Monday, August 11, 2014 8:00 AM
> To: [email protected]
> Subject: Re: [Discuss] 3.6.0 Release
>
> I'll see about committing that today; I've had to reorganize it quite 
> a bit after the Big Config Refactor.
>
> Joe, I'm pretty certain that your code is still in master, but 
> definitely add those tests to make sure, and to make sure we don't regress.
>
> Ian
>
>
> On Mon, Aug 11, 2014 at 10:52 AM, Marcel Kinard <[email protected]>
> wrote:
>
> > I agree with Joe.
> >
> > On Aug 11, 2014, at 10:02 AM, Joe Bowser <[email protected]> wrote:
> >
> > > Let's not release until the new whitelist is figured out.  That 
> > > feature
> > is
> > > too important.
> >
>

Reply via email to