GitToTheHub commented on code in PR #102:
URL: https://github.com/apache/cordova-app-hello-world/pull/102#discussion_r3252795037
##########
template_src/www/index.html:
##########
@@ -19,31 +19,61 @@
-->
<html>
<head>
+ <!-- Use UTF-8 so text and symbols render consistently across devices.
-->
<meta charset="utf-8">
<!--
- Customize this policy to fit your own app's needs. For more guidance,
please refer to the docs:
- https://cordova.apache.org/docs/en/latest/
- Some notes:
- * https://ssl.gstatic.com is required only on Android and is
needed for TalkBack to function properly
- * Disables use of inline scripts in order to mitigate risk of XSS
vulnerabilities. To change this:
- * Enable inline JS: add 'unsafe-inline' to default-src
+ Content Security Policy (CSP) is an added layer of security that
helps to detect
+ and mitigate certain types of attacks, including Cross Site
Scripting (XSS) and
+ data injection attacks. Customize this policy to fit your own
app's needs.
+ For more guidance, please refer to the docs:
+
https://cordova.apache.org/docs/en/latest/guide/appdev/allowlist/index.html#content-security-policy-csp
+ Some notes:
+ * https://ssl.gstatic.com is required only on Android and is
needed for TalkBack to function properly
+ * Inline scripts are disabled by default, which means <script>
tags and HTML event attributes
+ like onclick="" will not work, to mitigate risk of XSS
vulnerabilities.
+ To change this add 'unsafe-inline' to default-src.
+ -->
+ <meta http-equiv="Content-Security-Policy" content="
+ default-src 'self' data: https://ssl.gstatic.com 'unsafe-eval';
+ style-src 'self' 'unsafe-inline';
+ media-src *;
+ img-src 'self' data: content:;
+ ">
+ <!--
+ Turn off phone number detection to prevent automatic conversion of
phone numbers
+ into tappable links.
-->
- <meta http-equiv="Content-Security-Policy" content="default-src 'self'
data: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline';
media-src *; img-src 'self' data: content:;">
<meta name="format-detection" content="telephone=no">
- <meta name="msapplication-tap-highlight" content="no">
- <meta name="viewport" content="initial-scale=1, width=device-width,
viewport-fit=cover">
+ <!--
+ Configure the app viewport for a native-app feel:
+ - width=device-width: match the layout viewport to the device width
+ - initial/minimum/maximum-scale=1: keep the page at 1x scale
+ - user-scalable=no: disable pinch zoom
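Review bot: the new CSP comment block documents `'unsafe-inline'` but says nothing about the `'unsafe-eval'` token that the policy keeps in `default-src` (`default-src 'self' data: https://ssl.gstatic.com 'unsafe-eval';`); because that token permits `eval()` and `new Function()` in scripts and so weakens the XSS mitigation the comment describes, add a sentence saying why the template needs it and that app authors should remove it when their code does not depend on eval. In the same block, the line `To change this add 'unsafe-inline' to default-src.` should state that doing so switches off the inline-script protection just described, so readers do not treat it as a harmless toggle.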
Review Comment:
It is true that we should avoid baking in bad practices. But it's not true that `maximum-scale` and `user-scalable` are ignored by iOS. When these directives are omitted, the user can zoom in by pinch-to-zoom like on a website. Also, the app gets zoomed in when tapping an input field, like this:
| Input tapped | Initial load |
| --- | --- |
| <img width="250" src="https://github.com/user-attachments/assets/0682fc79-df12-445b-9848-28f2e371f67d" /> | <img width="250" src="https://github.com/user-attachments/assets/957c3266-7eb9-4210-b8b0-79ed252f6562" /> |
I tested this on an iOS 26.5 simulator. It feels wrong that the app gets zoomed when an input field is tapped or that the user can zoom in by pinch-to-zoom.