diff options
| author | Jules Laplace <jules@okfoc.us> | 2016-11-08 12:37:03 -0500 |
|---|---|---|
| committer | Jules Laplace <jules@okfoc.us> | 2016-11-08 12:37:03 -0500 |
| commit | ef4f212fc1482136dba1e690ec589b315b4a377f (patch) | |
| tree | 0b7e16d72567fafcfd3e08d7c5c591ad07a63458 /StoneIsland/plugins/cordova-plugin-whitelist | |
| parent | 5fa81da81260d65113f57a293b6256d334fe8e2d (diff) | |
build 0.7.0
Diffstat (limited to 'StoneIsland/plugins/cordova-plugin-whitelist')
19 files changed, 1289 insertions, 197 deletions
diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/CONTRIBUTING.md b/StoneIsland/plugins/cordova-plugin-whitelist/CONTRIBUTING.md index e4a178f5..7de4c641 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/CONTRIBUTING.md +++ b/StoneIsland/plugins/cordova-plugin-whitelist/CONTRIBUTING.md @@ -27,7 +27,7 @@ There are multiple ways to contribute: report bugs, improve the docs, and contribute code. For instructions on this, start with the -[contribution overview](http://cordova.apache.org/#contribute). +[contribution overview](http://cordova.apache.org/contribute/). The details are explained there, but the important items are: - Sign and submit an Apache ICLA (Contributor License Agreement). diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/LICENSE b/StoneIsland/plugins/cordova-plugin-whitelist/LICENSE index 7a4a3ea2..7a4a3ea2 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/LICENSE +++ b/StoneIsland/plugins/cordova-plugin-whitelist/LICENSE diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/NOTICE b/StoneIsland/plugins/cordova-plugin-whitelist/NOTICE index 8ec56a52..8ec56a52 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/NOTICE +++ b/StoneIsland/plugins/cordova-plugin-whitelist/NOTICE diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/README.md index def10044..e19d2304 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/README.md +++ b/StoneIsland/plugins/cordova-plugin-whitelist/README.md @@ -1,30 +1,44 @@ -<!--- - license: Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. +--- +title: Whitelist +description: Whitelist external content accessible by your app. +--- +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. --> # cordova-plugin-whitelist This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0 +:warning: Report issues on the [Apache Cordova issue tracker](https://issues.apache.org/jira/issues/?jql=project%20%3D%20CB%20AND%20status%20in%20%28Open%2C%20%22In%20Progress%22%2C%20Reopened%29%20AND%20resolution%20%3D%20Unresolved%20AND%20component%20%3D%20%22Plugin%20Whitelist%22%20ORDER%20BY%20priority%20DESC%2C%20summary%20ASC%2C%20updatedDate%20DESC) + +## Installation + +You can install whitelist plugin with Cordova CLI, from npm: + +``` +$ cordova plugin add cordova-plugin-whitelist +$ cordova prepare +``` + ## Supported Cordova Platforms * Android 4.0.0 or above -* iOS 4.0.0 or above ## Navigation Whitelist Controls which URLs the WebView itself can be navigated to. Applies to @@ -32,15 +46,14 @@ top-level navigations only. Quirks: on Android it also applies to iframes for non-http(s) schemes. -By default, navigations only to `file://` URLs, are allowed. To allow other -other URLs, you must add `<allow-navigation>` tags to your `config.xml`: +By default, navigations only to `file://` URLs, are allowed. To allow others URLs, you must add `<allow-navigation>` tags to your `config.xml`: <!-- Allow links to example.com --> <allow-navigation href="http://example.com/*" /> <!-- Wildcards are allowed for the protocol, as a prefix to the host, or as a suffix to the path --> - <allow-havigation href="*://*.example.com/*" /> + <allow-navigation href="*://*.example.com/*" /> <!-- A wildcard can be used to whitelist the entire network, over HTTP and HTTPS. @@ -111,6 +124,9 @@ In `config.xml`, add `<access>` tags, like this: Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default Cordova application includes `<access origin="*">` by default. + +Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP. + Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly. ### Content Security Policy @@ -131,13 +147,16 @@ Here are some example CSP declarations for your `.html` pages: --> <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> - <!-- Allow requests to foo.com --> + <!-- Allow everything but only from the same origin and foo.com --> <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> - <!-- Enable all requests, inline styles, and eval() --> - <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'"> + <!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that + * CSS only from the same origin and inline styles, + * scripts only from the same origin and inline styles, and eval() + --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> - <!-- Allow XHRs via https only --> + <!-- Allows XHRs only over HTTPS on the same domain. --> <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> <!-- Allow iframe to https://cordova.apache.org/ --> diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/RELEASENOTES.md b/StoneIsland/plugins/cordova-plugin-whitelist/RELEASENOTES.md index 703552ca..9e271c09 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/RELEASENOTES.md +++ b/StoneIsland/plugins/cordova-plugin-whitelist/RELEASENOTES.md @@ -20,9 +20,44 @@ --> # Release Notes +### 1.3.0 (Sep 08, 2016) +* [CB-11795](https://issues.apache.org/jira/browse/CB-11795) Add 'protective' entry to cordovaDependencies +* Updated installation section +* Plugin uses `Android Log class` and not `Cordova LOG class` +* Add pull request template. +* [CB-10866](https://issues.apache.org/jira/browse/CB-10866) Adding engine info to `package.json` +* [CB-10996](https://issues.apache.org/jira/browse/CB-10996) Adding front matter to README.md + +### 1.2.2 (Apr 15, 2016) +* add note about redirects +* [CB-10624](https://issues.apache.org/jira/browse/CB-10624) remove error message from `whitelist.js`, which leaves it empty + +### 1.2.1 (Jan 15, 2016) +* [CB-10194](https://issues.apache.org/jira/browse/CB-10194) info tag prints for ios when not applicable + +### 1.2.0 (Nov 18, 2015) +* removed **iOS** engine check from `plugin.xml` +* [CB-10035](https://issues.apache.org/jira/browse/CB-10035) Updated `RELEASENOTES` to be newest to oldest +* [CB-9972](https://issues.apache.org/jira/browse/CB-9972) - Remove **iOS** whitelist +* Updated the text, it should read 4.0.x and greater, since this plugin will be required for `cordova-android 5.0` +* Fixing contribute link. +* Updated `plugin.xml <info>` tag to remove warning about not needing this plugin if you are using the **iOS 9 SDK** +* [CB-9738](https://issues.apache.org/jira/browse/CB-9738) - Disable whitelist use when runtime environment is **iOS 9** +* [CB-9740](https://issues.apache.org/jira/browse/CB-9740) - Add `<info>` tag describing whitelist plugin not needed on `cordova-ios` and cordova-android 3.x` +* [CB-9568](https://issues.apache.org/jira/browse/CB-9568) - Update whitelist plugin to allow all network access by default +* [CB-9337](https://issues.apache.org/jira/browse/CB-9337) - enable use of `<access>` tags for native code network requests + +### 1.1.0 (Jun 17, 2015) +* [CB-9128](https://issues.apache.org/jira/browse/CB-9128) cordova-plugin-whitelist documentation translation: cordova-plugin-whitelist +* fix npm md issue +* Usage of CDVURLRequestFilter protocol. +* [CB-9089](https://issues.apache.org/jira/browse/CB-9089) - iOS whitelist plugin does not compile +* [CB-9090](https://issues.apache.org/jira/browse/CB-9090) - Enable whitelist plugin for cordova-ios 4.0.0 +* Fixed error in Content-Security-Policy example + ### 1.0.0 (Mar 25, 2015) -* CB-8739 added missing license headers +* [CB-8739](https://issues.apache.org/jira/browse/CB-8739) added missing license headers * Add @Override to CustomConfigXmlParser methods * Change ID to cordova-plugin-whitelist rather than reverse-DNS-style * Tweak CSP examples in README -* CB-8660 remove extra commas from package.json +* [CB-8660](https://issues.apache.org/jira/browse/CB-8660) remove extra commas from package.json diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/de/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/de/README.md new file mode 100644 index 00000000..e97eaa63 --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/de/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Dieses Plugin implementiert eine Whitelist-Politik für die Navigation in der Anwendung Webview Cordova 4.0 + +## Cordova unterstützte Plattformen + + * Android 4.0.0 oder höher + * iOS 4.0.0 oder höher + +## Navigation-Whitelist + +Steuert, welche URLs die WebView selbst zu navigiert werden kann. Bezieht sich auf der obersten Ebene Navigationen nur. + +Macken: auf Android es gilt auch für Iframes für nicht-http(s) Systeme. + +In der Standardeinstellung Navigationen nur auf `file://` URLs, sind zulässig. Wenn andere andere URLs zulassen möchten, müssen Sie Ihre `"config.xml"` `<allow-navigation>` Markierungen hinzufügen: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## Vorsatz-Whitelist + +Steuert, welche URLs die app zulässig ist, um das System zu öffnen Fragen. Standardmäßig dürfen keine externe URLs. + +Das entspricht auf Android eine Absicht des Typs BROWSEABLE senden. + +Diese Whitelist gilt nicht für Plugins, nur Hyperlinks und Aufrufe von `window.open()`. + +Fügen Sie in `"config.xml"` `<allow-intent>` Tags hinzu, wie folgt: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Netzwerk-Anforderung-Whitelist + +Steuert, welche-Anforderungen Netzwerk (Bilder, XHRs, etc.) dürfen (über Cordova native Haken) erfolgen. + +Hinweis: Wir empfehlen Ihnen eine Content Security Policy (siehe unten), das ist sicherer. Diese Whitelist ist vor allem historisch für Webansichten für die CSP nicht unterstützen. + +Fügen Sie in `"config.xml"` `<access>` Tags hinzu, wie folgt: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Ohne `<access>` -Tags dürfen nur Anforderungen an `file://` URLs. Enthält jedoch die Standardanwendung Cordova `<access origin="*">` standardmäßig. + +Eigenart: Android kann auch Anforderungen an https://ssl.gstatic.com/accessibility/javascript/android/ standardmäßig, da dies für TalkBack ordnungsgemäß erforderlich ist. + +### Content-Security-Policy + +Steuert, welche-Anforderungen Netzwerk (Bilder, XHRs, etc.) dürfen (über Webview direkt) erfolgen. + +Auf Android und iOS ist die Netzwerk Anfrage Whitelist (s.o.) nicht in der Lage, alle Arten von Anfragen (z.B. `< video >` & WebSockets nicht blockiert) filtern. Also, sollten Sie neben der Whitelist, [Content Security Policy](http://content-security-policy.com/) `< Meta >` -Tags auf allen Ihren Seiten verwenden. + +Auf Android Unterstützung für CSP innerhalb der System-Webview beginnt mit KitKat (aber ist in allen Versionen mit Crosswalk WebView verfügbar). + +Hier sind einige Beispiel-CSP-Deklarationen für Ihre `HTML` -Seiten: + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/es/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/es/README.md new file mode 100644 index 00000000..b3e46849 --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/es/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Este plugin implementa una política de lista blanca para navegar la aplicación webview en Cordova 4.0 + +## Plataformas soportadas Cordova + + * Android 4.0 o superior + * iOS 4.0.0 o superior + +## Lista blanca de navegación + +Controla que las URLs del WebView se puede navegar a. Se aplica a nivel superior navegaciones solo. + +Peculiaridades: en Android también se aplica a iframes para esquemas que son de http (s). + +Por defecto, navegaciones solo a direcciones URL `file://` , son permitidas. Para permitir que otros otras URL, debe agregar `< allow-navegación >` etiquetas en el `archivo config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## Intención de lista blanca + +Controla qué URLs de la aplicación se permite hacer el sistema para abrir. De forma predeterminada, se permiten ninguÌ n external URLs. + +En Android, esto equivale a enviar una intención de tipo BROWSEABLE. + +Esta lista blanca no se aplica a plugins, sólo los hipervínculos y las llamadas a `window.Open)`. + +En `config.xml`, agregar etiquetas `< allow-intent >` , como este: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Solicitud de red blanca + +Controles que las peticiones de la red (imágenes, XHRs, etc.) se les permite hacer (a través de ganchos nativa de Córdoba). + +Nota: Le sugerimos que utilice una política de seguridad de contenido (véase abajo), que es más seguro. Esta lista blanca es sobre todo histórico para webviews que no admiten la CSP. + +En `config.xml`, agregue etiquetas de `< access >` , como este: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Sin las etiquetas `< access >` , se admiten sólo las solicitudes a direcciones URL `file://` . Sin embargo, la aplicación por defecto de Cordova incluye `< access origin = "*" >` por defecto. + +Quirk: Android también permite las solicitudes de https://ssl.gstatic.com/accessibility/javascript/android/ por defecto, puesto que es necesario para TalkBack funcionar correctamente. + +### Política de seguridad de contenido + +Controles que las peticiones de la red (imágenes, XHRs, etc.) se les permite hacer (vía webview directamente). + +En iOS y Android, la red solicitud lista blanca (véase arriba) no es capaz de filtrar todos los tipos de solicitudes (por ejemplo, `< video >` y WebSockets no estén bloqueadas). Así, además de la lista blanca, usted debe utilizar una etiqueta `< meta >` de [Contenido la política de seguridad](http://content-security-policy.com/) en todas las páginas. + +En Android, soporte para CSP en el sistema webview comienza con KitKat (pero está disponible en todas las versiones con WebView de paso de peatones). + +Aquí están algunas declaraciones de CSP de ejemplo para las páginas `.html` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/fr/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/fr/README.md new file mode 100644 index 00000000..2a8c4b73 --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/fr/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Ce plugin met en œuvre une politique de liste blanche pour naviguer le webview application sur Cordova 4.0 + +## Plates-formes prises en charge Cordova + + * 4.0.0 Android ou supérieur + * iOS 4.0.0 ou supérieur + +## Navigation liste blanche + +Contrôle quels URL le WebView lui-même peut être parcourus à. S'applique à des navigations niveau supérieur seulement. + +Particularités : sur Android il s'applique également aux iframes pour non-schémas http (s). + +Par défaut, navigations qu'aux URL `file://` , sont autorisés. Pour permettre aux autres d'autres URL, vous devez ajouter des balises `<allow-navigation>` à votre `fichier config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## Intent Whitelist + +Contrôle quels URL l'app n'est autorisé à poser le système d'ouverture. Par défaut, aucun external URL est autorisés. + +Sur Android, cela équivaut à envoyer une intention de type BROWSEABLE. + +Cette autorisation ne s'applique pas aux plugins, uniquement les liens hypertexte et les appels à `window.open()`. + +Dans le `fichier config.xml`, ajouter des balises `<allow-intent>` , comme ceci : + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Réseau demande liste blanche + +Les contrôles dont les demandes de réseau (images, XHRs, etc.) sont autorisés à effectuer (via cordova natif crochets). + +Remarque : Nous vous suggérons de qu'utiliser un contenu politique de sécurité (voir ci-dessous), qui est plus sûr. Cette liste blanche est surtout historique pour webviews qui ne prennent pas en charge les CSP. + +Dans le `fichier config.xml`, ajouter des balises `<access>` , comme ceci : + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Sans les balises `<access>` , seules les demandes d'URL `file://` sont autorisés. Toutefois, l'application de Cordoue par défaut inclut `<access origin="*" >` par défaut. + +Bizarrerie : Android permet également aux requêtes à https://ssl.gstatic.com/accessibility/javascript/android/ par défaut, puisque c'est nécessaire pour TalkBack fonctionner correctement. + +### Politique de sécurité du contenu + +Les contrôles dont les demandes de réseau (images, XHRs, etc.) sont autorisés à effectuer (via webview directement). + +Sur Android et iOS, la réseau demande liste blanche (voir ci-dessus) n'est pas en mesure de filtrer tous les types de demandes (p. ex. `< video >` & WebSockets ne sont pas bloquées). Ainsi, en plus de la liste blanche, vous devez utiliser une balise `< meta >` de [Contenu politique de sécurité](http://content-security-policy.com/) sur toutes vos pages. + +Sur Android, support pour le CSP dans le système webview commence par KitKat (mais n'est disponible sur toutes les versions à l'aide du tableau de concordance WebView). + +Voici quelques exemples de déclarations de CSP pour vos pages `.html` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/it/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/it/README.md new file mode 100644 index 00000000..157dc036 --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/it/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Questo plugin attua una politica di whitelist per spostarsi all'interno dell'applicazione webview in Cordova 4.0 + +## Piattaforme supportate Cordova + + * Android 4.0.0 o superiore + * iOS 4.0.0 o superiore + +## Navigazione Whitelist + +Controlla quali URL WebView stessa può essere esplorato. Si applica al solo primo livello navigazioni. + +Stranezze: su Android vale anche per gli iframe per non-schemi di http (s). + +Per impostazione predefinita, navigazioni solo agli URL `file://` , sono ammessi. Per consentire altri altri URL, è necessario aggiungere `<allow-navigation>` tag per il tuo `config. XML`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## Whitelist intento + +Controlla quali URL app è consentito richiedere il sistema di apertura. Per impostazione predefinita, nessun esterno URL sono ammessi. + +Su Android, ciò equivale all'invio di un intento di tipo BROWSEABLE. + +Questa whitelist non si applica ai plugin, solo i collegamenti ipertestuali e chiamate a `Window`. + +In `config. XML`, aggiungere tag `<allow-intent>` , simile al seguente: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Rete richiesta Whitelist + +Controlli che le richieste di rete (immagini, XHRs, ecc.) sono consentiti (tramite ganci nativo di cordova). + +Nota: Si consiglia di che utilizzare un criterio di protezione contenuti (Vedi sotto), che è più sicuro. La whitelist è principalmente storico per visualizzazioni Web che non supportano la CSP. + +In `config. XML`, aggiungere tag `< access >` , simile al seguente: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Senza qualsiasi tag `< access >` , sono consentite solo le richieste di URL `file://` . Tuttavia, l'applicazione di Cordova predefinito include `< access origin = "*" >` per impostazione predefinita. + +Stranezza: Android consente anche alle richieste di https://ssl.gstatic.com/accessibility/javascript/android/ per impostazione predefinita, poiché questa operazione è necessaria per TalkBack funzionare correttamente. + +### Politica di sicurezza del contenuto + +Controlli che le richieste di rete (immagini, XHRs, ecc.) possono essere effettuate (via webview direttamente). + +Su Android e iOS, la rete richiesta whitelist (Vedi sopra) non è in grado di filtrare tutti i tipi di richieste (ad esempio non sono bloccate `< video >` & WebSockets). Così, oltre alla whitelist, è necessario utilizzare un tag `< meta >` [Content Security Policy](http://content-security-policy.com/) su tutte le pagine. + +Su Android, supporto per CSP all'interno webview sistema inizia con KitKat (ma è disponibile su tutte le versioni usando Crosswalk WebView). + +Ecco alcuni esempi di dichiarazioni di CSP per le pagine `HTML` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/ja/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/ja/README.md new file mode 100644 index 00000000..6db17f1e --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/ja/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +このプラグイン実装コルドバ 4.0 アプリケーション webview をナビゲートするためのホワイト リスト ポリシー + +## サポートされているコルドバのプラットフォーム + + * アンドロイド 4.0.0 以上 + * iOS 4.0.0 以上 + +## ナビゲーションのホワイト リスト + +WebView 自体に移動に Url を制御します。最上位ナビゲーションのみに適用されます。 + +癖: Android にもに適用されますの iframe 非-[http スキーム。 + +既定では、ナビゲーション、 `file://`の Url にのみ許可されます。その他の他の Url を許可するように、 `config.xml`に`<allow-navigation>`タグを追加する必要があります。 + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## インテントのホワイト リスト + +どの Url を開くようにシステムを聞いて、アプリに許可を制御します。 既定では、外部 Url 許可されません。 + +人造人間、これは型 BROWSEABLE の意図を送信することに相当します。 + +このホワイト リストはプラグインのみハイパーリンクおよび`window.open()`への呼び出しには適用されません。. + +`Config.xml`内の`<allow-intent>`タグは、このようなを追加します。 + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## ネットワーク要求のホワイト リスト + +ネットワーク要求コントロール (画像、XHRs 等) (コルドバ ネイティブ フック) を介して行われることが。 + +注: より安全なコンテンツ セキュリティ ポリシー (下記参照) を使用してお勧めします。 このホワイト リストほとんどの CSP をサポートしていない web 表示のために歴史的です。 + +`Config.xml`内のこのような`<access>`タグを追加します。 + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +`<access>`タグ、なし`file://` Url に要求のみを許可します。 ただし、既定のコルドバ アプリケーションが含まれています`<access origin="*">`デフォルトで。 + +気まぐれ: アンドロイドも要求できます https://ssl.gstatic.com/accessibility/javascript/android/デフォルトでは、トークが正常に機能するために必要ですので。 + +### コンテンツのセキュリティ ポリシー + +ネットワーク要求コントロール (画像、XHRs 等) (直接 webview) を介して行われることが。 + +Android と iOS は、ネットワーク要求ホワイト リスト (上記参照) はすべての種類の要求 (例: `< ビデオ >` & Websocket がふさがれていない) をフィルター処理できません。 だから、ホワイト リストに加えてすべてのページに[コンテンツ セキュリティ ポリシー](http://content-security-policy.com/) `< meta >`タグを使用する必要があります。 + +Android 上システム webview 内 CSP サポート キットカットから始まります (しかし横断歩道 WebView を使用してすべてのバージョンで利用可能です)。 + +`.Html`ページのいくつかの例 CSP の宣言は次のとおりです。 + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/ko/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/ko/README.md new file mode 100644 index 00000000..4cbae914 --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/ko/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +이 플러그인 구현 코르도바 4.0 응용 프로그램 webview를 탐색에 대 한 허용 정책 + +## 지원된 코르도바 플랫폼 + + * 안 드 로이드 4.0.0 이상 + * iOS 4.0.0 이상 + +## 탐색 허용 + +WebView 자체가 탐색할 수 있는 Url을 제어 합니다. 최상위 탐색에만 적용 됩니다. + +단점: 안 드 로이드에도 적용 됩니다 iframe에 대 한 비-프로토콜인 계획. + +기본적으로 탐색 `file://` Url에만 사용할 수 있습니다. 다른 다른 Url을 허용 하려면 `config.xml`에 `< allow-navigation >` 태그를 추가 해야 합니다. + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## 의도 허용 + +App 시스템 열을 게 허용 되는 Url을 제어 합니다. 기본적으로 외부 Url은 사용할 수 있습니다. + +안 드 로이드에이 형식의 BROWSEABLE 의도 보내는 것 같습니다. + +이 허용 된 플러그인, 하이퍼링크 및 `window.open ()` 호출에 적용 되지 않습니다.. + +`Config.xml`에이 같은 `< allow-intent >` 태그를 추가 합니다. + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## 네트워크 요청 허용 + +요청을 네트워크 컨트롤 (이미지, XHRs, 등) (코르도바 네이티브 후크)를 통해 할 수 있습니다. + +참고: 당신이 사용 콘텐츠 보안 정책 (아래 참조), 더 안전한 것이 좋습니다. 이 허용은 CSP를 지원 하지 않는 webviews에 대 한 역사적. + +`Config.xml`에이 같은 `< access >` 태그를 추가 합니다. + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +어떤 `< access >` 태그 없이 요청 `file://` Url 사용할 수 있습니다. 그러나 기본 코르도바 응용 프로그램을 포함 하는, `< access origin="*" >` 기본적으로. + +특질: 안 드 로이드 또한 수 있습니다 요청을 https://ssl.gstatic.com/accessibility/javascript/android/ 기본적으로 필요 제대로 작동 하려면 의견 이므로. + +### 콘텐츠 보안 정책 + +요청을 네트워크 컨트롤 (이미지, XHRs, 등) (webview 직접)를 통해 할 수 있습니다. + +안 드 로이드와 iOS에 네트워크 요청 허용 (위 참조)는 모든 종류의 요청 (예: `< 비디오 >` & WebSockets 차단 되지 않습니다)를 필터링 할 수 없습니다. 그래서, 허용, 뿐만 아니라 귀하의 모든 페이지에 [콘텐츠 보안 정책](http://content-security-policy.com/) `< meta >` 태그를 사용 해야 합니다. + +안 드 로이드, 시스템 webview 내에서 CSP에 대 한 지원을 KitKat 시작 (하지만 횡단 보도 WebView를 사용 하 여 모든 버전에서 사용할 수). + +다음은 `.html` 페이지에 대 한 몇 가지 예제 CSP 선언입니다. + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/pl/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/pl/README.md new file mode 100644 index 00000000..ecdc3d5c --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/pl/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +Ten plugin wdraża polityki białej nawigacja widoku sieci Web aplikacji na Cordova 4.0 + +## Cordova obsługiwanych platform + + * Android 4.0.0 lub powyżej + * iOS 4.0.0 lub powyżej + +## Biała lista nawigacji + +Kontroluje, których adresy URL widoku sieci Web, samej można nawigować do. Dotyczy tylko najwyższego poziomu nawigacje. + +Dziwactwa: na Android to dotyczy także IFRAME do nie-http (s) systemów. + +Domyślnie, nawigacje tylko do URLi `file://` , są dozwolone. Aby zezwolić na inne adresy URL, należy dodać Tagi `< allow-navigation >` do pliku `config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## Zamiarem biała + +Kontroluje, których adresy URL aplikacji jest możliwość zapytać systemem otwierania. Domyślnie nie ma zewnętrznych adresów URL są dozwolone. + +Na Android to przyrównuje do wysyłania zamiarem typu BROWSEABLE. + +Ta biała nie ma zastosowania do pluginów, tylko hiperłącza i wywołania `window.open()`. + +W `pliku config.xml`dodawanie tagów `< allow-intent >` , jak to: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## Sieci wniosek biała + +Formanty, które sieci żądań (obrazy, XHRs, itp.) mogą być wykonane (za pośrednictwem cordova rodzimych haki). + +Uwaga: Zalecamy, że używasz treści polityki bezpieczeństwa (patrz poniżej), który jest bardziej bezpieczne. Ta Biała jest głównie historyczne dla webviews, które nie obsługują CSP. + +W `pliku config.xml`dodawanie tagów `< access >` , jak to: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +Bez żadnych tagów `< access >` dozwolone są tylko żądania do URLi `file://` . Jednak domyślnie Cordova aplikacja zawiera `< access origin = "*" >` domyślnie. + +Cokół: Android pozwala również żądania do https://ssl.gstatic.com/accessibility/javascript/android/ domyślnie, ponieważ jest to wymagane dla TalkBack wobec funkcja poprawnie. + +### Zasady zabezpieczeń zawartości + +Formanty, które sieci żądań (obrazy, XHRs, itp.) mogą być wykonane (za pomocą widoku sieci Web bezpośrednio). + +Na Androida i iOS biała żądanie sieci (patrz wyżej) nie jest w stanie filtrować wszystkie rodzaje wniosków (np. `< video >` & WebSockets nie są zablokowane). Tak oprócz białej listy, należy użyć tagu `< meta >` [Treści polityki bezpieczeństwa](http://content-security-policy.com/) na wszystkich stronach. + +Na Android wsparcie dla CSP w ramach systemu widoku sieci Web zaczyna KitKat (ale jest dostępne we wszystkich wersjach przy użyciu widoku sieci Web przejście dla pieszych). + +Oto niektóre przykład CSP deklaracje dla strony `HTML` : + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/doc/zh/README.md b/StoneIsland/plugins/cordova-plugin-whitelist/doc/zh/README.md new file mode 100644 index 00000000..c2c7e112 --- /dev/null +++ b/StoneIsland/plugins/cordova-plugin-whitelist/doc/zh/README.md @@ -0,0 +1,148 @@ +<!-- +# license: Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +--> + +# cordova-plugin-whitelist + +這個外掛程式實現一個用於導航在科爾多瓦 4.0 應用程式 web 視圖的白名單策略 + +## 支援的科爾多瓦平臺 + + * Android 4.0.0 或以上 + * iOS 4.0.0 或以上 + +## 導航白名單 + +控制 web 視圖本身可以導航到的 Url。適用于頂級導航只。 + +怪癖: 在 Android 上它也適用于 iframe 的非-結計畫。 + +預設情況下,只有到`file://` Url 導航允許。若要允許其他其他 Url,必須將`<allow-navigation>`標籤添加到您的`config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. + *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + + +## 科爾多瓦-外掛程式-白名單 + +控制應用程式允許讓系統打開的 Url。 預設情況下,沒有外部 Url 允許。 + +在 android 系統,這相當於發送類型 BROWSEABLE 的意圖。 + +此白名單並不適用于只超連結和對`window.open ()`調用的外掛程式. + +在`config.xml`中添加`<allow-intent>`標籤,像這樣: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + + +## 網路請求白名單 + +網路請求的控制項 (圖像,XHRs 等) 允許 (通過科爾多瓦本機掛鉤)。 + +注意: 我們建議你使用內容的安全性原則 (見下文),這是更安全。 此白名單大多是為 webviews 不支援 CSP 的歷史。 + +在`config.xml`中添加`<access>`標記,像這樣: + + <!-- Allow images, xhrs, etc. to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + + +沒有任何`<access>`標籤,只到`file://` Url 允許請求。 但是,預設的科爾多瓦應用程式包括`<access origin="*">` ,預設情況。 + +怪癖: Android 還允許對 HTTPs://ssl.gstatic.com/accessibility/javascript/android/ 請求預設情況下,因為這是對講正常所需。 + +### 內容安全政策 + +網路請求的控制項 (圖像,XHRs 等) 允許 (通過 web 視圖直接)。 + +對 Android 和 iOS,網路請求白名單 (見上文) 是不能夠過濾所有類型的請求 (例如`<video>` & Websocket 未被阻止)。 那麼,除了白名單中,你應使用[內容安全性原則](http://content-security-policy.com/) `< 元 >`標記您的所有頁面。 + +在 android 系統,對 CSP 系統 web 視圖的支援開始奇巧 (但是是上使用 web 視圖人行橫道上的所有版本可用)。 + +下面是一些示例 CSP 聲明為`.html`頁面: + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
\ No newline at end of file diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/package.json b/StoneIsland/plugins/cordova-plugin-whitelist/package.json index 2c72e256..ae0d386c 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/package.json +++ b/StoneIsland/plugins/cordova-plugin-whitelist/package.json @@ -1,34 +1,32 @@ { "name": "cordova-plugin-whitelist", - "version": "1.0.0", + "version": "1.3.0", "description": "Cordova Whitelist Plugin", "cordova": { "platforms": [ - "android", - "ios" + "android" ] }, "repository": { "type": "git", - "url": "https://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist.git" + "url": "https://github.com/apache/cordova-plugin-whitelist" }, "keywords": [ "cordova", "whitelist", "ecosystem:cordova", - "cordova-android", - "cordova-ios" + "cordova-android" ], - "engines": [ - { - "name": "cordova-android", - "version": ">=4.0.0-dev" - }, - { - "name": "cordova-ios", - "version": ">=4.0.0-dev" + "engines": { + "cordovaDependencies": { + "0.0.0": { + "cordova-android": ">=4.0.0" + }, + "2.0.0": { + "cordova": ">100" + } } - ], + }, "author": "Apache Software Foundation", "license": "Apache 2.0" } diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/plugin.xml b/StoneIsland/plugins/cordova-plugin-whitelist/plugin.xml index 2ec60b3c..21f7b54b 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/plugin.xml +++ b/StoneIsland/plugins/cordova-plugin-whitelist/plugin.xml @@ -20,14 +20,14 @@ <plugin xmlns="http://apache.org/cordova/ns/plugins/1.0" id="cordova-plugin-whitelist" - version="1.0.0"> + version="1.3.0"> <name>Whitelist</name> <description>Cordova Network Whitelist Plugin</description> <license>Apache 2.0</license> <keywords>cordova,whitelist,policy</keywords> <engines> - <engine name="cordova-android" version=">=4.0.0-dev" /> + <engine name="cordova-android" version=">=4.0.0" /> </engines> <platform name="android"> @@ -40,8 +40,11 @@ <source-file src="src/android/WhitelistPlugin.java" target-dir="src/org/apache/cordova/whitelist" /> - <js-module src="whitelist.js" name="whitelist"> - <runs /> - </js-module> + <info> + This plugin is only applicable for versions of cordova-android greater than 4.0. If you have a previous platform version, you do *not* need this plugin since the whitelist will be built in. + </info> </platform> + + + </plugin> diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java b/StoneIsland/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java index 4e4f57e1..36567886 100755..100644 --- a/StoneIsland/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java +++ b/StoneIsland/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java @@ -21,11 +21,11 @@ package org.apache.cordova.whitelist; import org.apache.cordova.CordovaPlugin; import org.apache.cordova.ConfigXmlParser; +import org.apache.cordova.LOG; import org.apache.cordova.Whitelist; import org.xmlpull.v1.XmlPullParser; import android.content.Context; -import android.util.Log; public class WhitelistPlugin extends CordovaPlugin { private static final String LOG_TAG = "WhitelistPlugin"; @@ -90,7 +90,7 @@ public class WhitelistPlugin extends CordovaPlugin { boolean external = (xml.getAttributeValue(null, "launch-external") != null); if (origin != null) { if (external) { - Log.w(LOG_TAG, "Found <access launch-external> within config.xml. Please use <allow-intent> instead."); + LOG.w(LOG_TAG, "Found <access launch-external> within config.xml. Please use <allow-intent> instead."); allowedIntents.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0)); } else { if ("*".equals(origin)) { diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h b/StoneIsland/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h deleted file mode 100755 index d0b93654..00000000 --- a/StoneIsland/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h +++ /dev/null @@ -1,31 +0,0 @@ -/* - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - */ - -#import <UIKit/UIKit.h> -#import <Cordova/CDVPlugin.h> -#import <Cordova/CDVWhitelist.h> - -@interface CDVNavigationWhitelistPlugin : CDVPlugin {} - -@property (nonatomic, readonly, strong) CDVWhitelist* whitelist; // readonly for public - -- (BOOL)shouldAllowNavigationToURL:(NSURL *)url; -- (BOOL)shouldAllowRequestForURL:(NSURL *)url; - -@end diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m b/StoneIsland/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m deleted file mode 100755 index 5895e89b..00000000 --- a/StoneIsland/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m +++ /dev/null @@ -1,89 +0,0 @@ -/* - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - */ - -#import "CDVNavigationWhitelistPlugin.h" -#import <Cordova/CDVViewController.h> - -#pragma mark CDVNavigationWhitelistConfigParser - -@interface CDVNavigationWhitelistConfigParser : NSObject <NSXMLParserDelegate> {} - -@property (nonatomic, strong) NSMutableArray* whitelistHosts; - -@end - -@implementation CDVNavigationWhitelistConfigParser - -@synthesize whitelistHosts; - -- (id)init -{ - self = [super init]; - if (self != nil) { - self.whitelistHosts = [[NSMutableArray alloc] initWithCapacity:30]; - [self.whitelistHosts addObject:@"file:///*"]; - [self.whitelistHosts addObject:@"content:///*"]; - [self.whitelistHosts addObject:@"data:///*"]; - } - return self; -} - -- (void)parser:(NSXMLParser*)parser didStartElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName attributes:(NSDictionary*)attributeDict -{ - if ([elementName isEqualToString:@"allow-navigation"]) { - [whitelistHosts addObject:attributeDict[@"href"]]; - } -} - -- (void)parser:(NSXMLParser*)parser didEndElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName -{ -} - -- (void)parser:(NSXMLParser*)parser parseErrorOccurred:(NSError*)parseError -{ - NSAssert(NO, @"config.xml parse error line %ld col %ld", (long)[parser lineNumber], (long)[parser columnNumber]); -} - - -@end - -#pragma mark CDVNavigationWhitelistPlugin - -@interface CDVNavigationWhitelistPlugin () {} -@property (nonatomic, strong) CDVWhitelist* whitelist; -@end - -@implementation CDVNavigationWhitelistPlugin - -@synthesize whitelist; - -- (void)setViewController:(UIViewController *)viewController -{ - if ([viewController isKindOfClass:[CDVViewController class]]) { - CDVWhitelistConfigParser *whitelistConfigParser = [[CDVWhitelistConfigParser alloc] init]; - [(CDVViewController *)viewController parseSettingsWithParser:whitelistConfigParser]; - self.whitelist = [[CDVWhitelist alloc] initWithArray:whitelistConfigParser.whitelistHosts]; - } -} - -- (BOOL)shouldAllowNavigationToURL:(NSURL *)url -{ - return [self.whitelist URLIsAllowed:url]; -} -@end diff --git a/StoneIsland/plugins/cordova-plugin-whitelist/whitelist.js b/StoneIsland/plugins/cordova-plugin-whitelist/whitelist.js deleted file mode 100755 index 74d7a99d..00000000 --- a/StoneIsland/plugins/cordova-plugin-whitelist/whitelist.js +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * -*/ - -if (!document.querySelector('meta[http-equiv=Content-Security-Policy]')) { - var msg = 'No Content-Security-Policy meta tag found. Please add one when using the cordova-plugin-whitelist plugin.'; - console.error(msg); - setInterval(function() { - console.warn(msg); - }, 10000); -} |