Posted to commits@cordova.apache.org by mm...@apache.org on 2015/03/04 18:25:27 UTC

cordova-plugins git commit: Update whitelist plugin readme

Repository: cordova-plugins
Updated Branches:
  refs/heads/master e960919bc -> 03de74861


Update whitelist plugin readme


Project: http://git-wip-us.apache.org/repos/asf/cordova-plugins/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugins/commit/03de7486
Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugins/tree/03de7486
Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugins/diff/03de7486

Branch: refs/heads/master
Commit: 03de74861052bafb59634674a7c88e29ad532ed6
Parents: e960919
Author: Michal Mocny <mm...@gmail.com>
Authored: Wed Mar 4 12:25:19 2015 -0500
Committer: Michal Mocny <mm...@gmail.com>
Committed: Wed Mar 4 12:25:19 2015 -0500

----------------------------------------------------------------------
 url-policy/README.md | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-plugins/blob/03de7486/url-policy/README.md
----------------------------------------------------------------------
diff --git a/url-policy/README.md b/url-policy/README.md
index 5856a15..2a2759b 100644
--- a/url-policy/README.md
+++ b/url-policy/README.md
@@ -63,11 +63,9 @@ In `config.xml`, add `<allow-intent>` tags, like this:
     <allow-intent href="*" />
 
 ## Network Request Whitelist
-Controls which network requests (images, XHRs, etc) are allowed to be made.
+Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).
 
-Note: Please use a Content Security Policy (see below) instead (or also), since it is more secure.  This whitelist is mostly historical for webviews which do not support CSP.
-
-By default, only requests to `file://` URLs are allowed.
+Note: We suggest you use a Content Security Policy (see below), which is more secure.  This whitelist is mostly historical for webviews which do not support CSP.
 
 In `config.xml`, add `<access>` tags, like this:
 
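Review bot: The rewritten Note drops the old "(or also)", so "We suggest you use a Content Security Policy (see below), which is more secure" now reads as if CSP replaces the `<access>` whitelist, while the CSP section further down still says to use it "in addition to the whitelist". Suggest wording such as "We suggest you also use a Content Security Policy (see below)" so the two sections agree. The new parenthetical "(via cordova native hooks)" on the first added line is also unexplained; one clause saying that this whitelist only sees requests that pass through Cordova's native layer would tell the reader why it cannot be relied on alone. "cordova" should be capitalized as "Cordova".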
@@ -87,13 +85,14 @@ In `config.xml`, add `<access>` tags, like this:
     <!-- Don't block any requests -->
     <access origin="*" />
 
+Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default cordova application should include `<access origin="*">` by default.
+
 ### Content Security Policy
-On Android and iOS, the network whitelist is not able to filter all types of requests (e.g.
-`<video>` & WebSockets are not blocked). So, in addition to the whitelist,
-you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>` tag
-on all of your pages.
+Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
+
+On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the whitelist, you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>` tag on all of your pages.
 
-On Android, support for CSP within the system webview starts with KitKat.
+On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).
 
 Here are some example CSP declarations for your `.html` pages:
 
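Review bot: The sentence added after the `<access>` examples says the default application "should include `<access origin="*">` by default", which is the entry the example just above labels "Don't block any requests", yet the readme gives no instruction to narrow it. Suggest adding that developers should replace the wildcard with the specific origins their app needs before shipping. The phrasing is also ambiguous and redundant ("the default ... should include ... by default"): state plainly whether the project template ships with that tag. The tag is written without the closing "/" used in the examples (`<access origin="*" />`). In the Content Security Policy section, the new opening line repeats the Network Request Whitelist description with only "(via webview directly)" changed; a short explanation of how that differs from "(via cordova native hooks)" would make the distinction useful to the reader.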

