Posted to commits@cordova.apache.org by ag...@apache.org on 2015/03/12 18:43:49 UTC

cordova-app-hello-world git commit: Another CSP comment tweak

Repository: cordova-app-hello-world
Updated Branches:
  refs/heads/master db672689d -> c7253f12a


Another CSP comment tweak


Project: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/commit/c7253f12
Tree: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/tree/c7253f12
Diff: http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/diff/c7253f12

Branch: refs/heads/master
Commit: c7253f12a6957b264252a4587426a0dbdb15d6fa
Parents: db67268
Author: Andrew Grieve <ag...@chromium.org>
Authored: Thu Mar 12 13:43:40 2015 -0400
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Thu Mar 12 13:43:40 2015 -0400

----------------------------------------------------------------------
 www/index.html | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-app-hello-world/blob/c7253f12/www/index.html
----------------------------------------------------------------------
diff --git a/www/index.html b/www/index.html
index c67c617..10dbeb6 100644
--- a/www/index.html
+++ b/www/index.html
@@ -25,8 +25,9 @@
         Some notes:
             * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
             * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
-            * To enable use of inline JS, add 'unsafe-inline' to default-src
-            * To enable use of eval(), add 'unsafe-eval' to default-src
+            * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
+                * Enable inline JS: add 'unsafe-inline' to default-src
+                * Enable eval(): add 'unsafe-eval' to default-src
         -->
         <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
         <meta name="format-detection" content="telephone=no">
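
Review bot: The two added sub-bullets tell readers to put 'unsafe-inline' and 'unsafe-eval' in default-src, which controls scripts only because the meta tag in this hunk has no script-src directive; say so in the comment, since a script-src added later would take over for scripts and these instructions would silently stop working. The parent bullet also opens with "Disables use of eval() and inline scripts" without a subject, unlike the "gap:" and "https://ssl.gstatic.com" notes above it; "This policy disables ..." would read more clearly. It is also worth stating on the sub-bullets that either opt-in gives up the XSS mitigation the parent bullet describes, so a developer copying the template sees the cost next to the switch.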

