Whitelist and the CSP (Content Security Policy) Reference


Jesse Monroy

Oct 20, 2015, 5:20:02 PM
to phonegap


http://content-security-policy.com/

Surprise. That is no gap:

Jesse

Kerri Shotts

Oct 20, 2015, 5:33:03 PM
to phonegap
Not sure I follow?

I wouldn't expect "gap:" to be there, since it's a Cordova/PhoneGap internal URL scheme used on iOS for plugin communication. 

Rob Willett

Oct 20, 2015, 6:01:13 PM
to phon...@googlegroups.com
@Jesse,

I know that there is no reference to "gap:" in the content security policy :) I've read that web site and loads of others trying to get to the bottom of it. That's why I was so confused as to its inclusion in the CSP meta tag. Lots of people use it and reference it in blogs, but apart from on this forum AND in the whitelist plugin doc, I've not found a single explanation of what it does. Our app needs it to work though.

@Kerri, 

If it's needed for plugin communication, why is it in the CSP meta tag, and where is the definition of what it does? Surely another key in the config.xml file or something would be a better place.

Rob
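An added example to go with Kerri's explanation and Rob's question above; it is not code from the thread or from Cordova. The iOS (UIWebView-era) Cordova bridge wakes the native side by pointing a hidden iframe at a gap:// URL, and a CSP treats that like any other frame load. The code models the browser's decision: which directive governs a frame navigation, and whether that directive's source list admits the gap: scheme. The function names, the page URL and the three policies are this example's own (constructed to resemble a typical Cordova template policy), and it also shows the caveat that adding a more specific frame-src directive removes the default-src fallback.

```javascript
// Added example for this thread; it is not Cordova's code. It models how a
// browser applies a CSP to a frame navigation. The iOS (UIWebView-era) Cordova
// bridge wakes the native side by pointing a hidden iframe at a gap:// URL, so
// whichever directive governs frame loads must allow the gap: scheme, or the
// bridge is blocked and plugin calls stop arriving. Function names and the
// sample policies below are this example's own.

// Split "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Fallback chain for frame loads: the most specific directive present wins,
// and default-src is consulted only when no more specific one is set.
const FRAME_CHAIN = ['frame-src', 'child-src', 'default-src'];

function governingDirective(directives, chain) {
  return chain.find((name) => directives.has(name)) || null;
}

// Does one CSP source expression match a URL? Subset handled: 'none', '*',
// 'self', scheme sources ("gap:", "data:") and host sources with an optional
// "*." subdomain wildcard. Default ports are not normalised (simplification),
// and quoted keywords, nonces and hashes never match a URL.
function sourceAllows(source, url, self) {
  if (source === "'none'") return false;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (source === "'self'") {
    // Compare scheme and host directly: for file: and gap: URLs, url.origin is
    // the string "null" on both sides and would compare equal.
    return url.protocol === self.protocol && url.host === self.host;
  }
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^\/:*]+|[^\/:*]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme}:` !== url.protocol) return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && host !== url.hostname) {
    return false;
  }
  if (port && port !== '*' && port !== url.port) return false;
  return true;
}

// Constructed inputs: the app's page URL and the bridge URL the iframe is
// pointed at. The policies are shaped like a typical Cordova template policy.
const PAGE = new URL('file:///app/www/index.html');
const BRIDGE_URL = 'gap://ready';
const POLICY_NO_GAP = "default-src 'self' data: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const POLICY_WITH_GAP = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
// Caveat: a more specific frame directive replaces the default-src fallback
// entirely, so gap: must be repeated there or the bridge breaks again.
const POLICY_FRAME_SRC = POLICY_WITH_GAP + "; frame-src 'self'";

// Would the page at `self` be allowed to load `target` in a frame under `policy`?
function frameLoadAllowed(policy, target, self = PAGE) {
  const directives = parseCsp(policy);
  const directive = governingDirective(directives, FRAME_CHAIN);
  if (directive === null) return { allowed: true, directive: null }; // policy silent on frames
  const url = new URL(target);
  const allowed = directives.get(directive).some((src) => sourceAllows(src, url, self));
  return { allowed, directive };
}

for (const [label, policy] of [
  ['no gap: anywhere', POLICY_NO_GAP],
  ['gap: in default-src', POLICY_WITH_GAP],
  ['gap: in default-src but frame-src added', POLICY_FRAME_SRC],
]) {
  const r = frameLoadAllowed(policy, BRIDGE_URL);
  console.log(`${label}: ${BRIDGE_URL} ${r.allowed ? 'allowed' : 'BLOCKED'} (decided by ${r.directive})`);
}
```

The practical reading: gap: belongs in the CSP because the bridge's signalling is a URL load that the CSP sees, and it has to be in whichever directive actually governs frame loads in your policy, not just somewhere in the meta tag. Run with `node` to see the three decisions.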


Jesse Monroy

Oct 20, 2015, 9:51:30 PM
to phonegap
Hi Kerri,
sorry for the short answer. I'm on the road today.

On white-list, CSP, and the Apple equivalent, I'm daily getting new pieces of information. I'm hoping I have enough so that by Monday of next week, I can have a blog post ready, and perhaps get someone to do a follow-up. Perhaps Ramon, Holly, Simon, or Chris... maybe even get PhoneGap to post it on their blog... we'll see.

In any case, thanks for the watchful eye. Rob is lending a hand.

TIA
Jesse

K.

Jul 21, 2017, 10:50:53 AM
to phonegap
Hi Jesse,

Did you ever finish your blog on this topic?

Now 2017 and learning about CSP & mobile app development w/ PhoneGap Build in general. Blowout intro to mobile dev. I've seen at GitHub (Content Security Policy) that gap: is needed mainly for iOS using UIWebView. I think UIWebView has been phased out though, but not sure. I still use it in my config.xml because I really do want my app backwards compatible to iOS 6.1.6, just because -- not wholly sure if I'm doing this correctly. I also have webviewbounce in my config.xml -- both VIEWS, though, are under preferences. Not sure if I should use both, but it seems to work in iPhone 4 & 5 tests; working on 6 and above tests.

So, I am new to this CSP stuff; I just stumbled into this apparently major security control yesterday. What I've learned is that I need content-security-policy and/or content-security-policy-report-only as a <meta> tag in each HTML page. I am working out the details. So, any assist / revelations would help on this topic.

Perhaps I should have posted afresh but your topic is basically my topic.

And since the goal is to whitelist: I am not sure if I need both allow-intent and access origin="http://...." in the config.xml file for my whitelists to lock down to only allow specific links, since I read somewhere that access origin is used by iOS & is part of W3C docs. I also read not to use access origin="*" for release apps.

Side question: I read somewhere that "gap:plugin" is an older method for plugins and should be removed, so I've done so except for <gap:plugin name="cordova-plugin-whitelist" source="npm"/> -- but again, I am not sure if I should have kept the "gap" tag for icons & splash screens.

Thanks for any assists from you, @Kerri Shotts, @Rob Willett, and/or anyone else in the know.
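An added example for the whitelist part of K.'s question above; it is not the thread's code or cordova-plugin-whitelist's own implementation. The plugin's documentation describes three separate lists: <access origin> gates network requests the page makes, <allow-navigation href> gates where the WebView itself may navigate, and <allow-intent href> gates URLs the app may hand to the system. The code below approximates the plugin's pattern matching to show that these do not substitute for each other, and what origin="*" means for a release build. The config.xml fragment, URLs and function names are this example's own; the file:// navigation default is taken from the plugin's README and is assumed here.

```javascript
// Added example for this thread; it is not cordova-plugin-whitelist's code.
// It approximates how the three config.xml whitelists are consulted, to show
// that <access>, <allow-navigation> and <allow-intent> gate different actions
// and that origin="*" switches the network whitelist off. The config snippet,
// URLs and function names are this example's own.

// Constructed config.xml fragment. A real file has more around it.
const CONFIG_XML = `
<widget>
  <access origin="https://api.example.com" />
  <access origin="https://*.cdn.example.com" />
  <allow-navigation href="https://login.example.com/*" />
  <allow-intent href="https://*/*" />
  <allow-intent href="tel:*" />
</widget>`;

// Pull the patterns out with a regex; fine for this constructed snippet, use a
// real XML parser for anything you did not write yourself.
function parseWhitelist(xml) {
  const rules = { access: [], navigation: [], intent: [] };
  const re = /<(access|allow-navigation|allow-intent)\s+(?:origin|href)="([^"]+)"/g;
  for (const [, tag, pattern] of xml.matchAll(re)) {
    if (tag === 'access') rules.access.push(pattern);
    else if (tag === 'allow-navigation') rules.navigation.push(pattern);
    else rules.intent.push(pattern);
  }
  return rules;
}

// Translate a whitelist glob ("https://*.example.com", "tel:*") into a regex.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`, 'i');
}

// Match a pattern against a URL. Origin patterns without a path part are
// compared to scheme://host[:port] only, so the request path is irrelevant.
function matchesPattern(pattern, url, { originOnly = false } = {}) {
  if (pattern === '*') return true;                         // matches everything
  let subject = url.href;
  if (originOnly && !/^[a-z*][a-z0-9+.*-]*:\/\/[^\/]+\//i.test(pattern)) {
    subject = `${url.protocol}//${url.host}`;
  }
  return globToRegExp(pattern).test(subject);
}

// <access origin>: network requests (XHR, images, ...) made by the page.
function networkRequestAllowed(rules, target) {
  const url = new URL(target);
  return rules.access.some((p) => matchesPattern(p, url, { originOnly: true }));
}

// <allow-navigation href>: top-level navigations of the WebView itself.
// file:// navigations are allowed by default per the plugin README (assumed here).
function navigationAllowed(rules, target) {
  const url = new URL(target);
  if (url.protocol === 'file:') return true;
  return rules.navigation.some((p) => matchesPattern(p, url));
}

// <allow-intent href>: URLs the app may hand to the OS (browser, dialer, ...).
function intentAllowed(rules, target) {
  const url = new URL(target);
  return rules.intent.some((p) => matchesPattern(p, url));
}

const RULES = parseWhitelist(CONFIG_XML);
// A build shipping <access origin="*"> has no network whitelist at all.
const WIDE_OPEN = parseWhitelist('<access origin="*" />');

for (const [check, target] of [
  [networkRequestAllowed, 'https://api.example.com/v1/items'],
  [networkRequestAllowed, 'http://api.example.com/v1/items'],
  [networkRequestAllowed, 'https://img.cdn.example.com/logo.png'],
  [navigationAllowed, 'https://api.example.com/'],
  [navigationAllowed, 'https://login.example.com/oauth/start'],
  [intentAllowed, 'tel:+15551234567'],
  [intentAllowed, 'market://details?id=com.example.app'],
]) {
  console.log(`${check.name}(${target}) -> ${check(RULES, target)}`);
}
console.log(`origin="*": ${networkRequestAllowed(WIDE_OPEN, 'http://evil.example.net/')}`);
```

Note that an <access> entry for api.example.com does not let the WebView navigate there, and an <allow-intent> entry does not let the page fetch from it; each list has to be set for the action you want, and the CSP meta tag is a separate control on top of all three.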

K.

Jul 27, 2017, 3:53:57 AM
to phonegap