Google Git
Sign in
apache / cordova-plugin-whitelist / 255cac2f5e5fa581ccdd5595832f8b0fa758bf0c^! / .
commit255cac2f5e5fa581ccdd5595832f8b0fa758bf0c[log] [tgz]
authorAndrew Grieve <agrieve@chromium.org>Thu Mar 12 13:44:07 2015 -0400
committerAndrew Grieve <agrieve@chromium.org>Thu Mar 12 13:44:20 2015 -0400
tree0f5ecf02eca36ee5ae0789cc8e817996a0b2ceca
parent49a8b128209908556fc65df573a4c37796c0c8e0 [diff]
Tweak CSP examples in README

diff --git a/README.md b/README.md
index 8256b8a..61949af 100644
--- a/README.md
+++ b/README.md

@@ -103,18 +103,23 @@
 
 Here are some example CSP declarations for your `.html` pages:
 
+    <!-- Good default declaration:
+        * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
+        * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
+        * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
+            * Enable inline JS: add 'unsafe-inline' to default-src
+            * Enable eval(): add 'unsafe-eval' to default-src
+    -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
+
     <!-- Allow requests to foo.com -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
 
     <!-- Enable all requests, inline styles, and eval() -->
-    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval' "/>
-
-    <!-- Allow requests to https://ssl.gstatic.com/accessibility/javascript/android/ (required for TalkBack on Android) -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://ssl.gstatic.com/accessibility/javascript/android/"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'">
 
     <!-- Allow XHRs via https only -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
 
-    <!-- Allow data: URLs within iframes -->
-    <!-- Note: You would also need an <allow-navigation href="data:*" /> in your config.xml -->
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' data:"/>
+    <!-- Allow iframe to https://cordova.apache.org/ -->
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">