Posted to dev@cordova.apache.org by Frederik Braun <fb...@mozilla.com> on 2014/11/12 13:09:26 UTC

Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP

Hi,

I am not very involved with Cordova, but as far as I understand, Cordova
Apps are allowed to use eval, inline scripts etc.

We do not allow this in Firefox OS [1] and I am concerned that it may
cause some friction when porting existing Cordova apps to Firefox OS and
then realizing that a lot of scripts need rewriting to comply with our
Content Security Policy (CSP).


Is there anything we can do to remove this friction? My first intuition
would be some sort of warning that is emitted when building an app that
uses one of those patterns.

What do you think?



Thanks!
Frederik

[1]
https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org


Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP

Posted by Ian Clelland <ic...@chromium.org>.
I'm not familiar enough with the FirefoxOS architecture, but on Android, we
had also considered the possibility of injecting a Content-Security-Policy
in the response header for the application's start page -- this would be
more secure, arguably, than a <meta> tag. The biggest problem is that that
trick only works on the initial page load; if you have a multi-page app,
then you don't get the chance to do that for subsequent pages, but that's
an android-specific limitation.

(It's something that we will be able to do soon for iOS, since it looks
like we're going to control the entire HTTP process.)

On Wed Nov 12 2014 at 8:54:23 AM Frederik Braun <fb...@mozilla.com> wrote:

> Response inline
>
> On 12.11.2014 14:35, Michal Mocny wrote:
> > We could add <meta http-equiv="Content-Security-Policy" content=".."> to
> > the default template, or create a plugin that injects it automatically
> and
> > try to get developers to install that plugin.
> >
> > This has some benefits for security of cordova apps and has been brought
> up
> > on these lists in that context (very recently by Ian's whitelist ->
> plugin
> > thread).
> >
>
> Meta CSP is quite a nice idea, yet we're unfortunately lacking support
> in Firefox (and Firefox OS) so far
> (https://bugzilla.mozilla.org/show_bug.cgi?id=663570).
>
> I was thinking that some sort of early feedback (i.e. build step
> warning) could help avoiding these patterns when app development has
> *just* started.
>
> > Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> > scripts automatically? (This issue applies to chrome apps, and vulcanize
> is
> > used to solve the problem with web component inline scripts).
> >
>
> That's an interesting suggestion, thanks!
>
>
>

Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP

Posted by Frederik Braun <fb...@mozilla.com>.
Response inline

On 12.11.2014 14:35, Michal Mocny wrote:
> We could add <meta http-equiv="Content-Security-Policy" content=".."> to
> the default template, or create a plugin that injects it automatically and
> try to get developers to install that plugin.
> 
> This has some benefits for security of cordova apps and has been brought up
> on these lists in that context (very recently by Ian's whitelist -> plugin
> thread).
> 

Meta CSP is quite a nice idea, yet we're unfortunately lacking support
in Firefox (and Firefox OS) so far
(https://bugzilla.mozilla.org/show_bug.cgi?id=663570).

I was thinking that some sort of early feedback (i.e. build step
warning) could help avoiding these patterns when app development has
*just* started.

> Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> scripts automatically? (This issue applies to chrome apps, and vulcanize is
> used to solve the problem with web component inline scripts).
> 

That's an interesting suggestion, thanks!





Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP

Posted by Axel Nennker <ig...@gmail.com>.
vulcanize does not work when inline script depends on the order of the
scripts.
vulcanize just extracts all inline script and includes vulcanize.js at the
end of the html body
<script src="vulcanized.js"></script></body></html>

<script src="definesA.js"/>
<script>
  var B = A;
</script>
<script src="usesB.js"/>

would not work because that becomes

<script src="definesA.js"/>
<script src="usesB.js"/> // ReferenceError B is not defined
<script src="vulcanize.js"/> // <script>var B = A;</script>




2014-11-12 14:35 GMT+01:00 Michal Mocny <mm...@chromium.org>:

> We could add <meta http-equiv="Content-Security-Policy" content=".."> to
> the default template, or create a plugin that injects it automatically and
> try to get developers to install that plugin.
>
> This has some benefits for security of cordova apps and has been brought up
> on these lists in that context (very recently by Ian's whitelist -> plugin
> thread).
>
> Finally, perhaps you can use the `vulcanize --csp` tool to externalize
> scripts automatically? (This issue applies to chrome apps, and vulcanize is
> used to solve the problem with web component inline scripts).
>
> -Michal
>
> On Wed, Nov 12, 2014 at 7:09 AM, Frederik Braun <fb...@mozilla.com>
> wrote:
>
> > Hi,
> >
> > I am not very involved with Cordova, but as far as I understand, Cordova
> > Apps are allowed to use eval, inline scripts etc.
> >
> > We do not allow this in Firefox OS [1] and I am concerned that it may
> > cause some friction when porting existing Cordova apps to Firefox OS and
> > then realizing that a lot of scripts need rewriting to comply with our
> > Content Security Policy (CSP).
> >
> >
> > Is there anything we can do to remove this friction? My first intuition
> > would be some sort of warning that is emitted when building an app that
> > uses one of those patterns.
> >
> > What do you think?
> >
> >
> >
> > Thanks!
> > Frederik
> >
> > [1]
> > https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP
> >
>

Re: Suggestion: Warning about usage of patterns that conflict with the Firefox OS CSP

Posted by Michal Mocny <mm...@chromium.org>.
We could add <meta http-equiv="Content-Security-Policy" content=".."> to
the default template, or create a plugin that injects it automatically and
try to get developers to install that plugin.

This has some benefits for security of cordova apps and has been brought up
on these lists in that context (very recently by Ian's whitelist -> plugin
thread).

Finally, perhaps you can use the `vulcanize --csp` tool to externalize
scripts automatically? (This issue applies to chrome apps, and vulcanize is
used to solve the problem with web component inline scripts).

-Michal

On Wed, Nov 12, 2014 at 7:09 AM, Frederik Braun <fb...@mozilla.com> wrote:

> Hi,
>
> I am not very involved with Cordova, but as far as I understand, Cordova
> Apps are allowed to use eval, inline scripts etc.
>
> We do not allow this in Firefox OS [1] and I am concerned that it may
> cause some friction when porting existing Cordova apps to Firefox OS and
> then realizing that a lot of scripts need rewriting to comply with our
> Content Security Policy (CSP).
>
>
> Is there anything we can do to remove this friction? My first intuition
> would be some sort of warning that is emitted when building an app that
> uses one of those patterns.
>
> What do you think?
>
>
>
> Thanks!
> Frederik
>
> [1]
>
> https://developer.mozilla.org/en-US/Apps/Build/installable_apps_for_Firefox_OS/CSP
>