[GitHub] cordova-docs pull request #732: CB-13284: Slackin.js on docs fails to load d...
GitHub user devgeeks opened a pull request: https://github.com/apache/cordova-docs/pull/732

CB-13284: Slackin.js on docs fails to load due to insecure response

### Platforms affected

Docs

### What does this PR do?

Changed location of slackin.js to https://slack-cordova-io.herokuapp.com to match the TLS certificate

### What testing has been done on this change?

Manual testing

### Checklist

- [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html) in the JIRA database
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB- is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/devgeeks/cordova-docs CB-13284

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-docs/pull/732.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #732

commit 4ca39eb1cbe3ec0926f522d59c9f256eb7f00947
Author: tommy-carlos williams <to...@devgeeks.org>
Date:   2017-09-17T23:31:39Z

    [CB-13284] Slack js on cordova-docs fails to load due to insecure response

    Changed location of slackin.js to https://slack-cordova-io.herokuapp.com to match the TLS certificate

---
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org
[GitHub] cordova-docs pull request #731: [CB-13283] Fetching of download counts fails...
GitHub user devgeeks opened a pull request: https://github.com/apache/cordova-docs/pull/731

[CB-13283] Fetching of download counts fails on plugins.cordova.io

### Platforms affected

Docs

### What does this PR do?

Just before fetching the download counts from npmjs, this filters plugins based on name, removing scoped packages. This allows the bulk search to go ahead for the remaining packages.

### What testing has been done on this change?

Manual testing

### Checklist

- [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html) in the JIRA database
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB- is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/devgeeks/cordova-docs CB-13283

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-docs/pull/731.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #731

commit a544802addf70b07c7c38dd4e1078ae149370f3f
Author: tommy-carlos williams <to...@devgeeks.org>
Date:   2017-09-15T01:22:08Z

    [CB-13283] Fetching of download counts fails on plugins.cordova.io

    Filtered plugins based on name, removing scoped packages. This allows the bulk search to go ahead for the remaining packages.
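The PR above separates scoped npm packages from the rest before the bulk download-count lookup. The following is an added example of how that split can be planned up front; it is not the cordova-docs code from the PR. It assumes npm's documented point download-count endpoint (`https://api.npmjs.org/downloads/point/<period>/<package>`), its documented bulk limit of 128 comma-separated packages per request, and the documented rule that scoped packages (`@scope/name`) are not accepted in bulk lists. The plugin names are constructed sample data, and the function only builds the request plan; it does not perform any network call.

```javascript
// Added example (not code from the cordova-docs PR): planning npm download-count
// requests for a plugin list. npm's point download-count endpoint
// (https://api.npmjs.org/downloads/point/<period>/<package>) accepts a
// comma-separated bulk list of unscoped packages, at most 128 per request, and does
// not accept scoped packages (@scope/name) in a bulk list, so those are queried one
// at a time. Network calls are left to the caller; this only builds the request plan.

const BULK_LIMIT = 128;
const API_BASE = 'https://api.npmjs.org/downloads/point';

// Conservative shape check for an npm package name: optional @scope/ prefix,
// lowercase URL-safe characters, no leading '.' or '_', at most 214 characters.
// Names that fail this check are never interpolated into a URL.
const NAME_RE = /^(@[a-z0-9~-][a-z0-9._~-]*\/)?[a-z0-9~-][a-z0-9._~-]*$/;

function isValidPackageName(name) {
  return typeof name === 'string' && name.length <= 214 && NAME_RE.test(name);
}

function isScoped(name) {
  return name.startsWith('@');
}

// Returns { requests, invalid }: requests is the ordered list of URLs to fetch
// (bulk requests first, then one request per scoped package); invalid lists the
// names that were rejected by the shape check.
function planDownloadCountRequests(names, period = 'last-month') {
  const invalid = [];
  const scoped = [];
  const unscoped = [];

  for (const name of names) {
    if (!isValidPackageName(name)) {
      invalid.push(name);
    } else if (isScoped(name)) {
      scoped.push(name);
    } else {
      unscoped.push(name);
    }
  }

  const requests = [];
  // Unscoped packages: chunked into bulk requests of at most BULK_LIMIT names.
  for (let i = 0; i < unscoped.length; i += BULK_LIMIT) {
    const chunk = unscoped.slice(i, i + BULK_LIMIT);
    requests.push({ bulk: true, packages: chunk, url: `${API_BASE}/${period}/${chunk.join(',')}` });
  }
  // Scoped packages: one request each, since they are excluded from bulk lists.
  for (const name of scoped) {
    requests.push({ bulk: false, packages: [name], url: `${API_BASE}/${period}/${name}` });
  }
  return { requests, invalid };
}

// Constructed sample input: 130 unscoped plugin names (forces a second bulk
// chunk), one scoped package, and two names that should be rejected.
const SAMPLE_PLUGINS = [
  ...Array.from({ length: 130 }, (_, i) => `cordova-plugin-sample-${i}`),
  '@example-scope/cordova-plugin-sample',
  'Bad Name',
  '.hidden-plugin',
];

if (typeof require !== 'undefined' && require.main === module) {
  const plan = planDownloadCountRequests(SAMPLE_PLUGINS);
  console.log(`${plan.requests.length} requests, ${plan.invalid.length} rejected names`);
  for (const r of plan.requests) {
    console.log(r.bulk ? `bulk(${r.packages.length})` : 'single', r.url);
  }
}
```

Rejecting malformed names before building URLs matters as much as the scoped/unscoped split: a plugin list is external input, and a name containing path or query characters would otherwise change the request that gets sent.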
[GitHub] cordova-docs pull request #728: CB-13025 Remove use of React in plugins.cord...
GitHub user devgeeks opened a pull request: https://github.com/apache/cordova-docs/pull/728

CB-13025 Remove use of React in plugins.cordova.io

### Platforms affected

Docs

### What does this PR do?

Switches https://plugins.cordova.io from React to Preact to comply with Apache Legal.

- uses `preact-compat` for API compatibility (tried to make the smallest changes possible)
- uses `babel` via `babelify` instead of the deprecated `reactify` to transform the JSX
- no longer re-renders the entire app when filtering by platforms or sorting has changed

### What testing has been done on this change?

### Checklist

- [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html) in the JIRA database
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB- is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/devgeeks/cordova-docs CB-13025

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-docs/pull/728.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #728

commit adf96528f7f4b57ecae40b98d61c14aeff93d0b8
Author: tommy-carlos williams <to...@devgeeks.org>
Date:   2017-09-12T23:47:41Z

    CB-13025 Remove use of React in plugins.cordova.io

    Switched to Preact

    - uses `preact-compat` for API compatibility (tried to make the smallest changes possible)
    - uses `babel` via `babelify` instead of the deprecated `reactify` to transform the JSX
    - no longer re-renders the entire app when filtering by platforms or sorting has changed
[GitHub] cordova-docs pull request #703: CB-12770: revise security documentation
Github user devgeeks commented on a diff in the pull request: https://github.com/apache/cordova-docs/pull/703#discussion_r117873777 --- Diff: www/docs/en/dev/guide/appdev/security/index.md --- 
@@ -27,69 +27,155 @@ description: Information and tips for building a secure application. The following guide includes some security best practices that you should consider when developing a Cordova application. Please be aware that security is a very complicated topic and therefore this guide is not exhaustive. If you believe you can contribute to this guide, please feel free to file an issue in Cordova's bug tracker under ["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407). This guide is designed to be applicable to general Cordova development (all platforms) but special platform-specific considerations will be noted. ## This guide discusses the following topics: + +* General Tips +* Plugins and Security +* Content Security Policy * Whitelist -* Iframes and the Callback Id Mechanism * Certificate Pinning * Self-signed Certificates +* Wrapping external sites and hot code push * Encrypted storage -* General Tips * Recommended Articles and Other Resources +## General Tips + +### Use InAppBrowser for outside links + +Use the InAppBrowser when opening links to any outside website. This is much safer than whitelisting a domain name and including the content directly in your application because the InAppBrowser will use the native browser's security features and will not give the website access to your Cordova environment. Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content. + +### Validate all user input + +Always validate any and all input that your application accepts. This includes usernames, passwords, dates, uploaded media, etc. Because an attacker could manipulate your HTML and JS assets (either by decompiling your application or using debugging tools like `chrome://inspect`), this validation should also be performed on your server, especially before handing the data off to any backend service. 
+ +> **Tip**: Other sources where data should be validated: user documents, contacts, push notifications + +### Do not cache sensitive data + +If usernames, password, geolocation information, and other sensitive data is cached, then it could potentially be retrieved later by an unauthorized user or application. + +### Don't use eval() + +The JavaScript function eval() has a long history of being abused. Using it incorrectly can open your code up for injection attacks, debugging difficulties, and slower code execution. + +### Do not assume that your source code is secure + +Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application. + +A sampling of what you should not include in your code: + +* Authentication information (usernames, passwords, keys, etc.) +* Encryption keys +* Trade secrets + +### Do not assume storage containers are secure + +Even if a device itself is encrypted, if someone has access to the device and can unlock it, you should not assume that data stored in various formats and containers is safe. Even SQLite databases are easily human readable once access is gained. + +As long as you're storing non-sensitive information, this isn't a big deal. But if you were storing passwords, keys, and other sensitive information, the data could be easily extracted, and depending on what was stored, could be used against your app and remote servers. + +For example, on iOS, if you store data in `localStorage`, the data itself is easily readable to anyone who has access to the device. This is because `localStorage` is backed by an unencrypted SQLite database. The underlying storage of the device may in fact be encrypted (and so it would be inaccessible while the device is locked), but once the device decrypts the file, the contents themselves are mostly in the clear. 
As such, the contents of `localStorage` can be easily read and even changed. + +## Plugins and Security + +Due to the way the native portion of Cordova communicates with your web code, it is possible for any code executing within the main webview context to communicate with any installed plugins. This means that you should _never_ permit untrusted content within the primary webview. This can include third-party advertisements, sites within an `iframe`, and even content injected via `innerHTML`. + +If you must inject content into the primary webview, be certain that
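Review bot: In the "Do not cache sensitive data" section, "cached" is narrower than the risk the guide goes on to describe; the later "Do not assume storage containers are secure" section makes the same point for persisted data (`localStorage` backed by an unencrypted SQLite database), so "stored" would cover both cases and the two sections could cross-reference each other. The sentence "If usernames, password, geolocation information, and other sensitive data is cached" also needs "passwords" and "are cached". Separately, the "Don't use eval()" section could point at the "Content Security Policy" topic listed in the table of contents: a CSP `script-src` directive that omits `'unsafe-eval'` makes the webview refuse `eval()` and the other string-to-code calls, which turns the advice into an enforced control rather than a convention.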
[GitHub] cordova-docs pull request #703: CB-12770: revise security documentation
Github user devgeeks commented on a diff in the pull request: https://github.com/apache/cordova-docs/pull/703#discussion_r117873392 --- Diff: www/docs/en/dev/guide/appdev/security/index.md --- 
@@ -27,69 +27,155 @@ description: Information and tips for building a secure application. The following guide includes some security best practices that you should consider when developing a Cordova application. Please be aware that security is a very complicated topic and therefore this guide is not exhaustive. If you believe you can contribute to this guide, please feel free to file an issue in Cordova's bug tracker under ["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407). This guide is designed to be applicable to general Cordova development (all platforms) but special platform-specific considerations will be noted. ## This guide discusses the following topics: + +* General Tips +* Plugins and Security +* Content Security Policy * Whitelist -* Iframes and the Callback Id Mechanism * Certificate Pinning * Self-signed Certificates +* Wrapping external sites and hot code push * Encrypted storage -* General Tips * Recommended Articles and Other Resources +## General Tips + +### Use InAppBrowser for outside links + +Use the InAppBrowser when opening links to any outside website. This is much safer than whitelisting a domain name and including the content directly in your application because the InAppBrowser will use the native browser's security features and will not give the website access to your Cordova environment. Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content. + +### Validate all user input + +Always validate any and all input that your application accepts. This includes usernames, passwords, dates, uploaded media, etc. Because an attacker could manipulate your HTML and JS assets (either by decompiling your application or using debugging tools like `chrome://inspect`), this validation should also be performed on your server, especially before handing the data off to any backend service. 
+ +> **Tip**: Other sources where data should be validated: user documents, contacts, push notifications + +### Do not cache sensitive data + +If usernames, password, geolocation information, and other sensitive data is cached, then it could potentially be retrieved later by an unauthorized user or application. --- End diff -- "Stored" is a better choice. i.e.: `localStorage`, sqlite, etc. As for the threat model, mostly device-in-hand, but also XSS. If the user Jailbreaks or Roots... the horse has bolted... not sure there is any way to protect that, heh. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
[GitHub] cordova-plugin-inappbrowser pull request: Added FLAG_SECURE suppor...
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-plugin-inappbrowser/pull/164#issuecomment-215812203

+1 for option.
[GitHub] cordova-plugin-inappbrowser pull request: Added FLAG_SECURE suppor...
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-plugin-inappbrowser/pull/164#issuecomment-215697044

Well, it certainly works as advertised with the PrivacyScreenPlugin, anyway.
[GitHub] cordova-plugin-inappbrowser pull request: Added FLAG_SECURE suppor...
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-plugin-inappbrowser/pull/164#issuecomment-215685335

Nice, I'll try to have a look at this as well.
[GitHub] cordova-docs pull request: CB-10996 Updating docs index page to ma...
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-docs/pull/575#issuecomment-208684628

Looks nice
[GitHub] cordova-cli pull request: Simplify cordova CLI readme
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-cli/pull/240#issuecomment-196574142

The help from the CLI itself only says:

```
--template=<PATH|NPM PACKAGE|GIT URL> ... use a custom template located locally, in NPM, or GitHub.
```

Maybe a small bit in the CLI docs about templates would expose the feature a bit more?
[GitHub] cordova-app-hello-world pull request: CB-10522: Event binding in H...
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-app-hello-world/pull/15#issuecomment-184856505

LGTM. That third layer of binding always seemed confusing. :+1:
[GitHub] cordova-ios pull request: CB-9690 Can't submit iPad apps to the Ap...
Github user devgeeks commented on the pull request: https://github.com/apache/cordova-ios/pull/167#issuecomment-142491934

Doesn't that completely opt out of "Slide Over and Split View"?
[GitHub] cordova-android pull request: CB-9496 removed permissions added fo...
GitHub user devgeeks opened a pull request: https://github.com/apache/cordova-android/pull/206

CB-9496 removed permissions added for crosswalk

These would better live in the actual crosswalk plugin https://github.com/crosswalk-project/cordova-plugin-crosswalk-webview

I have also submitted a PR to that repo adding them to its `plugin.xml` https://github.com/crosswalk-project/cordova-plugin-crosswalk-webview/pull/43

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/devgeeks/cordova-android CB-9496

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-android/pull/206.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #206

commit 042702017a1de93a164bd0701786d7e88115064f
Author: Tommy-Carlos Williams to...@devgeeks.org
Date:   2015-08-17T00:17:29Z

    CB-9496 removed permissions added for crosswalk

    These would better live in the actual crosswalk plugin https://github.com/crosswalk-project/cordova-plugin-crosswalk-webview

    I will also submit a PR to that repo adding them to its `plugin.xml`