Posted to commits@cordova.apache.org by GitBox <gi...@apache.org> on 2020/04/07 13:22:46 UTC

[GitHub] [cordova-plugin-whitelist] breautek commented on issue #53: JavaScript Interface

breautek commented on issue #53: JavaScript Interface
URL: https://github.com/apache/cordova-plugin-whitelist/issues/53#issuecomment-610383606
 
 
   I'm a little concerned about adding these APIs, because I think having the ability to modify these at runtime will undermine the entire point of having a whitelist API.
   
   To summarise, the whitelist API protects your app by restricting the JavaScript code that runs in your app from communicating with external servers unless you explicitly state otherwise. Realistically this would probably never happen within your own codebase, so this is more or less a line of defence in case your codebase somehow became compromised: it reduces the potential attack vector by limiting what malicious code can do.
   
   Should malicious code find its way into your codebase, it may be able to use device APIs and gain information; with a properly configured whitelist plugin, (hopefully) that is all it will be able to do. It wouldn't be able to export that information to a remote server of its choosing. So by adding those APIs, you provide the tools required to bypass the intention of this plugin, which is to mitigate damage.
   
   Another feature that is similar to this plugin, but implemented at the browser level, is the [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP), which is also intended to mitigate XSS attacks; you cannot modify these policies at runtime either. They are parsed either from the HTTP header or from the `meta` tag on load, and are not re-evaluated during the lifetime of that page.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org