Content Security Policy (CSP) #1672
Chrome Packaged Apps have CSP enabled by default to protect users against code injection attacks. In runtimes such as PhoneGap this isn't enabled by default, but developers can set the meta tag in the html document head. Like so:
This blocks inline scripts and other sources and only allows locally loaded scripts. E.g. the following code should not be allowed to be executed:
Chrome blocks this code while node-webkit doesn't. Is there a reason for this?
The reason I'm asking is that we are porting our PGP mail client (https://whiteout.io) from chrome packaged apps to node-webkit. But this issue is basically a showstopper for us, as it could allow an attacker to get a hold of the user's private key should he be able to inject code somehow.
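To make concrete what a `default-src 'self'` policy does and does not permit, here is an added example (not code from this issue, from nw.js or from whiteout.io): a small evaluator for the script-related part of a CSP. It assumes the app is loaded from a `file://` origin, models only the `'self'`, `'none'`, `'unsafe-inline'`, scheme and host source expressions, and uses constructed script requests; real browsers implement much more (nonces, hashes, wildcards, the full fallback order).

```javascript
// Added example for this thread (not nw.js or whiteout.io code): a minimal
// evaluator for the script-related part of a Content Security Policy.
// It shows why a meta tag such as
//   <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
// rejects inline <script> blocks and remote script URLs while still allowing
// scripts packaged with the app. Only a subset of CSP is modelled here
// ('self', 'none', 'unsafe-inline', scheme sources, host sources and '*').

// Origin (scheme://host[:port]) of a URL; for "file:///app/main.js" this is "file://".
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(url);
  if (!m) throw new Error("unsupported URL: " + url);
  return m[1].toLowerCase() + "://" + m[2].toLowerCase();
}

// Parse "default-src 'self'; script-src 'self' https://cdn.example" into
// { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example"] }.
// A directive that appears twice keeps its first occurrence, as CSP specifies.
function parseCsp(policyText) {
  const directives = {};
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src governs scripts if present; otherwise default-src; otherwise no restriction.
function scriptSources(directives) {
  if ("script-src" in directives) return directives["script-src"];
  if ("default-src" in directives) return directives["default-src"];
  return null;
}

// Does one source expression admit a script fetched from scriptUrl?
function sourceMatches(source, pageOrigin, scriptUrl) {
  const lower = source.toLowerCase();
  if (lower === "'self'") return originOf(scriptUrl) === pageOrigin;
  if (lower === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) {          // scheme source, e.g. "https:"
    return originOf(scriptUrl).startsWith(lower + "//");
  }
  if (lower.startsWith("'")) return false;            // other keywords never match a URL
  if (lower.includes("://")) return originOf(scriptUrl) === originOf(lower); // full origin
  return originOf(scriptUrl).split("://")[1] === lower;                       // bare host
}

// pageOrigin is the origin the document was loaded from; script is either
// { inline: true } or { url: "<absolute URL>" }.
function isScriptAllowed(policyText, pageOrigin, script) {
  const sources = scriptSources(parseCsp(policyText));
  if (sources === null) return true;                  // policy says nothing about scripts
  if (script.inline) return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (sources.some((s) => s.toLowerCase() === "'none'")) return false;
  return sources.some((s) => sourceMatches(s, pageOrigin.toLowerCase(), script.url));
}

// Stand-alone demo with a constructed policy and constructed script requests.
const demoPolicy = "default-src 'self'";
const demoOrigin = "file://";                         // a node-webkit app loaded from disk (assumption)
const demoScripts = [
  { inline: true },                                   // inline <script> block: blocked
  { url: "file:///app/js/main.js" },                  // packaged with the app: allowed
  { url: "https://remote.example/x.js" },             // remote script: blocked
];
for (const s of demoScripts) {
  console.log(JSON.stringify(s), "->", isScriptAllowed(demoPolicy, demoOrigin, s) ? "allowed" : "blocked");
}
```

The important detail for the threat described in the issue is the inline case: with `default-src 'self'` and no `'unsafe-inline'`, an injected `<script>` block is refused regardless of where the page itself came from, which is exactly the guarantee that is lost if the runtime ignores the meta tag.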
I was under the impression that Chrome blocks it because Google was trying to assert its will on other developers to make them code their way. I'm a big fan of good coding practices, but I'm not a fan of having them be forced.
One thing I really like about node-webkit is the flexibility and control it gives me as a developer. If I need to do something a certain way, I can.
In short, I don't have a problem with CSP being enabled by default. I generally don't do things that avoid it being turned off. But the difference between Google Chrome and node-webkit is that in Chrome you as a developer have no power to turn it off.
I'm not suggesting that CSP be enforced, just that it is supported at all. Default or not.
As for Google. There are legitimate reasons to enforce CSP when privileged APIs are exposed as most developers understandably choose the path with the least friction, even if they sacrifice security along the way. It is the platform maker's responsibility to protect its users and good design often requires making the hard choice for others. Firefox Packaged Apps do this as well by the way: https://developer.mozilla.org/en-US/Marketplace/Publishing/Packaged_apps#Types_of_packaged_apps
2014-09-10 23:50 GMT+03:00 Tankred Hase firstname.lastname@example.org:
From: Gnor Tech <email@example.com> Fix nwjs/nw.js#1672