+1 CSP wins, otherwise we give false sense of security if not done consistently
On Mon, Jul 20, 2015 at 9:32 PM Ian Clelland <[email protected]> wrote: > +1 to CSP as the "right way to do it". > > This all sounds very similar to what we ended up doing with the Android > whitelist plugins: Default is (ugh) *, and the strong recommendation is to > use CSP to actually filter requests from the WebView. > > On Mon, Jul 20, 2015 at 7:24 PM, Shazron <[email protected]> wrote: > > > Ah I forgot about the legacy whitelist plugin -- we can't remove the > > whitelist totally then, but as you said "default > > the new whitelist plugin to a 'wildcard' network request list until the > > user adds any entries". > > > > That will preserve backwards compat. > > > > On Mon, Jul 20, 2015 at 4:18 PM, Treggiari, Leo <[email protected] > > > > wrote: > > > > > I assume this is for the new whitelist plugin as opposed to the legacy > > > whitelist plugin which will continue to use the current <access> tags. > > > > > > Another alternative, but not necessarily better, would be to default > > > the new whitelist plugin to a 'wildcard' network request list until the > > > user adds any entries. When they add an entry the default wildcard > > > entry is replaced. > > > > > > Leo > > > > > > -----Original Message----- > > > From: Shazron [mailto:[email protected]] > > > Sent: Monday, July 20, 2015 3:45 PM > > > To: [email protected] > > > Subject: Re: [iOS] proposed major whitelist change > > > > > > 1. "If a user is using CSP can we tell them to specify a single '*' > entry > > > for the network request whitelist (a.k.a. <access> tags)?" > > > We could. But comes back to my point, why recommend *two* ways, it's > just > > > confusing -- especially if we recommend CSP and require an <access> > > > wildcard. What I'm proposing is a permanent, unchangeable access > wildcard > > > effectively. > > > > > > 2. "If they are not using CSP, in spite of our recommendation, do the > > > <access> tags provide an alternative, though inferior solution?" > > > Yes, <access> is definitely inferior. > > > > > > > > > On Mon, Jul 20, 2015 at 3:36 PM, Treggiari, Leo < > [email protected] > > > > > > wrote: > > > > > > > I'm not certain that this makes sense, but anyway... > > > > > > > > If a user is using CSP can we tell them to specify a single '*' entry > > for > > > > the network request whitelist (a.k.a. <access> tags)? > > > > If they are not using CSP, in spite of our recommendation, do the > > > > <access> tags provide an alternative, though inferior solution? > > > > > > > > And, is this different for the Android platform which already > supports > > > the > > > > new whitelist plugin? > > > > > > > > Thanks, > > > > Leo > > > > > > > > -----Original Message----- > > > > From: Shazron [mailto:[email protected]] > > > > Sent: Monday, July 20, 2015 3:24 PM > > > > To: [email protected] > > > > Subject: [iOS] proposed major whitelist change > > > > > > > > https://github.com/apache/cordova-plugin-whitelist > > > > > > > > Previously, the initial implementation for the plugin for iOS didn't > > > > support the <access> tag, but that proved problematic since not > > > supporting > > > > it meant all *native* code network connections were effectively > > > > blacklisted. > > > > > > > > I added the support back in, but this will end up confusing the user > > even > > > > more. Right now we are recommending that the user support CSP, but > that > > > > only works in the context of the WebView (whether UIWebView or > > > WKWebView) - > > > > ie xhr, images, etc. > > > > > > > > If the user specified a CSP src for access to a domain in their > .html, > > > but > > > > did not specify an <access> tag for that domain, the connection will > > fail > > > > (since the native code whitelist filters all network connections). So > > > this > > > > in effect doubles the number of declarations needed -- a CSP policy > > needs > > > > to have its mirror in the <access> tag. You can see where this can > get > > > > confusing. > > > > > > > > We could have a dynamic CSP parser in native code to dynamically > > > "generate" > > > > access tags but that will add on more complexity (but this would be > > best > > > > workaround). > > > > > > > > I propose that we get rid of the native code whitelist (effectively > > > > allowing all connections) and rely on CSP only. I'm not sure that > > > having a > > > > native code whitelist can really be truly secure, with the dynamic > > nature > > > > of Objective-C this is just a façade anyway. > > > > > > > > In any case, native code whitelisting will only work on UIWebView, > > there > > > is > > > > no way our current whitelisting system will work on WKWebView at all > -- > > > > more fodder for us to abandon our whitelisting system. > > > > > > > > The whitelisting should really be handled lower level by the system, > > and > > > > indeed this is coming in iOS 9 with Application Transport Security > > (ATS): > > > > > > > > > > > > > > https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html#//apple_ref/doc/uid/TP40016240 > > > > > > > > The ATS whitelisting is through new tags in Info.plist, and we will > > have > > > to > > > > map our existing whitelist tags to ATS when the time comes. > > > > > > > > > >
