Ok, picking this up again. At the working group, Fil, it would be good to give our feedback on the manifest as it relates to the Cordova reality.

I really dislike:
- scripts can only be loaded from inside the app package
- no inline scripts, no eval

I really like the idea of killing the whitelist feature.

On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <[email protected]> wrote:
> Thanks for the highlights Fil. Makes for easier reading!
>
> On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <[email protected]> wrote:
>
>> Highlights w.r.t. Cordova:
>>
>> 1. Application manifest JSON (yay!) [1]
>>
>> 2. There is an Application interface now in charge of handling:
>> - pause/resume/launch/terminate events
>> - readonly parameters such as install time, origin, parameters, update state (downloading, installing), package size
>> - methods such as exit, hide, uninstall, update (interesting!)
>> - related to update, the spec calls for the update firing asynchronously, reporting back progress events to the app. metaaaa
>>
>> 3. App Management interface, which is deemed a "privileged" API, to get events about the (un)installation of other applications.
>>
>> Interesting "security" conclusions [2]:
>>
>> - scripts can only be loaded from inside the app package
>> - no inline scripts, no eval
>> - "Media (audio and video) can still be loaded from anywhere;" => this should inform our media APIs once we get to the audit and finally determine that the whitelist has no effect on media. This already applies to images on the web.
>> - "Network connections can still be opened anywhere using data-centric APIs like XMLHttpRequest or WebSocket." => implication here is that the whitelist is, really, useless (which has been my opinion always :D )
>>
>> Related, I will be attending the SysApps Face to Face in Madrid [3] next month. If anyone from the Cordova community has specific issues that they would like to see addressed, let me know!
>>
>> [1] http://runtime.sysapps.org/#application-manifest
>> [2] http://runtime.sysapps.org/#csp-policy
>> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
>>
>> On 3/18/13 9:03 AM, "Giorgio Natili" <[email protected]> wrote:
>>
>>> It should be followed (I have had a quick look), but it depends what it means from a development point of view.
>>> I mean that there is already a roadmap and that this draft should impact it a lot, so it is up to the contributors to try to explain to us how much effort is required.
>>>
>>> Giorgio
>>>
>>> On 3/18/13 8:02 AM, "Brian LeRoux" <[email protected]> wrote:
>>>
>>>> Have a look: http://runtime.sysapps.org/
>>>>
>>>> What do we think?
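Added example, not from the thread and not from the SysApps spec: a small JavaScript evaluator for a Content-Security-Policy string, used to check mechanically what the policy the highlights describe actually blocks for a packaged app. The policy string `SYSAPPS_LIKE_POLICY`, the app origin `app://com.example.app` and the remote hosts are all constructed here to mirror the highlights (scripts only from the package, no inline, no eval, media and network connections from anywhere); they are placeholders, not values from the draft. The evaluator is general: it takes any policy string, so it can also be run against a stricter policy to see what restoring a whitelist-style `connect-src` would change.

```javascript
// Added example (not from the thread or the SysApps spec). Evaluates whether a
// load is permitted under a CSP string, so the policy described in the
// highlights can be queried directly. Everything below is constructed.
// Assumed policy shape matching the highlights:
//   script-src 'self'  -> scripts only from the app package; no inline, no eval
//   media-src *        -> audio/video may be loaded from anywhere
//   connect-src *      -> XMLHttpRequest / WebSocket may reach anywhere
const SYSAPPS_LIKE_POLICY =
  "default-src 'self'; script-src 'self'; media-src *; connect-src *";

// Parse "directive value value; directive value" into Map<directive, [values]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Effective source list for a fetch directive, falling back to default-src
// the way CSP does when the specific directive is absent.
function sourcesFor(directives, directive) {
  return directives.get(directive) || directives.get("default-src") || [];
}

const SCHEME_RE = /^[a-z][a-z0-9+.-]*:/;

// Match one source expression against a target origin string such as
// "https://cdn.example" or "app://com.example.app". Supports 'none', *,
// 'self', scheme-source ("https:"), host-source ("cdn.example",
// "https://cdn.example") and a leading host wildcard ("*.example").
function sourceMatches(expr, targetOrigin, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return targetOrigin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return targetOrigin.startsWith(expr + "//");
  const host = targetOrigin.replace(/^[a-z][a-z0-9+.-]*:\/\//, "");
  const exprHost = expr.replace(/^[a-z][a-z0-9+.-]*:\/\//, "");
  if (exprHost.startsWith("*.")) return host.endsWith(exprHost.slice(1));
  return host === exprHost;
}

// Decide whether a load is permitted. `kind` is "script", "media" or
// "connect"; `request` is { origin } for a URL load, { inline: true } for an
// inline script, or { eval: true } for eval / new Function.
function isAllowed(policy, selfOrigin, kind, request) {
  const sources = sourcesFor(parsePolicy(policy), kind + "-src");
  if (request.inline) return sources.includes("'unsafe-inline'");
  if (request.eval) return sources.includes("'unsafe-eval'");
  return sources.some((expr) => sourceMatches(expr, request.origin, selfOrigin));
}

// Summarise the thread's highlights for a sample app (constructed origins;
// "app://com.example.app" is a placeholder for the package origin).
function summarize(policy, selfOrigin = "app://com.example.app") {
  return {
    packagedScript: isAllowed(policy, selfOrigin, "script", { origin: selfOrigin }),
    remoteScript: isAllowed(policy, selfOrigin, "script", { origin: "https://cdn.example" }),
    inlineScript: isAllowed(policy, selfOrigin, "script", { inline: true }),
    evalScript: isAllowed(policy, selfOrigin, "script", { eval: true }),
    remoteMedia: isAllowed(policy, selfOrigin, "media", { origin: "https://media.example" }),
    remoteXhr: isAllowed(policy, selfOrigin, "connect", { origin: "https://api.example" }),
  };
}

console.log(summarize(SYSAPPS_LIKE_POLICY));
```

Running it prints the six booleans for the constructed policy: packaged scripts allowed, remote and inline scripts and eval refused, remote media and remote XHR allowed. Feeding a policy with `connect-src 'self' https://api.example` instead of `connect-src *` is the quickest way to see what a whitelist expressed as CSP would and would not restrict.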
