Nightly build #353 for cordova has succeeded!
Nightly build #353 for cordova has succeeded! The latest nightly has been published and you can try it out with 'npm i -g cordova@nightly' For details check build console at https://builds.apache.org/job/cordova-nightly/353/consoleFull - Jenkins for Apache Cordova - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
[GitHub] cordova-ios pull request #311: CB-12847: added `bugs` entry to package.json.
GitHub user filmaj opened a pull request:

https://github.com/apache/cordova-ios/pull/311

CB-12847: added `bugs` entry to package.json.

### What does this PR do?

Adds a bugs entry to the package.json.

### What testing has been done on this change?

None.

### Checklist

- [X] Issue reported: [CB-12847](https://issues.apache.org/jira/browse/CB-12847)
- [X] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB- is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/filmaj/cordova-ios bugs

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-ios/pull/311.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #311

commit 351dc563b4d3dff10820875945f575b93a782446
Author: filmaj
Date: 2017-05-23T23:19:27Z

    CB-12847: added `bugs` entry to package.json.

---
If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA.
---
[GitHub] cordova-android issue #380: Upgrade build jdk from 6 to 7
Github user filmaj commented on the issue: https://github.com/apache/cordova-android/pull/380 Is a Java upgrade required? If so, then we should also update the [README's requirements section](https://github.com/apache/cordova-android/blob/master/README.md#requires).
[GitHub] cordova-browser pull request #29: CB-12847: added `bugs` entry to package.js...
GitHub user filmaj opened a pull request:

https://github.com/apache/cordova-browser/pull/29

CB-12847: added `bugs` entry to package.json.

### What does this PR do?

Adds a bugs entry to the package.json.

### What testing has been done on this change?

None.

### Checklist

- [X] Issue reported: [CB-12847](https://issues.apache.org/jira/browse/CB-12847)
- [X] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB- is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/filmaj/cordova-browser bugs

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-browser/pull/29.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #29

commit 84dbb724f31cf08dee8f6e243f75f68aac20cdae
Author: filmaj
Date: 2017-05-23T23:09:27Z

    CB-12847: added `bugs` entry to package.json.
[GitHub] cordova-android pull request #381: CB-12847: added `bugs` entry to package.j...
Github user asfgit closed the pull request at: https://github.com/apache/cordova-android/pull/381
[GitHub] cordova-android issue #381: CB-12847: added `bugs` entry to package.json.
Github user codecov-io commented on the issue:

https://github.com/apache/cordova-android/pull/381

# [Codecov](https://codecov.io/gh/apache/cordova-android/pull/381?src=pr=h1) Report

> Merging [#381](https://codecov.io/gh/apache/cordova-android/pull/381?src=pr=desc) into [master](https://codecov.io/gh/apache/cordova-android/commit/d97250f9683518e255d30a4a13a6d3f01dbc9a9b?src=pr=desc) will **not change** coverage.
> The diff coverage is `n/a`.

[![Impacted file tree graph](https://codecov.io/gh/apache/cordova-android/pull/381/graphs/tree.svg?height=150=pr=q14nMf6C5a=650)](https://codecov.io/gh/apache/cordova-android/pull/381?src=pr=tree)

```diff
@@           Coverage Diff           @@
##           master     #381   +/-   ##
=======================================
  Coverage   39.52%   39.52%
=======================================
  Files          16       16
  Lines        1551     1551
  Branches      277      277
=======================================
  Hits          613      613
  Misses        938      938
```

--

[Continue to review full report at Codecov](https://codecov.io/gh/apache/cordova-android/pull/381?src=pr=continue).

> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta)
> `Δ = absolute (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/cordova-android/pull/381?src=pr=footer). Last update [d97250f...f396712](https://codecov.io/gh/apache/cordova-android/pull/381?src=pr=lastupdated). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments).
[GitHub] cordova-android pull request #381: CB-12847: added `bugs` entry to package.j...
GitHub user filmaj opened a pull request:

https://github.com/apache/cordova-android/pull/381

CB-12847: added `bugs` entry to package.json.

### What does this PR do?

Adds a `bugs` entry to package.json to properly link up

### What testing has been done on this change?

None. CI, do your thing.

### Checklist

- [x] Reported an issue: [CB-12847](https://issues.apache.org/jira/browse/CB-12847)
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB- is the JIRA ID & "android" is the platform affected.
- [ ] Added automated test coverage as appropriate for this change.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/filmaj/cordova-android bugs

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-android/pull/381.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #381

commit f396712f59a515dadd1f48d80104dee6a770360e
Author: filmaj
Date: 2017-05-23T22:54:03Z

    CB-12847: added `bugs` entry to package.json.
[GitHub] cordova-plugin-splashscreen issue #126: On Android 7 not work
Github user jcesarmobile commented on the issue: https://github.com/apache/cordova-plugin-splashscreen/pull/126 @filmaj I know, I've done it a few times, but I like to wait a few days because if the user closes it, we have less empty commits
[GitHub] cordova-plugin-file issue #204: how to create a folder in IOS
Github user filmaj commented on the issue: https://github.com/apache/cordova-plugin-file/pull/204 This is not the place to file issue reports. Please do so over at issues.cordova.io. Thanks!
[GitHub] cordova-plugin-file pull request #204: how to create a folder in IOS
Github user asfgit closed the pull request at: https://github.com/apache/cordova-plugin-file/pull/204
[GitHub] cordova-plugin-test-framework issue #24: Add important build step about pack...
Github user filmaj commented on the issue: https://github.com/apache/cordova-plugin-test-framework/pull/24 Ooo, also, could this PR be issued against the master branch? Next time we do a patch release, we will ensure to pull this commit from master into the release branch anyways.
[GitHub] cordova-plugin-test-framework pull request #24: Add important build step abo...
Github user filmaj commented on a diff in the pull request: https://github.com/apache/cordova-plugin-test-framework/pull/24#discussion_r118083583 --- Diff: README.md --- @@ -63,6 +64,8 @@ For example, the `cordova-plugin-device` plugin has this nested [`plugin.xml`](h The `cordova-plugin-test-framework` plugin will automatically find all `tests` modules across all plugins for which the nested tests plugin is installed. +> **Important:** Inside your project's `tests/` folder you also have to create a `package.json`. See the [`package.json` of the `cordova-plugin-device`](https://github.com/apache/cordova-plugin-device/blob/736c7b9dfdfa25a924ffc3d1e409450633a8c00f/tests/package.json) for an example. --- End diff -- Ah yes, good point. Could I suggest, however, that we reword this a bit and move the paragraph up above the previous "...will automatically find all `tests` modules" paragraph? In particular, I would structure this paragraph just like the first paragraph in the section, in a similar, instruction-providing way. Explaining _why_ this needs to be done would be a nice touch, too - it would help users understand the intentions behind each requirement. In particular, the latest version of the tools ensure to run `npm install` on any plugin added to a project, to ensure to pull in any dependencies. Therefore, plugin authors can now put npm dependencies around their tests into the `package.json` file.
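Review bot: The added `> **Important:**` line places the `package.json` in "your project's `tests/` folder", but the unchanged context line above it is about `tests` modules of plugins that ship a nested tests plugin, so "your plugin's `tests/` folder" would match the surrounding text. The line also does not say which fields that `package.json` needs or why it is required; one sentence on each would spare readers from working it out from the linked cordova-plugin-device example.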
[GitHub] cordova-plugin-splashscreen issue #126: On Android 7 not work
Github user filmaj commented on the issue: https://github.com/apache/cordova-plugin-splashscreen/pull/126

FYI @jcesarmobile I usually close these kinds of fake PRs via:

```
git commit --allow-empty -m 'Close #126'
```

.. and pushing back up to master. Only way we can do it until Apache gives us more control over GitHub :/
[GitHub] cordova-plugin-splashscreen pull request #126: On Android 7 not work
Github user asfgit closed the pull request at: https://github.com/apache/cordova-plugin-splashscreen/pull/126
[GitHub] cordova-docs pull request #703: CB-12770: revise security documentation
Github user piotrowski commented on a diff in the pull request: https://github.com/apache/cordova-docs/pull/703#discussion_r118000396 --- Diff: www/docs/en/dev/guide/appdev/security/index.md --- 
@@ -27,69 +27,155 @@ description: Information and tips for building a secure application. The following guide includes some security best practices that you should consider when developing a Cordova application. Please be aware that security is a very complicated topic and therefore this guide is not exhaustive. If you believe you can contribute to this guide, please feel free to file an issue in Cordova's bug tracker under ["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407). This guide is designed to be applicable to general Cordova development (all platforms) but special platform-specific considerations will be noted. ## This guide discusses the following topics: + +* General Tips +* Plugins and Security +* Content Security Policy * Whitelist -* Iframes and the Callback Id Mechanism * Certificate Pinning * Self-signed Certificates +* Wrapping external sites and hot code push * Encrypted storage -* General Tips * Recommended Articles and Other Resources +## General Tips + +### Use InAppBrowser for outside links + +Use the InAppBrowser when opening links to any outside website. This is much safer than whitelisting a domain name and including the content directly in your application because the InAppBrowser will use the native browser's security features and will not give the website access to your Cordova environment. Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content. + +### Validate all user input + +Always validate any and all input that your application accepts. This includes usernames, passwords, dates, uploaded media, etc. Because an attacker could manipulate your HTML and JS assets (either by decompiling your application or using debugging tools like `chrome://inspect`), this validation should also be performed on your server, especially before handing the data off to any backend service. 
+ +> **Tip**: Other sources where data should be validated: user documents, contacts, push notifications + +### Do not cache sensitive data + +If usernames, password, geolocation information, and other sensitive data is cached, then it could potentially be retrieved later by an unauthorized user or application. + +### Don't use eval() + +The JavaScript function eval() has a long history of being abused. Using it incorrectly can open your code up for injection attacks, debugging difficulties, and slower code execution. + +### Do not assume that your source code is secure + +Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application. + +A sampling of what you should not include in your code: + +* Authentication information (usernames, passwords, keys, etc.) +* Encryption keys +* Trade secrets + +### Do not assume storage containers are secure + +Even if a device itself is encrypted, if someone has access to the device and can unlock it, you should not assume that data stored in various formats and containers is safe. Even SQLite databases are easily human readable once access is gained. + +As long as you're storing non-sensitive information, this isn't a big deal. But if you were storing passwords, keys, and other sensitive information, the data could be easily extracted, and depending on what was stored, could be used against your app and remote servers. + +For example, on iOS, if you store data in `localStorage`, the data itself is easily readable to anyone who has access to the device. This is because `localStorage` is backed by an unencrypted SQLite database. The underlying storage of the device may in fact be encrypted (and so it would be inaccessible while the device is locked), but once the device decrypts the file, the contents themselves are mostly in the clear. 
As such, the contents of `localStorage` can be easily read and even changed. + +## Plugins and Security + +Due to the way the native portion of Cordova communicates with your web code, it is possible for any code executing within the main webview context to communicate with any installed plugins. This means that you should _never_ permit untrusted content within the primary webview. This can include third-party advertisements, sites within an `iframe`, and even content injected via `innerHTML`. + +If you must inject content into the primary webview, be certain that it has been
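Review bot: In the `### Don't use eval()` section, the heading forbids `eval()` outright while the body only warns against "Using it incorrectly", which implies a correct way to use it exists. Pick one position and make heading and body agree, for example by dropping "incorrectly". Since the revised topic list adds "Content Security Policy", a cross-reference from this section to that one would also fit here.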
[GitHub] cordova-docs pull request #703: CB-12770: revise security documentation
Github user piotrowski commented on a diff in the pull request: https://github.com/apache/cordova-docs/pull/703#discussion_r118000286 --- Diff: www/docs/en/dev/guide/appdev/security/index.md --- 
@@ -27,69 +27,155 @@ description: Information and tips for building a secure application. The following guide includes some security best practices that you should consider when developing a Cordova application. Please be aware that security is a very complicated topic and therefore this guide is not exhaustive. If you believe you can contribute to this guide, please feel free to file an issue in Cordova's bug tracker under ["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407). This guide is designed to be applicable to general Cordova development (all platforms) but special platform-specific considerations will be noted. ## This guide discusses the following topics: + +* General Tips +* Plugins and Security +* Content Security Policy * Whitelist -* Iframes and the Callback Id Mechanism * Certificate Pinning * Self-signed Certificates +* Wrapping external sites and hot code push * Encrypted storage -* General Tips * Recommended Articles and Other Resources +## General Tips + +### Use InAppBrowser for outside links + +Use the InAppBrowser when opening links to any outside website. This is much safer than whitelisting a domain name and including the content directly in your application because the InAppBrowser will use the native browser's security features and will not give the website access to your Cordova environment. Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content. + +### Validate all user input + +Always validate any and all input that your application accepts. This includes usernames, passwords, dates, uploaded media, etc. Because an attacker could manipulate your HTML and JS assets (either by decompiling your application or using debugging tools like `chrome://inspect`), this validation should also be performed on your server, especially before handing the data off to any backend service. 
+ +> **Tip**: Other sources where data should be validated: user documents, contacts, push notifications + +### Do not cache sensitive data + +If usernames, password, geolocation information, and other sensitive data is cached, then it could potentially be retrieved later by an unauthorized user or application. + +### Don't use eval() + +The JavaScript function eval() has a long history of being abused. Using it incorrectly can open your code up for injection attacks, debugging difficulties, and slower code execution. + +### Do not assume that your source code is secure + +Since a Cordova application is built from HTML and JavaScript assets that get packaged in a native container, you should not consider your code to be secure. It is possible to reverse engineer a Cordova application. + +A sampling of what you should not include in your code: + +* Authentication information (usernames, passwords, keys, etc.) +* Encryption keys +* Trade secrets + +### Do not assume storage containers are secure + +Even if a device itself is encrypted, if someone has access to the device and can unlock it, you should not assume that data stored in various formats and containers is safe. Even SQLite databases are easily human readable once access is gained. + +As long as you're storing non-sensitive information, this isn't a big deal. But if you were storing passwords, keys, and other sensitive information, the data could be easily extracted, and depending on what was stored, could be used against your app and remote servers. + +For example, on iOS, if you store data in `localStorage`, the data itself is easily readable to anyone who has access to the device. This is because `localStorage` is backed by an unencrypted SQLite database. The underlying storage of the device may in fact be encrypted (and so it would be inaccessible while the device is locked), but once the device decrypts the file, the contents themselves are mostly in the clear. 
As such, the contents of `localStorage` can be easily read and even changed. + +## Plugins and Security + +Due to the way the native portion of Cordova communicates with your web code, it is possible for any code executing within the main webview context to communicate with any installed plugins. This means that you should _never_ permit untrusted content within the primary webview. This can include third-party advertisements, sites within an `iframe`, and even content injected via `innerHTML`. + +If you must inject content into the primary webview, be certain that it has been
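Review bot: In `### Do not cache sensitive data`, the sentence "If usernames, password, geolocation information, and other sensitive data is cached" has a singular "password" in a plural list and a subject-verb mismatch; "passwords ... are cached" reads correctly. That section and `### Do not assume storage containers are secure` both state the risk without saying what to do instead, so a pointer to the "Encrypted storage" topic from the list at the top would help.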
[GitHub] cordova-docs pull request #703: CB-12770: revise security documentation
Github user piotrowski commented on a diff in the pull request: https://github.com/apache/cordova-docs/pull/703#discussion_r117999300 --- Diff: www/docs/en/dev/guide/appdev/security/index.md --- 
@@ -27,69 +27,155 @@ description: Information and tips for building a secure application. The following guide includes some security best practices that you should consider when developing a Cordova application. Please be aware that security is a very complicated topic and therefore this guide is not exhaustive. If you believe you can contribute to this guide, please feel free to file an issue in Cordova's bug tracker under ["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407). This guide is designed to be applicable to general Cordova development (all platforms) but special platform-specific considerations will be noted. ## This guide discusses the following topics: + +* General Tips +* Plugins and Security +* Content Security Policy * Whitelist -* Iframes and the Callback Id Mechanism * Certificate Pinning * Self-signed Certificates +* Wrapping external sites and hot code push * Encrypted storage -* General Tips * Recommended Articles and Other Resources +## General Tips + +### Use InAppBrowser for outside links + +Use the InAppBrowser when opening links to any outside website. This is much safer than whitelisting a domain name and including the content directly in your application because the InAppBrowser will use the native browser's security features and will not give the website access to your Cordova environment. Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content. --- End diff -- Link to InAppBrowser would be great here --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. 
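Review bot: In the `### Use InAppBrowser for outside links` paragraph, the closing sentence ("Even if you trust the third party website and include it directly in your application, that third party website could link to malicious web content") is not tied back to the InAppBrowser advice. Consider stating the conclusion explicitly, i.e. that this is why trusted sites should also be opened in the InAppBrowser rather than whitelisted. In the topic list, the new entry "Wrapping external sites and hot code push" uses sentence case while the new "Plugins and Security" and "Content Security Policy" entries use title case.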