dpogue commented on code in PR #102:
URL:
https://github.com/apache/cordova-app-hello-world/pull/102#discussion_r3249968925
##########
template_src/www/index.html:
##########
@@ -19,31 +19,61 @@
-->
<html>
<head>
+ <!-- Use UTF-8 so text and symbols render consistently across devices.
-->
<meta charset="utf-8">
<!--
- Customize this policy to fit your own app's needs. For more guidance,
please refer to the docs:
- https://cordova.apache.org/docs/en/latest/
- Some notes:
- * https://ssl.gstatic.com is required only on Android and is
needed for TalkBack to function properly
- * Disables use of inline scripts in order to mitigate risk of XSS
vulnerabilities. To change this:
- * Enable inline JS: add 'unsafe-inline' to default-src
+ Content Security Policy (CSP) is an added layer of security that
helps to detect
+ and mitigate certain types of attacks, including Cross Site
Scripting (XSS) and
+ data injection attacks. Customize this policy to fit your own
app's needs.
+ For more guidance, please refer to the docs:
+
https://cordova.apache.org/docs/en/latest/guide/appdev/allowlist/index.html#content-security-policy-csp
+ Some notes:
+ * https://ssl.gstatic.com is required only on Android and is
needed for TalkBack to function properly
+ * Inline scripts are disabled by default, which means <script>
tags and HTML event attributes
+ like onclick="" will not work, to mitigate risk of XSS
vulnerabilities.
+ To change this add 'unsafe-inline' to default-src.
+ -->
+ <meta http-equiv="Content-Security-Policy" content="
+ default-src 'self' data: https://ssl.gstatic.com 'unsafe-eval';
+ style-src 'self' 'unsafe-inline';
+ media-src *;
+ img-src 'self' data: content:;
+ ">
+ <!--
+ Turn off phone number detection to prevent automatic conversion of
phone numbers
+ into tappable links.
-->
- <meta http-equiv="Content-Security-Policy" content="default-src 'self'
data: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline';
media-src *; img-src 'self' data: content:;">
<meta name="format-detection" content="telephone=no">
- <meta name="msapplication-tap-highlight" content="no">
- <meta name="viewport" content="initial-scale=1, width=device-width,
viewport-fit=cover">
+ <!--
+ Configure the app viewport for a native-app feel:
+ - width=device-width: match the layout viewport to the device width
+ - initial/minimum/maximum-scale=1: keep the page at 1x scale
+ - user-scalable=no: disable pinch zoom
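Review bot: the expanded CSP comment ("Some notes") says inline scripts are disabled to mitigate XSS, yet the policy it documents still carries 'unsafe-eval' in default-src with no explanation; either add a note stating what in the template needs eval()/Function(), or drop the keyword, since allowing eval leaves a second execution path open to any injected string and undercuts the stated XSS mitigation. The same block tells readers to re-enable inline scripts by adding 'unsafe-inline' to default-src; suggest pointing them at a dedicated script-src directive instead, because widening default-src also loosens connect-src, font-src and every other fetch directive that falls back to it. Minor: "will not work, to mitigate risk of XSS vulnerabilities" reads as though the breakage is the mitigation; consider "are blocked to mitigate the risk of XSS, so <script> tags and onclick="" attributes will not work". On the viewport comment at the end of the hunk, documenting `maximum-scale=1` and `user-scalable=no` as a "native-app feel" presents a known accessibility problem (users who need zoom cannot get it) as a recommended default, and iOS Safari ignores both attributes anyway, so the comment describes behaviour the template cannot rely on.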
Review Comment:
Setting `maximum-scale` and `user-scalable` is considered bad practice for
accessibility reasons, and is ignored on iOS completely. We should avoid
baking bad practices into our standard template.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]