Posted to commits@cordova.apache.org by mw...@apache.org on 2013/10/21 23:38:09 UTC

[1/6] docs commit: [CB-3962] re-pack lines for editing

Updated Branches:
  refs/heads/master e7dbe83c0 -> 2393c9390


[CB-3962] re-pack lines for editing


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/0c5a40f6
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/0c5a40f6
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/0c5a40f6

Branch: refs/heads/master
Commit: 0c5a40f62e88b97c6a0231e5f3786a28562a4c5d
Parents: e7dbe83
Author: Mike Sierra <ms...@adobe.com>
Authored: Mon Sep 30 11:55:51 2013 -0400
Committer: Michael Brooks <mi...@michaelbrooks.ca>
Committed: Mon Oct 21 14:22:04 2013 -0700

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/whitelist/index.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/0c5a40f6/docs/en/edge/guide/appdev/whitelist/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/whitelist/index.md b/docs/en/edge/guide/appdev/whitelist/index.md
index b288561..4a436be 100644
--- a/docs/en/edge/guide/appdev/whitelist/index.md
+++ b/docs/en/edge/guide/appdev/whitelist/index.md
@@ -29,9 +29,12 @@ its whitelist and declare access to specific network domains and subdomains.
 
 ## Specification
 
-Domain whitelisting lays the groundwork for the [W3C Widget Access][1] specification. In the Widget Access specification, the `<access>` element is used to declare access to specific network resources. Apache Cordova extends this concept to allow whitelisting of individual network resources (URLs). In the future, Apache Cordova will abstract the platform whitelisting implementations. However, for now each platform implements its own resource or domain whitelisting. The differences between platform implementations are described later in this document.
-
-The general format for whitelist entries follows the "[match pattern][11]" specification for Google Chrome Packaged Apps. Resources are specified by URL, but an asterisk (\*) character may be used as a "wildcard" in several places to indicate "any value may go here". Specific examples are shown below.
+Domain whitelisting lays the groundwork for the [W3C Widget Access][1]
+specification. In the Widget Access specification, the `<access>`
+element is used to declare access to specific network domains. In the
+future, Apache Cordova will abstract the platform whitelisting
+implementations to the W3C Widget Access specification. However, for
+now each platform must implement its own domain whitelisting.
 
 ## Syntax
 
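Review bot: The subject says this commit only re-packs lines, but the hunk also deletes text. The sentence "Apache Cordova extends this concept to allow whitelisting of individual network resources (URLs)" and the whole paragraph on the "[match pattern][11]" format with its asterisk wildcard are gone, "network resources" becomes "network domains", and "implements" becomes "must implement". Either restore the dropped wording so the commit is a pure re-wrap, or move the content change into its own commit with a subject that says so. As it stands the page loses its only description of wildcard semantics under a message that hides the change.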


[6/6] docs commit: [CB-4203] pre-3.0 android whitelisting n/a for images/scripts

Posted by mw...@apache.org.
[CB-4203] pre-3.0 android whitelisting n/a for images/scripts


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/4fa156e2
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/4fa156e2
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/4fa156e2

Branch: refs/heads/master
Commit: 4fa156e262caf081ab0a53749aaf3e67f7eaa870
Parents: e3326b4
Author: Mike Sierra <ms...@adobe.com>
Authored: Mon Sep 30 13:42:22 2013 -0400
Committer: Michael Brooks <mi...@michaelbrooks.ca>
Committed: Mon Oct 21 14:38:00 2013 -0700

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/whitelist/index.md | 3 +++
 1 file changed, 3 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/4fa156e2/docs/en/edge/guide/appdev/whitelist/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/whitelist/index.md b/docs/en/edge/guide/appdev/whitelist/index.md
index 09b5506..6760d96 100644
--- a/docs/en/edge/guide/appdev/whitelist/index.md
+++ b/docs/en/edge/guide/appdev/whitelist/index.md
@@ -64,6 +64,9 @@ The following examples demonstrate whitelist syntax:
 Platform-soecific whitelisting rules are found in
 `res/xml/config.xml`.
 
+For Android versions prior to 3.0, domain whitelisting only works for
+`href` hyperlinks, not embedded resources such as images and scripts.
+
 ## iOS Whitelisting
 
 The platform's whitelisting rules are found in the named application
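
Review bot: In the added sentence "For Android versions prior to 3.0", it is unclear whether 3.0 refers to the Android OS or to the Cordova Android platform release; name which one. Because this describes a limit on a security control, say directly that on those versions the whitelist does not restrict embedded images and scripts, rather than leaving it implied by "only works for `href` hyperlinks". The context line above still reads "Platform-soecific"; fix the typo while this section is being edited.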


[4/6] docs commit: [CB-3810] rewrite whitelist guide

Posted by mw...@apache.org.
[CB-3810] rewrite whitelist guide


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/e3326b4b
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/e3326b4b
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/e3326b4b

Branch: refs/heads/master
Commit: e3326b4b9cfe899db771c11f5ae20a94222e0f49
Parents: 0c5a40f
Author: Mike Sierra <ms...@adobe.com>
Authored: Mon Sep 30 12:43:05 2013 -0400
Committer: Michael Brooks <mi...@michaelbrooks.ca>
Committed: Mon Oct 21 14:38:00 2013 -0700

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/whitelist/index.md | 192 +++++++++-------------
 1 file changed, 76 insertions(+), 116 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/e3326b4b/docs/en/edge/guide/appdev/whitelist/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/whitelist/index.md b/docs/en/edge/guide/appdev/whitelist/index.md
index 4a436be..09b5506 100644
--- a/docs/en/edge/guide/appdev/whitelist/index.md
+++ b/docs/en/edge/guide/appdev/whitelist/index.md
@@ -19,113 +19,103 @@ license: Licensed to the Apache Software Foundation (ASF) under one
 
 # Whitelist Guide
 
-## Overview
+Domain whitelisting is a security model that controls access to
+external domains over which you application has no control.  Cordova's
+default security policy allows access to any site. Before moving your
+application to production, you should formulate a whitelist and allow
+access to specific network domains and subdomains.
 
-Resource whitelisting is a security model that controls access to
-external network resources, such as `http://google.com`.  Apache Cordova's
-default security policy allows access to any resource on any site on the
-Internet. Before moving your application to production, you should review
-its whitelist and declare access to specific network domains and subdomains.
+Cordova adheres to the [W3C Widget Access][1] specification, which
+relies on the `<access>` element within the app's `config.xml` file to
+enable network access to specific domains. For projects that rely on
+the CLI workflow described in The Command-line Interface, this file is
+located in the project's top-level `www` directory. Otherwise for
+platform-specific development paths, locations are listed in the
+sections below.
 
-## Specification
+The following examples demonstrate whitelist syntax:
 
-Domain whitelisting lays the groundwork for the [W3C Widget Access][1]
-specification. In the Widget Access specification, the `<access>`
-element is used to declare access to specific network domains. In the
-future, Apache Cordova will abstract the platform whitelisting
-implementations to the W3C Widget Access specification. However, for
-now each platform must implement its own domain whitelisting.
+* Access to [google.com][2]:
 
-## Syntax
+        <access origin="http://google.com" />
 
-Access to all resources at [google.com][2]:
+* Access to the secure [google.com][3] (`https://`):
 
-    http://google.com/*
+        <access origin="https://google.com" />
 
-Access to all resources at the secure [google.com][3] (`https://`):
+* Access to the subdomain [maps.google.com][4]:
 
-    https://google.com/*
+        <access origin="http://maps.google.com" />
 
-Access to the specific subdomain [maps.google.com][5]:
+* Access to all the subdomains on [google.com][2], for example
+  [mail.google.com][5] and [docs.google.com][6]:
 
-    http://maps.google.com/*
+        <access origin="http://*.google.com" />
 
-Access to all the subdomains on [google.com][2] (e.g., [mail.google.com][6] and [docs.google.com][7]):
+* Access to _all_ domains, for example, [google.com][2] and
+  [developer.mozilla.org][7]:
 
-    http://*.google.com/*
+        <access origin="*" />
 
-Access to all resources on [www.google.com][4] under the "/mobile" path:
+  This is the default value for newly created CLI projects.
 
-    http://www.google.com/mobile/*
+## Android Whitelisting
 
-Access to [google.com][2] on any protocol (e.g., HTTP, HTTPS, FTP, etc):
+Platform-soecific whitelisting rules are found in
+`res/xml/config.xml`.
 
-    *://google.com/*
+## iOS Whitelisting
 
-Access to all resouces on the Internet (e.g., [google.com][2] and [developer.mozilla.org][8]):
+The platform's whitelisting rules are found in the named application
+directory's `config.xml` file.
 
-    *
+Origins specified without a protocol, such as `www.apache.org` rather
+than `http://www.apache.org`, default to all of the `http`, `https`,
+`ftp`, and `ftps` schemes.
 
-## Android
+Wildcards on the iOS platform are more flexible than in the [W3C
+Widget Access][1] specification.
 
-### Details
+The following accesses all subdomains and top-level domains such as
+`.com` and `.net`:
 
-The whitelisting rules are found in `res/xml/config.xml` and declared
-with the element `<access origin="..." />`.
+        <access origin="*.google.*" />
 
-Android fully supports whitelisting syntax.
+## BlackBerry 10 Whitelisting
 
-### Syntax
+The whitelisting rules are found in `www/config.xml`.
 
-Access to [google.com][2]:
+BlackBerry 10's use of wildcards differs from other platforms in two
+ways:
 
-    <access origin="http://google.com/*" />
-
-## BlackBerry 10
-
-### Details
-
-The whitelisting rules are found in `www/config.xml` and declared with 
-the element `<access origin="..." />`.
-
-BlackBerry 10 handles wildcards differently than other platforms in two ways:
-
-1) Content accessed by XMLHttpRequest must be declared explicity. origin="\*" will
-   not be respected for this use case. Alternatively, all web security may be
-   disabled using a preference.
+* Any content accessed by `XMLHttpRequest` must be declared
+  explicity. Setting `origin="*"` does not work in this case.
+  Alternatively, all web security may be disabled using the
+  `WebSecurity` preference described in BlackBerry Configuration:
  
-2) subdomains="true" may be used in place of "\*.domain"
-
-### Syntax
-
-Access to [google.com][2]:
-
-    <access origin="http://google.com" subdomains="false" />
+        <preference name="websecurity" value="disable" />
 
-Access to  [maps.google.com][5]:
+* As an alternative to setting `*.domain`, set an additional
+  `subdomains` attribute to `true`. It should be set to `false` by
+  default. For example, the following allows access to `google.com`,
+  `maps.google.com`, and `docs.google.com`:
 
-    <access origin="http://maps.google.com" subdomains="false" />
+        <access origin="http://google.com" subdomains="true" />
 
-Access to all the subdomains on [google.com][2]:
+  The following narrows access to `google.com`:
 
-    <access origin="http://google.com" subdomains="true" />
+        <access origin="http://google.com" subdomains="false" />
 
-Access to all domains, including `file://` protocol:
+  Specify access to all domains, including the local `file://`
+  protocol:
 
     <access origin="*" subdomains="true" />
 
-Disable all web security:
-
-    <preference name="websecurity" value="disable" />
+(For more information on support, see BlackBerry's documentation on the
+[access element][8].)
 
 ## iOS
 
-### Details
-
-The whitelisting rules are found in `AppName/config.xml` and declared with the element `<access origin="..." />`.
-
-iOS fully supports whitelisting syntax.
-
 ### Changed in 3.1.0:
 
 Prior to version 3.1.0, Cordova-iOS included some non-standard extensions to the domain whilelisting scheme supported by other Cordova platforms. As of 3.1.0, the iOS whitelist now conforms to the resource whitelist syntax described at the top of this document. If you upgrade from pre-3.1.0, and you were using these extensions, you may have to change your `config.xml` file in order to continue whitelisting the same set of resources as before.
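
Review bot: The new "## iOS Whitelisting" section is added while the old "## iOS" heading and its "### Changed in 3.1.0" subsection stay as context, so the page ends up with two iOS sections that disagree. The new text says iOS wildcards are "more flexible" and shows `<access origin="*.google.*" />`, while the retained text says the non-standard extensions were dropped as of 3.1.0 and points to the "resource whitelist syntax described at the top of this document", which this hunk removes. Merge the two sections and state which behavior applies to which version. Smaller points in the added lines: "you application" should be "your application"; "Platform-soecific" and "explicity" are misspelled; the prose names the `WebSecurity` preference but the example uses `name="websecurity"`; "It should be set to `false` by default" does not say whether that is the platform default or a recommendation; and the final `<access origin="*" subdomains="true" />` line keeps four-space indentation inside a list item whose other examples use eight.
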
@@ -138,56 +128,26 @@ Specifically, these patterns need to be updated:
 
   * "`h*t*://ap*he.o*g`" (wildcards for random missing letters): These are no longer supported; change to include a line for each domain and protocol that you actually need to whitelist.
 
-### Syntax
-
-Access to [google.com][2]:
-
-    <access origin="http://google.com/*" />
-
-## Windows Phone (7 & 8)
+## Windows Phone Whitelisting
 
-The whitelisting rules are found in `config.xml` and declared with the element `<access origin="..." />`.
+The whitelisting rules for Windows Phone 7 and 8 are found in the
+app's `config.xml` file.
 
-### Syntax
+## Tizen Whitelisting
 
-Access to [google.com][2]:
-
-    <access origin="http://google.com" />
-
-## Tizen
-
-### Details
-
-The application root directory's `config.xml` file specifies domain
-whitelisting rules, using the `<access origin="..." />` element.
-For a complete reference, see the [Tizen Accessing External Network Resources documentation][10].
-
-### Syntax
-
-Access to [google.com][2]:
-
-    <access origin="http://google.com" subdomains="false" />
-
-Access to the secure [google.com][3] (`https://`):
-
-    <access origin="https://google.com" subdomains="false" />
-
-Access to all the subdomains on [google.com][2]:
-
-    <access origin="http://google.com" subdomains="true" />
-
-Access to all domains, including `file://` protocol:
-
-    <access origin="*" subdomains="true" />
+Whitelisting rules are found in the app's `config.xml` file. The
+platform relies on the same `subdomains` attribute as the BlackBerry
+platform.
+(For more information on support, see Tizen's documentation on the
+[access element][9].)
 
 [1]: http://www.w3.org/TR/widgets-access/
 [2]: http://google.com
 [3]: https://google.com
-[4]: http://www.google.com
-[5]: http://maps.google.com
-[6]: http://mail.google.com
-[7]: http://docs.google.com
-[8]: http://developer.mozilla.org
-[9]: https://developer.blackberry.com/html5/documentation/ww_developing/Access_element_834677_11.html
-[10]: https://developer.tizen.org/help/topic/org.tizen.help.gs/Creating%20a%20Project.html?path=0_1_1_4#8814682_CreatingaProject-AccessingExternalNetworkResources
-[11]: http://developer.chrome.com/apps/match_patterns.html
+[4]: http://maps.google.com
+[5]: http://mail.google.com
+[6]: http://docs.google.com
+[7]: http://developer.mozilla.org
+[8]: https://developer.blackberry.com/html5/documentation/ww_developing/Access_element_834677_11.html
+[9]: https://developer.tizen.org/help/index.jsp?topic=%2Forg.tizen.web.appprogramming%2Fhtml%2Fide_sdk_tools%2Fconfig_editor_w3celements.htm
+
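
Review bot: The Windows Phone and Tizen sections lose every `<access>` example in this hunk, and the new Windows Phone text only says where `config.xml` lives, not which origin or wildcard forms the platform accepts. Keep one example per platform, or state explicitly that the common syntax shown at the top applies. In the Tizen section the "(For more information on support ..." parenthetical follows "platform." with no blank line, unlike the BlackBerry section; add one for consistency. The last added line is an empty line at end of file and can be dropped.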


[5/6] docs commit: [CB-3810] xref other platform-specific content

Posted by mw...@apache.org.
[CB-3810] xref other platform-specific content


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/0d31cb71
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/0d31cb71
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/0d31cb71

Branch: refs/heads/master
Commit: 0d31cb71d97d4063f9eaaabab7b6c66b480ffbea
Parents: 824a789
Author: Mike Sierra <ms...@adobe.com>
Authored: Mon Sep 30 14:19:46 2013 -0400
Committer: Michael Brooks <mi...@michaelbrooks.ca>
Committed: Mon Oct 21 14:38:00 2013 -0700

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/whitelist/index.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/0d31cb71/docs/en/edge/guide/appdev/whitelist/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/whitelist/index.md b/docs/en/edge/guide/appdev/whitelist/index.md
index ba65234..9d1e2e3 100644
--- a/docs/en/edge/guide/appdev/whitelist/index.md
+++ b/docs/en/edge/guide/appdev/whitelist/index.md
@@ -31,7 +31,8 @@ enable network access to specific domains. For projects that rely on
 the CLI workflow described in The Command-line Interface, this file is
 located in the project's top-level `www` directory. Otherwise for
 platform-specific development paths, locations are listed in the
-sections below.
+sections below. (See the various Platform Guides for more information
+on each platform.)
 
 The following examples demonstrate whitelist syntax:
 
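Review bot: The added "(See the various Platform Guides for more information on each platform.)" is a cross-reference with no link and no named target, so a reader cannot follow it. Link the guides or name them, and say what to look for there (where `config.xml` sits on each platform), since that is the point of the sentence it is attached to.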


[3/6] docs commit: [CB-4203] need to avoid script injection

Posted by mw...@apache.org.
[CB-4203] need to avoid script injection


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/824a7899
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/824a7899
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/824a7899

Branch: refs/heads/master
Commit: 824a789934a0c2780d04bbd5289bc6f914ab6197
Parents: 4fa156e
Author: Mike Sierra <ms...@adobe.com>
Authored: Mon Sep 30 14:16:29 2013 -0400
Committer: Michael Brooks <mi...@michaelbrooks.ca>
Committed: Mon Oct 21 14:38:00 2013 -0700

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/whitelist/index.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/824a7899/docs/en/edge/guide/appdev/whitelist/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/whitelist/index.md b/docs/en/edge/guide/appdev/whitelist/index.md
index 6760d96..ba65234 100644
--- a/docs/en/edge/guide/appdev/whitelist/index.md
+++ b/docs/en/edge/guide/appdev/whitelist/index.md
@@ -64,8 +64,10 @@ The following examples demonstrate whitelist syntax:
 Platform-soecific whitelisting rules are found in
 `res/xml/config.xml`.
 
-For Android versions prior to 3.0, domain whitelisting only works for
-`href` hyperlinks, not embedded resources such as images and scripts.
+__NOTE:__ On Android 2.3 and before, domain whitelisting only works
+for `href` hyperlinks, not referenced resources such as images and
+scripts. Take steps to avoid scripts from being injected into the
+application.
 
 ## iOS Whitelisting
 
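Review bot: "Take steps to avoid scripts from being injected into the application" in the added note names no steps, so the reader learns there is a gap but not what to do about it. State the consequence first (on Android 2.3 and before, the whitelist does not restrict images or scripts that a page references), then name the measures or link to guidance that does. The phrase "avoid scripts from being injected" should read "prevent scripts from being injected".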


[2/6] docs commit: [CB-2099] non-whitelist links may open in browser

Posted by mw...@apache.org.
[CB-2099] non-whitelist links may open in browser


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/2393c939
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/2393c939
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/2393c939

Branch: refs/heads/master
Commit: 2393c9390f2c0e7af474c68783e6322c7d74394b
Parents: 0d31cb7
Author: Mike Sierra <ms...@adobe.com>
Authored: Mon Sep 30 15:03:05 2013 -0400
Committer: Michael Brooks <mi...@michaelbrooks.ca>
Committed: Mon Oct 21 14:38:00 2013 -0700

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/whitelist/index.md | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/2393c939/docs/en/edge/guide/appdev/whitelist/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/whitelist/index.md b/docs/en/edge/guide/appdev/whitelist/index.md
index 9d1e2e3..30d844e 100644
--- a/docs/en/edge/guide/appdev/whitelist/index.md
+++ b/docs/en/edge/guide/appdev/whitelist/index.md
@@ -62,7 +62,7 @@ The following examples demonstrate whitelist syntax:
 
 ## Android Whitelisting
 
-Platform-soecific whitelisting rules are found in
+Platform-specific whitelisting rules are found in
 `res/xml/config.xml`.
 
 __NOTE:__ On Android 2.3 and before, domain whitelisting only works
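
Review bot: The "Platform-soecific" to "Platform-specific" fix is unrelated to the CB-2099 behavior change in the rest of this commit; put it in its own commit or mention it in the message. While the line is being touched, the sentence gives `res/xml/config.xml` without saying what the path is relative to.
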
@@ -70,6 +70,10 @@ for `href` hyperlinks, not referenced resources such as images and
 scripts. Take steps to avoid scripts from being injected into the
 application.
 
+Navigating to non-whitelisted domains via `href` hyperlink causes the
+page to open in the default browser rather than within the
+application.  (Compare this to iOS's behavior noted below.)
+
 ## iOS Whitelisting
 
 The platform's whitelisting rules are found in the named application
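
Review bot: The subject says non-whitelisted links "may open in browser", but the added paragraph states unconditionally that the page opens in the default browser; say which it is, and under what conditions if it varies. It would also help to state that on Android the whitelist does not block this navigation, it only moves it out of the application, since that is the security-relevant difference from the iOS behavior the parenthetical points to.
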
@@ -80,13 +84,15 @@ than `http://www.apache.org`, default to all of the `http`, `https`,
 `ftp`, and `ftps` schemes.
 
 Wildcards on the iOS platform are more flexible than in the [W3C
-Widget Access][1] specification.
-
-The following accesses all subdomains and top-level domains such as
-`.com` and `.net`:
+Widget Access][1] specification.  For example, the following accesses
+all subdomains and top-level domains such as `.com` and `.net`:
 
         <access origin="*.google.*" />
 
+Unlike the Android platform noted above, navigating to non-whitelisted
+domains via `href` hyperlink on iOS prevents the page from opening at
+all.
+
 ## BlackBerry 10 Whitelisting
 
 The whitelisting rules are found in `www/config.xml`.
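
Review bot: The `<access origin="*.google.*" />` example is introduced only as "more flexible", but a wildcard in the top-level-domain position admits that name under every TLD, including domains the app author does not control. Add a sentence saying so and recommend listing the needed domains explicitly in production whitelists. Also, "the following accesses all subdomains" should read "the following allows access to all subdomains".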