Posted to commits@cordova.apache.org by ag...@apache.org on 2015/03/06 03:19:15 UTC
[1/2] cordova-plugins git commit: Rename url-policy -> whitelist
Repository: cordova-plugins
Updated Branches:
refs/heads/master 03de74861 -> 9e0db6c01
Rename url-policy -> whitelist
Project: http://git-wip-us.apache.org/repos/asf/cordova-plugins/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugins/commit/10d394d4
Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugins/tree/10d394d4
Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugins/diff/10d394d4
Branch: refs/heads/master
Commit: 10d394d47eea1a33723fb2c38c54fcd20f68d393
Parents: 03de748
Author: Andrew Grieve <ag...@chromium.org>
Authored: Thu Mar 5 15:32:36 2015 -0500
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Thu Mar 5 21:17:15 2015 -0500
----------------------------------------------------------------------
url-policy/README.md | 110 -------------
url-policy/plugin.xml | 48 ------
url-policy/src/android/UrlPolicyPlugin.java | 159 -------------------
.../src/ios/CDVNavigationWhitelistPlugin.h | 31 ----
.../src/ios/CDVNavigationWhitelistPlugin.m | 89 -----------
url-policy/url-policy.js | 27 ----
whitelist/README.md | 110 +++++++++++++
whitelist/plugin.xml | 48 ++++++
whitelist/src/android/WhitelistPlugin.java | 159 +++++++++++++++++++
.../src/ios/CDVNavigationWhitelistPlugin.h | 31 ++++
.../src/ios/CDVNavigationWhitelistPlugin.m | 89 +++++++++++
whitelist/whitelist.js | 27 ++++
12 files changed, 464 insertions(+), 464 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/url-policy/README.md
----------------------------------------------------------------------
diff --git a/url-policy/README.md b/url-policy/README.md
deleted file mode 100644
index 2a2759b..0000000
--- a/url-policy/README.md
+++ /dev/null
@@ -1,110 +0,0 @@
-# cordova-plugin-url-policy
-
-This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0
-
-## Supported Cordova Platforms
-
-* Android 4.0.0 or above
-
-## Navigation Whitelist
-Controls which URLs the WebView itself can be navigated to. Applies to
-top-level navigations only.
-
-Quirks: on Android it also applies to iframes for non-http(s) schemes.
-
-By default, navigations only to `file://` URLs, are allowed. To allow other
-other URLs, you must add `<allow-navigation>` tags to your `config.xml`:
-
- <!-- Allow links to example.com -->
- <allow-navigation href="http://example.com/*" />
-
- <!-- Wildcards are allowed for the protocol, as a prefix
- to the host, or as a suffix to the path -->
- <allow-havigation href="*://*.example.com/*" />
-
- <!-- A wildcard can be used to whitelist the entire network,
- over HTTP and HTTPS.
- *NOT RECOMMENDED* -->
- <allow-navigation href="*" />
-
- <!-- The above is equivalent to these three declarations -->
- <allow-navigation href="http://*/*" />
- <allow-navigation href="https://*/*" />
- <allow-navigation href="data:*" />
-
-## Intent Whitelist
-Controls which URLs the app is allowed to ask the system to open.
-By default, no external URLs are allowed.
-
-On Android, this equates to sending an intent of type BROWSEABLE.
-
-This whitelist does not apply to plugins, only hyperlinks and calls to `window.open()`.
-
-In `config.xml`, add `<allow-intent>` tags, like this:
-
- <!-- Allow links to example.com to open in a browser -->
- <allow-intent href="http://example.com/*" />
-
- <!-- Wildcards are allowed for the protocol, as a prefix
- to the host, or as a suffix to the path -->
- <allow-intent href="*://*.example.com/*" />
-
- <!-- Allow SMS links to open messaging app -->
- <allow-intent href="sms:*" />
-
- <!-- Allow tel: links to open the dialer -->
- <allow-intent href="tel:*" />
-
- <!-- Allow geo: links to open maps -->
- <allow-intent href="geo:*" />
-
- <!-- Allow all unrecognized URLs to open installed apps
- *NOT RECOMMENDED* -->
- <allow-intent href="*" />
-
-## Network Request Whitelist
-Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).
-
-Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.
-
-In `config.xml`, add `<access>` tags, like this:
-
- <!-- Allow images, xhrs, etc. to google.com -->
- <access origin="http://google.com" />
- <access origin="https://google.com" />
-
- <!-- Access to the subdomain maps.google.com -->
- <access origin="http://maps.google.com" />
-
- <!-- Access to all the subdomains on google.com -->
- <access origin="http://*.google.com" />
-
- <!-- Enable requests to content: URLs -->
- <access origin="content:///*" />
-
- <!-- Don't block any requests -->
- <access origin="*" />
-
-Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default cordova application should include `<access origin="*">` by default.
-
-### Content Security Policy
-Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
-
-On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the whitelist, you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>` tag on all of your pages.
-
-On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).
-
-Here are some example CSP declarations for your `.html` pages:
-
- <!-- Allow requests to foo.com -->
- <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"/>
-
- <!-- Enable all requests, inline styles, and eval() -->
- <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval' "/>
-
- <!-- Allow XHRs via https only -->
- <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"/>
-
- <!-- Allow data: URLs within iframes -->
- <!-- Note: You would also need an <allow-navigation href="data:*" /> in your config.xml -->
- <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' data:"/>
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/url-policy/plugin.xml
----------------------------------------------------------------------
diff --git a/url-policy/plugin.xml b/url-policy/plugin.xml
deleted file mode 100644
index f4ea071..0000000
--- a/url-policy/plugin.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-
-<plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
-xmlns:android="http://schemas.android.com/apk/res/android"
- id="org.apache.cordova.url-policy"
- version="0.0.1-dev">
- <name>Whitelist</name>
- <description>Cordova Network Whitelist Plugin</description>
- <license>Apache 2.0</license>
- <keywords>cordova,whitelist,policy</keywords>
-
- <engines>
- <engine name="cordova-android" version=">=4.0.0-dev" />
- </engines>
-
- <platform name="android">
- <config-file target="res/xml/config.xml" parent="/*">
- <feature name="UrlPolicy" >
- <param name="android-package" value="org.apache.cordova.urlpolicy.UrlPolicyPlugin"/>
- <param name="onload" value="true" />
- </feature>
- </config-file>
-
- <source-file src="src/android/UrlPolicyPlugin.java" target-dir="src/org/apache/cordova/urlpolicy" />
-
- <js-module src="url-policy.js" name="url-policy">
- <runs />
- </js-module>
- </platform>
-</plugin>
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/url-policy/src/android/UrlPolicyPlugin.java
----------------------------------------------------------------------
diff --git a/url-policy/src/android/UrlPolicyPlugin.java b/url-policy/src/android/UrlPolicyPlugin.java
deleted file mode 100644
index 6715224..0000000
--- a/url-policy/src/android/UrlPolicyPlugin.java
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-*/
-
-package org.apache.cordova.urlpolicy;
-
-import org.apache.cordova.CordovaPlugin;
-import org.apache.cordova.ConfigXmlParser;
-import org.apache.cordova.Whitelist;
-
-import android.content.Context;
-import android.content.res.XmlResourceParser;
-import android.util.Log;
-
-public class UrlPolicyPlugin extends CordovaPlugin {
- private static final String LOG_TAG = "UrlPolicyPlugin";
- private Whitelist allowedNavigations;
- private Whitelist allowedIntents;
- private Whitelist allowedRequests;
-
- // Used when instantiated via reflection by PluginManager
- public UrlPolicyPlugin() {
- }
- // These can be used by embedders to allow Java-configuration of whitelists.
- public UrlPolicyPlugin(Context context) {
- this(new Whitelist(), new Whitelist(), null);
- new CustomConfigXmlParser().parse(context);
- }
- public UrlPolicyPlugin(XmlResourceParser xmlResourceParser) {
- this(new Whitelist(), new Whitelist(), null);
- new CustomConfigXmlParser().parse(xmlResourceParser);
- }
- public UrlPolicyPlugin(Whitelist allowedNavigations, Whitelist allowedIntents, Whitelist allowedRequests) {
- if (allowedRequests == null) {
- allowedRequests = new Whitelist();
- allowedRequests.addWhiteListEntry("file:///*", false);
- allowedRequests.addWhiteListEntry("data:*", false);
- }
- this.allowedNavigations = allowedNavigations;
- this.allowedIntents = allowedIntents;
- this.allowedRequests = allowedRequests;
- }
- @Override
- public void pluginInitialize() {
- if (allowedNavigations == null) {
- allowedNavigations = new Whitelist();
- allowedIntents = new Whitelist();
- allowedRequests = new Whitelist();
- new CustomConfigXmlParser().parse(webView.getContext());
- }
- }
-
- private class CustomConfigXmlParser extends ConfigXmlParser {
- public void handleStartTag(XmlResourceParser xml) {
- String strNode = xml.getName();
- if (strNode.equals("content")) {
- String startPage = xml.getAttributeValue(null, "src");
- allowedNavigations.addWhiteListEntry(startPage, false);
- } else if (strNode.equals("allow-navigation")) {
- String origin = xml.getAttributeValue(null, "href");
- if ("*".equals(origin)) {
- allowedNavigations.addWhiteListEntry("http://*/*", false);
- allowedNavigations.addWhiteListEntry("https://*/*", false);
- allowedNavigations.addWhiteListEntry("data:*", false);
- } else {
- allowedNavigations.addWhiteListEntry(origin, false);
- }
- } else if (strNode.equals("allow-intent")) {
- String origin = xml.getAttributeValue(null, "href");
- allowedIntents.addWhiteListEntry(origin, false);
- } else if (strNode.equals("access")) {
- String origin = xml.getAttributeValue(null, "origin");
- String subdomains = xml.getAttributeValue(null, "subdomains");
- boolean external = (xml.getAttributeValue(null, "launch-external") != null);
- if (origin != null) {
- if (external) {
- Log.w(LOG_TAG, "Found <access launch-external> within config.xml. Please use <allow-intent> instead.");
- allowedIntents.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
- } else {
- if ("*".equals(origin)) {
- allowedRequests.addWhiteListEntry("http://*/*", false);
- allowedRequests.addWhiteListEntry("https://*/*", false);
- } else {
- allowedRequests.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
- }
- }
- }
- }
- }
- public void handleEndTag(XmlResourceParser xml) {
- }
- }
-
- @Override
- public Boolean shouldAllowNavigation(String url) {
- if (allowedNavigations.isUrlWhiteListed(url)) {
- return true;
- }
- return null; // Default policy
- }
-
- @Override
- public Boolean shouldAllowRequest(String url) {
- if (Boolean.TRUE == shouldAllowNavigation(url)) {
- return true;
- }
- if (allowedRequests.isUrlWhiteListed(url)) {
- return true;
- }
- return null; // Default policy
- }
-
- @Override
- public Boolean shouldOpenExternalUrl(String url) {
- if (allowedIntents.isUrlWhiteListed(url)) {
- return true;
- }
- return null; // Default policy
- }
-
- public Whitelist getAllowedNavigations() {
- return allowedNavigations;
- }
-
- public void setAllowedNavigations(Whitelist allowedNavigations) {
- this.allowedNavigations = allowedNavigations;
- }
-
- public Whitelist getAllowedIntents() {
- return allowedIntents;
- }
-
- public void setAllowedIntents(Whitelist allowedIntents) {
- this.allowedIntents = allowedIntents;
- }
-
- public Whitelist getAllowedRequests() {
- return allowedRequests;
- }
-
- public void setAllowedRequests(Whitelist allowedRequests) {
- this.allowedRequests = allowedRequests;
- }
-}
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/url-policy/src/ios/CDVNavigationWhitelistPlugin.h
----------------------------------------------------------------------
diff --git a/url-policy/src/ios/CDVNavigationWhitelistPlugin.h b/url-policy/src/ios/CDVNavigationWhitelistPlugin.h
deleted file mode 100644
index d0b9365..0000000
--- a/url-policy/src/ios/CDVNavigationWhitelistPlugin.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- */
-
-#import <UIKit/UIKit.h>
-#import <Cordova/CDVPlugin.h>
-#import <Cordova/CDVWhitelist.h>
-
-@interface CDVNavigationWhitelistPlugin : CDVPlugin {}
-
-@property (nonatomic, readonly, strong) CDVWhitelist* whitelist; // readonly for public
-
-- (BOOL)shouldAllowNavigationToURL:(NSURL *)url;
-- (BOOL)shouldAllowRequestForURL:(NSURL *)url;
-
-@end
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/url-policy/src/ios/CDVNavigationWhitelistPlugin.m
----------------------------------------------------------------------
diff --git a/url-policy/src/ios/CDVNavigationWhitelistPlugin.m b/url-policy/src/ios/CDVNavigationWhitelistPlugin.m
deleted file mode 100644
index 5895e89..0000000
--- a/url-policy/src/ios/CDVNavigationWhitelistPlugin.m
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- */
-
-#import "CDVNavigationWhitelistPlugin.h"
-#import <Cordova/CDVViewController.h>
-
-#pragma mark CDVNavigationWhitelistConfigParser
-
-@interface CDVNavigationWhitelistConfigParser : NSObject <NSXMLParserDelegate> {}
-
-@property (nonatomic, strong) NSMutableArray* whitelistHosts;
-
-@end
-
-@implementation CDVNavigationWhitelistConfigParser
-
-@synthesize whitelistHosts;
-
-- (id)init
-{
- self = [super init];
- if (self != nil) {
- self.whitelistHosts = [[NSMutableArray alloc] initWithCapacity:30];
- [self.whitelistHosts addObject:@"file:///*"];
- [self.whitelistHosts addObject:@"content:///*"];
- [self.whitelistHosts addObject:@"data:///*"];
- }
- return self;
-}
-
-- (void)parser:(NSXMLParser*)parser didStartElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName attributes:(NSDictionary*)attributeDict
-{
- if ([elementName isEqualToString:@"allow-navigation"]) {
- [whitelistHosts addObject:attributeDict[@"href"]];
- }
-}
-
-- (void)parser:(NSXMLParser*)parser didEndElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName
-{
-}
-
-- (void)parser:(NSXMLParser*)parser parseErrorOccurred:(NSError*)parseError
-{
- NSAssert(NO, @"config.xml parse error line %ld col %ld", (long)[parser lineNumber], (long)[parser columnNumber]);
-}
-
-
-@end
-
-#pragma mark CDVNavigationWhitelistPlugin
-
-@interface CDVNavigationWhitelistPlugin () {}
-@property (nonatomic, strong) CDVWhitelist* whitelist;
-@end
-
-@implementation CDVNavigationWhitelistPlugin
-
-@synthesize whitelist;
-
-- (void)setViewController:(UIViewController *)viewController
-{
- if ([viewController isKindOfClass:[CDVViewController class]]) {
- CDVWhitelistConfigParser *whitelistConfigParser = [[CDVWhitelistConfigParser alloc] init];
- [(CDVViewController *)viewController parseSettingsWithParser:whitelistConfigParser];
- self.whitelist = [[CDVWhitelist alloc] initWithArray:whitelistConfigParser.whitelistHosts];
- }
-}
-
-- (BOOL)shouldAllowNavigationToURL:(NSURL *)url
-{
- return [self.whitelist URLIsAllowed:url];
-}
-@end
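Review bot: `setViewController:` instantiates `CDVWhitelistConfigParser`, which is not declared in this file, while the `CDVNavigationWhitelistConfigParser` class defined at the top of the file is never used; confirm which one is intended and make the two names agree. The header also declares `shouldAllowRequestForURL:`, but this implementation only defines `shouldAllowNavigationToURL:`. The diffstat shows an 89-line file of the same name re-added under `whitelist/src/ios/`, so if that copy is unchanged, both points should be fixed there rather than carried over.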
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/url-policy/url-policy.js
----------------------------------------------------------------------
diff --git a/url-policy/url-policy.js b/url-policy/url-policy.js
deleted file mode 100644
index d2c5ff5..0000000
--- a/url-policy/url-policy.js
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
-*/
-
-if (!document.querySelector('meta[http-equiv=Content-Security-Policy]')) {
- var msg = 'No Content-Security-Policy meta tag found. Please add one when using the cordova-plugin-url-policy plugin.';
- console.error(msg);
- setInterval(function() {
- console.warn(msg);
- }, 10000);
-}
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/whitelist/README.md
----------------------------------------------------------------------
diff --git a/whitelist/README.md b/whitelist/README.md
new file mode 100644
index 0000000..ab33020
--- /dev/null
+++ b/whitelist/README.md
@@ -0,0 +1,110 @@
+# cordova-plugin-whitelist
+
+This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0
+
+## Supported Cordova Platforms
+
+* Android 4.0.0 or above
+
+## Navigation Whitelist
+Controls which URLs the WebView itself can be navigated to. Applies to
+top-level navigations only.
+
+Quirks: on Android it also applies to iframes for non-http(s) schemes.
+
+By default, navigations only to `file://` URLs, are allowed. To allow other
+other URLs, you must add `<allow-navigation>` tags to your `config.xml`:
+
+ <!-- Allow links to example.com -->
+ <allow-navigation href="http://example.com/*" />
+
+ <!-- Wildcards are allowed for the protocol, as a prefix
+ to the host, or as a suffix to the path -->
+ <allow-havigation href="*://*.example.com/*" />
+
+ <!-- A wildcard can be used to whitelist the entire network,
+ over HTTP and HTTPS.
+ *NOT RECOMMENDED* -->
+ <allow-navigation href="*" />
+
+ <!-- The above is equivalent to these three declarations -->
+ <allow-navigation href="http://*/*" />
+ <allow-navigation href="https://*/*" />
+ <allow-navigation href="data:*" />
+
+## Intent Whitelist
+Controls which URLs the app is allowed to ask the system to open.
+By default, no external URLs are allowed.
+
+On Android, this equates to sending an intent of type BROWSEABLE.
+
+This whitelist does not apply to plugins, only hyperlinks and calls to `window.open()`.
+
+In `config.xml`, add `<allow-intent>` tags, like this:
+
+ <!-- Allow links to example.com to open in a browser -->
+ <allow-intent href="http://example.com/*" />
+
+ <!-- Wildcards are allowed for the protocol, as a prefix
+ to the host, or as a suffix to the path -->
+ <allow-intent href="*://*.example.com/*" />
+
+ <!-- Allow SMS links to open messaging app -->
+ <allow-intent href="sms:*" />
+
+ <!-- Allow tel: links to open the dialer -->
+ <allow-intent href="tel:*" />
+
+ <!-- Allow geo: links to open maps -->
+ <allow-intent href="geo:*" />
+
+ <!-- Allow all unrecognized URLs to open installed apps
+ *NOT RECOMMENDED* -->
+ <allow-intent href="*" />
+
+## Network Request Whitelist
+Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).
+
+Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.
+
+In `config.xml`, add `<access>` tags, like this:
+
+ <!-- Allow images, xhrs, etc. to google.com -->
+ <access origin="http://google.com" />
+ <access origin="https://google.com" />
+
+ <!-- Access to the subdomain maps.google.com -->
+ <access origin="http://maps.google.com" />
+
+ <!-- Access to all the subdomains on google.com -->
+ <access origin="http://*.google.com" />
+
+ <!-- Enable requests to content: URLs -->
+ <access origin="content:///*" />
+
+ <!-- Don't block any requests -->
+ <access origin="*" />
+
+Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default cordova application should include `<access origin="*">` by default.
+
+### Content Security Policy
+Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
+
+On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the whitelist, you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>` tag on all of your pages.
+
+On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).
+
+Here are some example CSP declarations for your `.html` pages:
+
+ <!-- Allow requests to foo.com -->
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"/>
+
+ <!-- Enable all requests, inline styles, and eval() -->
+ <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval' "/>
+
+ <!-- Allow XHRs via https only -->
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"/>
+
+ <!-- Allow data: URLs within iframes -->
+ <!-- Note: You would also need an <allow-navigation href="data:*" /> in your config.xml -->
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' data:"/>
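Review bot: The second navigation example misspells the tag as `<allow-havigation href="*://*.example.com/*" />`; the config parser added in this commit only matches `allow-navigation` and has no fallback branch, so anyone copying that line gets an entry that is silently ignored. Since the file is being re-added anyway, fix the tag name, and also drop the colon in `script-src: 'self' 'unsafe-inline' 'unsafe-eval'` in the "Enable all requests" CSP example, because a CSP directive name is followed by a space, not a colon. Minor: "To allow other other URLs" repeats a word.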
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/whitelist/plugin.xml
----------------------------------------------------------------------
diff --git a/whitelist/plugin.xml b/whitelist/plugin.xml
new file mode 100644
index 0000000..889e609
--- /dev/null
+++ b/whitelist/plugin.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
+xmlns:android="http://schemas.android.com/apk/res/android"
+ id="org.apache.cordova.whitelist"
+ version="0.0.1-dev">
+ <name>Whitelist</name>
+ <description>Cordova Network Whitelist Plugin</description>
+ <license>Apache 2.0</license>
+ <keywords>cordova,whitelist,policy</keywords>
+
+ <engines>
+ <engine name="cordova-android" version=">=4.0.0-dev" />
+ </engines>
+
+ <platform name="android">
+ <config-file target="res/xml/config.xml" parent="/*">
+ <feature name="Whitelist" >
+ <param name="android-package" value="org.apache.cordova.whitelist.WhitelistPlugin"/>
+ <param name="onload" value="true" />
+ </feature>
+ </config-file>
+
+ <source-file src="src/android/WhitelistPlugin.java" target-dir="src/org/apache/cordova/whitelist" />
+
+ <js-module src="whitelist.js" name="whitelist">
+ <runs />
+ </js-module>
+ </platform>
+</plugin>
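Review bot: Only `<platform name="android">` is declared, yet the same commit adds `src/ios/CDVNavigationWhitelistPlugin.h` and `.m` under `whitelist/`; nothing in this file references them, so they are shipped in the repository but never installed into a project. Either add an iOS platform section that lists the header and source file, or leave the iOS files out until they are wired up. The `<description>` still reads "Cordova Network Whitelist Plugin", although the README covers navigation and intent whitelists as well.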
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/whitelist/src/android/WhitelistPlugin.java
----------------------------------------------------------------------
diff --git a/whitelist/src/android/WhitelistPlugin.java b/whitelist/src/android/WhitelistPlugin.java
new file mode 100644
index 0000000..7b8c856
--- /dev/null
+++ b/whitelist/src/android/WhitelistPlugin.java
@@ -0,0 +1,159 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+package org.apache.cordova.whitelist;
+
+import org.apache.cordova.CordovaPlugin;
+import org.apache.cordova.ConfigXmlParser;
+import org.apache.cordova.Whitelist;
+
+import android.content.Context;
+import android.content.res.XmlResourceParser;
+import android.util.Log;
+
+public class WhitelistPlugin extends CordovaPlugin {
+ private static final String LOG_TAG = "WhitelistPlugin";
+ private Whitelist allowedNavigations;
+ private Whitelist allowedIntents;
+ private Whitelist allowedRequests;
+
+ // Used when instantiated via reflection by PluginManager
+ public WhitelistPlugin() {
+ }
+ // These can be used by embedders to allow Java-configuration of whitelists.
+ public WhitelistPlugin(Context context) {
+ this(new Whitelist(), new Whitelist(), null);
+ new CustomConfigXmlParser().parse(context);
+ }
+ public WhitelistPlugin(XmlResourceParser xmlResourceParser) {
+ this(new Whitelist(), new Whitelist(), null);
+ new CustomConfigXmlParser().parse(xmlResourceParser);
+ }
+ public WhitelistPlugin(Whitelist allowedNavigations, Whitelist allowedIntents, Whitelist allowedRequests) {
+ if (allowedRequests == null) {
+ allowedRequests = new Whitelist();
+ allowedRequests.addWhiteListEntry("file:///*", false);
+ allowedRequests.addWhiteListEntry("data:*", false);
+ }
+ this.allowedNavigations = allowedNavigations;
+ this.allowedIntents = allowedIntents;
+ this.allowedRequests = allowedRequests;
+ }
+ @Override
+ public void pluginInitialize() {
+ if (allowedNavigations == null) {
+ allowedNavigations = new Whitelist();
+ allowedIntents = new Whitelist();
+ allowedRequests = new Whitelist();
+ new CustomConfigXmlParser().parse(webView.getContext());
+ }
+ }
+
+ private class CustomConfigXmlParser extends ConfigXmlParser {
+ public void handleStartTag(XmlResourceParser xml) {
+ String strNode = xml.getName();
+ if (strNode.equals("content")) {
+ String startPage = xml.getAttributeValue(null, "src");
+ allowedNavigations.addWhiteListEntry(startPage, false);
+ } else if (strNode.equals("allow-navigation")) {
+ String origin = xml.getAttributeValue(null, "href");
+ if ("*".equals(origin)) {
+ allowedNavigations.addWhiteListEntry("http://*/*", false);
+ allowedNavigations.addWhiteListEntry("https://*/*", false);
+ allowedNavigations.addWhiteListEntry("data:*", false);
+ } else {
+ allowedNavigations.addWhiteListEntry(origin, false);
+ }
+ } else if (strNode.equals("allow-intent")) {
+ String origin = xml.getAttributeValue(null, "href");
+ allowedIntents.addWhiteListEntry(origin, false);
+ } else if (strNode.equals("access")) {
+ String origin = xml.getAttributeValue(null, "origin");
+ String subdomains = xml.getAttributeValue(null, "subdomains");
+ boolean external = (xml.getAttributeValue(null, "launch-external") != null);
+ if (origin != null) {
+ if (external) {
+ Log.w(LOG_TAG, "Found <access launch-external> within config.xml. Please use <allow-intent> instead.");
+ allowedIntents.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ } else {
+ if ("*".equals(origin)) {
+ allowedRequests.addWhiteListEntry("http://*/*", false);
+ allowedRequests.addWhiteListEntry("https://*/*", false);
+ } else {
+ allowedRequests.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ }
+ }
+ }
+ }
+ }
+ public void handleEndTag(XmlResourceParser xml) {
+ }
+ }
+
+ @Override
+ public Boolean shouldAllowNavigation(String url) {
+ if (allowedNavigations.isUrlWhiteListed(url)) {
+ return true;
+ }
+ return null; // Default policy
+ }
+
+ @Override
+ public Boolean shouldAllowRequest(String url) {
+ if (Boolean.TRUE == shouldAllowNavigation(url)) {
+ return true;
+ }
+ if (allowedRequests.isUrlWhiteListed(url)) {
+ return true;
+ }
+ return null; // Default policy
+ }
+
+ @Override
+ public Boolean shouldOpenExternalUrl(String url) {
+ if (allowedIntents.isUrlWhiteListed(url)) {
+ return true;
+ }
+ return null; // Default policy
+ }
+
+ public Whitelist getAllowedNavigations() {
+ return allowedNavigations;
+ }
+
+ public void setAllowedNavigations(Whitelist allowedNavigations) {
+ this.allowedNavigations = allowedNavigations;
+ }
+
+ public Whitelist getAllowedIntents() {
+ return allowedIntents;
+ }
+
+ public void setAllowedIntents(Whitelist allowedIntents) {
+ this.allowedIntents = allowedIntents;
+ }
+
+ public Whitelist getAllowedRequests() {
+ return allowedRequests;
+ }
+
+ public void setAllowedRequests(Whitelist allowedRequests) {
+ this.allowedRequests = allowedRequests;
+ }
+}
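Review bot: in `CustomConfigXmlParser.handleStartTag`, the `content`, `allow-navigation` and `allow-intent` branches pass the result of `xml.getAttributeValue(null, ...)` straight to `addWhiteListEntry` with no null check, while the `access` branch guards with `if (origin != null)`. A tag that omits `src` or `href` therefore hands null to the whitelist; apply the same guard in those three branches and log the skipped tag. Separately, `<allow-navigation href="*">` expands to `data:*` as well as http and https, and `shouldAllowRequest` accepts anything `shouldAllowNavigation` accepts, so that one wildcard widens both policies; a comment stating this is intended would help the next reader.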
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/whitelist/src/ios/CDVNavigationWhitelistPlugin.h
----------------------------------------------------------------------
diff --git a/whitelist/src/ios/CDVNavigationWhitelistPlugin.h b/whitelist/src/ios/CDVNavigationWhitelistPlugin.h
new file mode 100644
index 0000000..d0b9365
--- /dev/null
+++ b/whitelist/src/ios/CDVNavigationWhitelistPlugin.h
@@ -0,0 +1,31 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+#import <UIKit/UIKit.h>
+#import <Cordova/CDVPlugin.h>
+#import <Cordova/CDVWhitelist.h>
+
+@interface CDVNavigationWhitelistPlugin : CDVPlugin {}
+
+@property (nonatomic, readonly, strong) CDVWhitelist* whitelist; // readonly for public
+
+- (BOOL)shouldAllowNavigationToURL:(NSURL *)url;
+- (BOOL)shouldAllowRequestForURL:(NSURL *)url;
+
+@end
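Review bot: `shouldAllowRequestForURL:` is declared in this header, but CDVNavigationWhitelistPlugin.m in the same commit implements only `shouldAllowNavigationToURL:`. A caller that sends the declared selector would fail at run time with an unrecognized selector; either implement it or drop the declaration until it exists. The `// readonly for public` comment could also say that the class extension in the .m redeclares `whitelist` as readwrite.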
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/whitelist/src/ios/CDVNavigationWhitelistPlugin.m
----------------------------------------------------------------------
diff --git a/whitelist/src/ios/CDVNavigationWhitelistPlugin.m b/whitelist/src/ios/CDVNavigationWhitelistPlugin.m
new file mode 100644
index 0000000..5895e89
--- /dev/null
+++ b/whitelist/src/ios/CDVNavigationWhitelistPlugin.m
@@ -0,0 +1,89 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+#import "CDVNavigationWhitelistPlugin.h"
+#import <Cordova/CDVViewController.h>
+
+#pragma mark CDVNavigationWhitelistConfigParser
+
+@interface CDVNavigationWhitelistConfigParser : NSObject <NSXMLParserDelegate> {}
+
+@property (nonatomic, strong) NSMutableArray* whitelistHosts;
+
+@end
+
+@implementation CDVNavigationWhitelistConfigParser
+
+@synthesize whitelistHosts;
+
+- (id)init
+{
+ self = [super init];
+ if (self != nil) {
+ self.whitelistHosts = [[NSMutableArray alloc] initWithCapacity:30];
+ [self.whitelistHosts addObject:@"file:///*"];
+ [self.whitelistHosts addObject:@"content:///*"];
+ [self.whitelistHosts addObject:@"data:///*"];
+ }
+ return self;
+}
+
+- (void)parser:(NSXMLParser*)parser didStartElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName attributes:(NSDictionary*)attributeDict
+{
+ if ([elementName isEqualToString:@"allow-navigation"]) {
+ [whitelistHosts addObject:attributeDict[@"href"]];
+ }
+}
+
+- (void)parser:(NSXMLParser*)parser didEndElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName
+{
+}
+
+- (void)parser:(NSXMLParser*)parser parseErrorOccurred:(NSError*)parseError
+{
+ NSAssert(NO, @"config.xml parse error line %ld col %ld", (long)[parser lineNumber], (long)[parser columnNumber]);
+}
+
+
+@end
+
+#pragma mark CDVNavigationWhitelistPlugin
+
+@interface CDVNavigationWhitelistPlugin () {}
+@property (nonatomic, strong) CDVWhitelist* whitelist;
+@end
+
+@implementation CDVNavigationWhitelistPlugin
+
+@synthesize whitelist;
+
+- (void)setViewController:(UIViewController *)viewController
+{
+ if ([viewController isKindOfClass:[CDVViewController class]]) {
+ CDVWhitelistConfigParser *whitelistConfigParser = [[CDVWhitelistConfigParser alloc] init];
+ [(CDVViewController *)viewController parseSettingsWithParser:whitelistConfigParser];
+ self.whitelist = [[CDVWhitelist alloc] initWithArray:whitelistConfigParser.whitelistHosts];
+ }
+}
+
+- (BOOL)shouldAllowNavigationToURL:(NSURL *)url
+{
+ return [self.whitelist URLIsAllowed:url];
+}
+@end
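Review bot: `setViewController:` allocates `CDVWhitelistConfigParser`, but the delegate defined at the top of this file is `CDVNavigationWhitelistConfigParser`, so within this file the `<allow-navigation>` handler is never used. If the old name is a leftover from the rename, switch the alloc to the class defined here. In `parser:didStartElement:`, `attributeDict[@"href"]` is nil when the attribute is missing and `addObject:` raises on nil, so check it before adding. The `NSAssert(NO, ...)` in `parseErrorOccurred:` is typically compiled out of release builds, which leaves a config.xml parse error unreported there; log it as well.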
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/10d394d4/whitelist/whitelist.js
----------------------------------------------------------------------
diff --git a/whitelist/whitelist.js b/whitelist/whitelist.js
new file mode 100644
index 0000000..74d7a99
--- /dev/null
+++ b/whitelist/whitelist.js
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+*/
+
+if (!document.querySelector('meta[http-equiv=Content-Security-Policy]')) {
+ var msg = 'No Content-Security-Policy meta tag found. Please add one when using the cordova-plugin-whitelist plugin.';
+ console.error(msg);
+ setInterval(function() {
+ console.warn(msg);
+ }, 10000);
+}
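Review bot: the `setInterval` repeats the warning every 10 seconds for the life of the page and its id is never stored, so it cannot be cleared. `console.error(msg)` already reports the problem once; consider dropping the interval or keeping the id so it can be stopped. The check also only tests that a `meta[http-equiv=Content-Security-Policy]` element exists when this script runs, not that it carries a `content` value; reading the `content` attribute would catch an empty tag.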
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org
[2/2] cordova-plugins git commit: Add an `<allow-intent>` example for all http(s)
Posted by ag...@apache.org.
Add an `<allow-intent>` example for all http(s)
Project: http://git-wip-us.apache.org/repos/asf/cordova-plugins/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugins/commit/9e0db6c0
Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugins/tree/9e0db6c0
Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugins/diff/9e0db6c0
Branch: refs/heads/master
Commit: 9e0db6c012b1b44e2fea075f583ff6d35dca04ea
Parents: 10d394d
Author: Andrew Grieve <ag...@chromium.org>
Authored: Thu Mar 5 15:37:10 2015 -0500
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Thu Mar 5 21:18:48 2015 -0500
----------------------------------------------------------------------
whitelist/README.md | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/9e0db6c0/whitelist/README.md
----------------------------------------------------------------------
diff --git a/whitelist/README.md b/whitelist/README.md
index ab33020..1b4fe34 100644
--- a/whitelist/README.md
+++ b/whitelist/README.md
@@ -42,6 +42,10 @@ This whitelist does not apply to plugins, only hyperlinks and calls to `window.o
In `config.xml`, add `<allow-intent>` tags, like this:
+ <!-- Allow links to web pages to open in a browser -->
+ <allow-intent href="http://*/*" />
+ <allow-intent href="https://*/*" />
+
<!-- Allow links to example.com to open in a browser -->
<allow-intent href="http://example.com/*" />
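Review bot: the added `http://*/*` and `https://*/*` entries sit directly above the `http://example.com/*` entry, which becomes redundant if a reader copies the whole block. Say in the comment that these are alternatives (all web links versus a single site) so the broad pair is a deliberate choice rather than the default that gets pasted.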