Ah, thanks for clarifying.

On 3/20/13 2:17 PM, "Andrew Lunny" <[email protected]> wrote:

> On 20 March 2013 13:54, Filip Maj <[email protected]> wrote:
>
>> Actually, dude talks about CSP 1.1 supporting whitelisting of inline
>> scripts?
>
> The relevant bit in the CSP spec is:
> http://www.w3.org/TR/CSP/#script-src
>
> tldr: servers can send CSPs (policies) that do allow inline scripts, but
> the policy specified by sysapps[1] does not.
>
> [1] default-src *; script-src 'self'; object-src 'none'; style-src 'self'
>
>> On 3/20/13 8:39 AM, "Andrew Grieve" <[email protected]> wrote:
>>
>>> This recent security talk talks about why inline scripts are on the way
>>> out: https://www.youtube.com/watch?feature=player_embedded&v=WljJ5guzcLs
>>>
>>> A good amount of the spec deals with application distribution, which is
>>> out of our hands when talking about App Stores.
>>>
>>> It uses a separate AppCache manifest to define what files are in the
>>> bundle. Does this not imply that the whitelist is still in effect via
>>> the Network: section of the AppCache manifest?
>>>
>>> On Wed, Mar 20, 2013 at 10:10 AM, Braden Shepherdson
>>> <[email protected]> wrote:
>>>
>>>> On the subject of no inline scripts or eval, this is used in the new
>>>> v2 Chrome Apps too. It eliminates a wide spectrum of security risks at
>>>> a stroke, though it does require changing some of the older web dev
>>>> practices (onclick="whatever", primarily). If you're already attaching
>>>> handlers using jQuery, or using something like AngularJS, this is no
>>>> change.
>>>>
>>>> Only loading scripts from inside the app package, I'm not sure. It
>>>> eliminates the possibility of using a CDN, but the caching benefits of
>>>> that are inferior to shipping the files in the bundle.
>>>>
>>>> Braden
>>>>
>>>> On Wed, Mar 20, 2013 at 6:46 AM, Brian LeRoux <[email protected]> wrote:
>>>>
>>>>> Ok, picking this up again. At the working group Fil it would be good
>>>>> to give our feedback on the manifest as it has related to the Cordova
>>>>> reality.
>>>>>
>>>>> I really dislike:
>>>>>
>>>>> - scripts can only be loaded from inside the app package
>>>>> - no inline scripts, no eval
>>>>>
>>>>> I really like the idea of killing the whitelist feature..
>>>>>
>>>>> On Tue, Mar 19, 2013 at 7:06 AM, Michal Mocny <[email protected]> wrote:
>>>>>
>>>>>> Thanks for the highlights Fil. Makes for easier reading!
>>>>>>
>>>>>> On Mon, Mar 18, 2013 at 5:21 PM, Filip Maj <[email protected]> wrote:
>>>>>>
>>>>>>> Highlights w.r.t. Cordova:
>>>>>>>
>>>>>>> 1. Application manifest JSON (yay!) [1]
>>>>>>>
>>>>>>> 2. There is an Application interface now in charge of handling:
>>>>>>> - pause/resume/launch/terminate events
>>>>>>> - readonly parameters such as install time, origin, parameters,
>>>>>>> update state (downloading, installing), package size
>>>>>>> - methods such as exit, hide, uninstall, update (interesting!)
>>>>>>> - related to update, the spec calls for the update firing
>>>>>>> asynchronously, reporting back progress events to the app. metaaaa
>>>>>>>
>>>>>>> 3. App Management interface, which is deemed as a "privileged" API,
>>>>>>> to get events about the (un)installation of other applications.
>>>>>>>
>>>>>>> Interesting "security" conclusions [2]:
>>>>>>>
>>>>>>> - scripts can only be loaded from inside the app package
>>>>>>> - no inline scripts, no eval
>>>>>>> - "Media (audio and video) can still be loaded from anywhere;" =>
>>>>>>> this should inform our media APIs once we get to the audit and
>>>>>>> finally determine that the whitelist has no effect on media. This
>>>>>>> already applies to images on the web.
>>>>>>> - "Network connections can still be opened anywhere using
>>>>>>> data-centric APIs like XMLHttpRequest or WebSocket." => implication
>>>>>>> here is that the whitelist is, really, useless (which has been my
>>>>>>> opinion always :D)
>>>>>>>
>>>>>>> Related, I will be attending the SysApps Face to Face in Madrid [3]
>>>>>>> next month. If anyone from the Cordova community has specific issues
>>>>>>> that they would like to see addressed, let me know!
>>>>>>>
>>>>>>> [1] http://runtime.sysapps.org/#application-manifest
>>>>>>> [2] http://runtime.sysapps.org/#csp-policy
>>>>>>> [3] http://www.w3.org/wiki/System_Applications:_1st_F2F_Meeting_Agenda
>>>>>>>
>>>>>>> On 3/18/13 9:03 AM, "Giorgio Natili" <[email protected]> wrote:
>>>>>>>
>>>>>>>> It should be followed (I have had a quick look), but it depends on
>>>>>>>> what it means from a development point of view.
>>>>>>>> I mean that there is already a roadmap and that this draft should
>>>>>>>> impact a lot, so it is up to the contributors to try to explain to
>>>>>>>> us how much effort is required.
>>>>>>>>
>>>>>>>> Giorgio
>>>>>>>>
>>>>>>>> On 3/18/13 8:02 AM, "Brian LeRoux" <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Have a look: http://runtime.sysapps.org/
>>>>>>>>>
>>>>>>>>> What do we think?
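The sysapps CSP policy quoted in Andrew Lunny's reply, evaluated as an added example (this is not code from the thread, from Cordova or from the sysapps spec): a minimal CSP 1.0 evaluator that shows why scripts are confined to the app package and inline script/eval are blocked, while XMLHttpRequest/WebSocket and media fall back to `default-src *`. The app origin and remote hosts are constructed, and host matching is simplified to `*`, `'self'` and exact origins.

```javascript
// Added example, not from the thread or the sysapps spec: a minimal CSP 1.0
// evaluator run against the sysapps policy quoted in the thread. Host matching
// is simplified to '*', 'self' and exact origins; all origins are constructed.
const SYSAPPS_POLICY =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";

// Parse "name src src; name src" into a Map; the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fetch directives fall back to default-src; neither present means unrestricted.
function effectiveSources(directives, directive) {
  return directives.get(directive) || directives.get('default-src') || ['*'];
}

// Can a resource at `url` be fetched under `directive`? `appOrigin` is 'self'.
function allowsSource(directives, directive, url, appOrigin) {
  const sources = effectiveSources(directives, directive);
  if (sources.includes("'none'")) return false;
  const origin = new URL(url).origin;
  return sources.some(src =>
    src === '*' || (src === "'self'" && origin === appOrigin) || src === origin);
}

// Inline code and eval need 'unsafe-inline' / 'unsafe-eval' explicitly; '*' never
// grants them, so "default-src *" alone still blocks onclick="..." and eval().
function allowsKeyword(directives, directive, keyword) {
  return effectiveSources(directives, directive).includes(keyword);
}
// The loads the thread argues about, evaluated against one policy.
function evaluate(policy, appOrigin) {
  const d = parsePolicy(policy);
  return {
    packageScript: allowsSource(d, 'script-src', appOrigin + '/js/app.js', appOrigin),
    cdnScript: allowsSource(d, 'script-src', 'https://cdn.example/lib.js', appOrigin),
    inlineScript: allowsKeyword(d, 'script-src', "'unsafe-inline'"),
    evalCode: allowsKeyword(d, 'script-src', "'unsafe-eval'"),
    socketAnywhere: allowsSource(d, 'connect-src', 'wss://rt.example/ws', appOrigin),
    mediaAnywhere: allowsSource(d, 'media-src', 'https://cdn.example/a.mp4', appOrigin),
    plugin: allowsSource(d, 'object-src', appOrigin + '/plugin.swf', appOrigin),
  };
}
```

Running `evaluate(SYSAPPS_POLICY, 'https://app.example')` reproduces the thread's conclusions: only package scripts load, inline and eval are off, and connections and media are unrestricted because those directives inherit `default-src *`.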
