On the subject of no inline scripts or eval, this is used in the new v2 Chrome Apps too. It eliminates a wide spectrum of security risks at a stroke, though it does require changing some of the older web dev practices (onclick="whatever", primarily). If you're already attaching handlers using jQuery, or using something like AngularJS, this is no change.
Only loading scripts from inside the app package, I'm not sure. It eliminates the possibility of using a CDN, but the caching benefits of that are inferior to shipping the files in the bundle.

Braden

On Wed, Mar 20, 2013 at 6:46 AM, Brian LeRoux <[email protected]> wrote:
> Ok, picking this up again. At the working group, Fil, it would be good
> to give our feedback on the manifest as it relates to the Cordova
> reality.
>
> I really dislike:
>
> - scripts can only be loaded from inside the app package
> - no inline scripts, no eval
>
> I really like the idea of killing the whitelist feature.
>
>
> On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <[email protected]> wrote:
> > Thanks for the highlights, Fil. Makes for easier reading!
> >
> >
> > On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <[email protected]> wrote:
> >
> >> Highlights w.r.t. Cordova:
> >>
> >> 1. Application manifest JSON (yay!) [1]
> >>
> >> 2. There is an Application interface now in charge of handling:
> >> - pause/resume/launch/terminate events
> >> - readonly parameters such as install time, origin, parameters, update
> >> state (downloading, installing), package size
> >> - methods such as exit, hide, uninstall, update (interesting!)
> >> - related to update, the spec calls for the update firing
> >> asynchronously, reporting back progress events to the app. metaaaa
> >>
> >> 3. App Management interface, which is deemed a "privileged" API, to get
> >> events about the (un)installation of other applications.
> >>
> >> Interesting "security" conclusions [2]:
> >>
> >> - scripts can only be loaded from inside the app package
> >> - no inline scripts, no eval
> >> - "Media (audio and video) can still be loaded from anywhere;" => this
> >> should inform our media APIs once we get to the audit and finally
> >> determine that the whitelist has no effect on media. This already applies
> >> to images on the web.
> >> - "Network connections can still be opened anywhere using data-centric
> >> APIs like XMLHttpRequest or WebSocket." => implication here is that the
> >> whitelist is, really, useless (which has been my opinion always :D )
> >>
> >> Related, I will be attending the SysApps Face to Face in Madrid [3] next
> >> month. If anyone from the Cordova community has specific issues that they
> >> would like to see addressed, let me know!
> >>
> >> [1] http://runtime.sysapps.org/#application-manifest
> >> [2] http://runtime.sysapps.org/#csp-policy
> >> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
> >>
> >> On 3/18/13 9:03 AM, "Giorgio Natili" <[email protected]> wrote:
> >>
> >> > It should be followed (I have had a quick look), but it depends on what
> >> > it means from a development point of view.
> >> > I mean that there is already a roadmap and that this draft should impact
> >> > it a lot, so it is up to the contributors to try to explain to us how
> >> > much effort is required.
> >> >
> >> > Giorgio
> >> >
> >> > On 3/18/13 8:02 AM, "Brian LeRoux" <[email protected]> wrote:
> >> >
> >> >> Have a look: http://runtime.sysapps.org/
> >> >>
> >> >> What do we think?
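As an added example (not code from this thread or from the SysApps draft), here is a small CSP directive parser that reports whether a policy permits the four things Fil's highlights list: scripts from outside the package, inline scripts, eval, and media or network connections to any origin. The policy strings below are constructed to illustrate those rules and the CSP fallback from a missing fetch directive to default-src; the draft's actual policy text is not quoted here.

```javascript
// Constructed policy matching the four quoted conclusions: scripts only from
// the package ('self'), no inline/eval, media and connections from anywhere.
const APP_POLICY = "default-src 'self'; media-src *; connect-src *";

// Constructed contrasting policy of the kind the draft rules out: inline
// handlers, eval, and scripts from a CDN (placeholder host).
const LOOSE_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com";

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective source list for a fetch directive: CSP falls back to default-src
// when the specific directive is absent.
function effectiveSources(directives, name) {
  return directives[name] || directives["default-src"] || [];
}

// Any source that is not a quoted keyword ('self', 'none', 'unsafe-*',
// nonces, hashes) is a host, scheme or '*' source, i.e. outside the package.
function allowsExternal(sources) {
  return sources.some((s) => !s.startsWith("'"));
}

// Summarise what a policy lets script-src, media-src and connect-src do.
function summarise(policy) {
  const d = parseCsp(policy);
  const scripts = effectiveSources(d, "script-src");
  return {
    inlineScripts: scripts.includes("'unsafe-inline'"),
    eval: scripts.includes("'unsafe-eval'"),
    externalScripts: allowsExternal(scripts),
    externalMedia: allowsExternal(effectiveSources(d, "media-src")),
    externalConnections: allowsExternal(effectiveSources(d, "connect-src")),
  };
}

console.log("app policy:", summarise(APP_POLICY));
console.log("loose policy:", summarise(LOOSE_POLICY));
```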
