Hmmm. Symlinks will break if the code ever touches Windows but they could be
safely created as a part of a before_compile hook since that would only ever
run on OSX practically speaking. (after_prepare would still fire if you add
iOS on Windows - which is something we talked about being a pote
situation. Cordova apps in general are affected. You likely
should consider upgrading to Cordova Android 3.7.2 (if using < 5.0.0) or 4.0.2
(if using Cordova 5.0.0+) given you likely have a security focused app.
-Chuck
-Original Message-
From: Chuck Lantz [mailto:cla...@microsoft.com]
S
It is a security risk that was identified but impact is not known.
Fortunately there is a simple workaround. See this article for how to fix this
problem:
https://github.com/Microsoft/cordova-docs/tree/master/tips-and-workarounds/android/security-05-26-2015
-Chuck
-Original Message-
Definitely.
Note that 4.3.0 is also broken - We likely need to look at a 4.3.1 given the
level of change in 5.0.0.
-Chuck
-Original Message-
From: Steven Gill [mailto:stevengil...@gmail.com]
Sent: Thursday, May 7, 2015 12:08 PM
To: dev@cordova.apache.org
Subject: Re: [DISCUSS] Rapid r
t seems to work - Anyone know if there are
potential unintended side-effects of doing that?
-Chuck
-Original Message-----
From: Chuck Lantz [mailto:cla...@microsoft.com]
Sent: Thursday, May 7, 2015 8:05 AM
To: dev@cordova.apache.org
Subject: RE: Cordova Plugins with Symlinks
Possibly
ks on windows?
On Wed, May 6, 2015 at 2:39 PM, Chuck Lantz wrote:
> Yeah that was one of the alternatives I was thinking about as a part
> of that pre-publish step I mentioned. Really, you'd need to either:
>
> 1. Provide a general mechanism for all symlinks using a metadata
authors to work around this problem" and even as a
> pre-publish (or analysis) step that checks whether this might be a
> problem, and warns them.
>
> On Wed, May 6, 2015 at 9:54 AM, Chuck Lantz
> wrote:
> > Yeah, I agree symlinks should be avoided, but what Ally highli
ject types support adding a reference to a file or folder, we should
leverage this directly.
Of course, this could possibly lead to forward vs back slash issues, but should
be easier than running hook hacks.
At least I think we should explore this way.
> On May 6, 2015, at 7:53 AM, Chuck
Hey folks,
So I’ve started to see some issues come up with certain Cordova plugins when
devs are mixing a Windows and OSX environment together when developing an app.
Digging into it a bit, it looks like root cause is that there are some
situations where iOS plugin implementations with custom f
: Re: Proposal for CSP support
Reason is that the current tag is used for network requests, which is
what CSP is replacing.
and are different concepts, so there'd be no
(intentional) overlap with existing tags.
On Tue, Feb 24, 2015 at 8:01 PM, Chuck Lantz wrote:
> Yeah that was
ll platforms use the same primitives.
Ian's intent and navigation whitelists work on Android and iOS atm I believe.
On Tue, Feb 24, 2015 at 1:31 PM, Chuck Lantz wrote:
> I asked Kevin Hill from the Windows team working on the security model
> for Windows apps in Windows 10 to take
s6LB1_giodyR4QwBMQssLKP_UxACZif
> k-VYVX2T8/edit?usp=sharing
>
> In that doc, I've attempted to address the questions/comments both
> from your email, as well as Michal's earlier response. I'll let all
> interested parties continue the conversation in the doc.
>
&
Hey Jason - Glad to see this proposal! A number of us at Microsoft have been
talking along these same lines actually. Windows 10 apps will include CSP
support as the latest version of IE has support so I'd say we're completely in
support of moving Cordova apps down this path. In fact I'd want
I think the incident over the weekend pointed out that people are in fact
pinning versions in plugin dependencies to avoid unexpected regressions or in
apps due to things like security reviews. (Ex: Each version of a piece of
software that is published inside an app needs to go through a legal
;
> -- Nick
>
> On Mon, Feb 16, 2015 at 11:35 AM, Chuck Lantz
> wrote:
>
>> Awesome! Do let us know if you need help. Nikhil was digging in a
>> bit but we'll hold given this update.
>>
>> -Chuck
>>
>> From: Steven Gill [mailto:stevengil...@
Awesome! Do let us know if you need help. Nikhil was digging in a bit but
we'll hold given this update.
-Chuck
From: Steven Gill [mailto:stevengil...@gmail.com]
Sent: Monday, February 16, 2015 11:29 AM
To: Chuck Lantz
Cc: dev@cordova.apache.org
Subject: Re: Plugin history purged from reg
Yeah Visual Studio is in a similar boat for projects where devs have not used a
plugin before. (We fortunately switched to storing the plugins in the project
in our latest update so existing projects work.) We're directing people to use
git URIs near term when acquiring plugins.
Steve, let us
g it. only difference between it and the commit
>> before its the adding of -dev.
>>
>> On Fri, Feb 13, 2015 at 7:30 PM, Chuck Lantz
>> wrote:
>>
>>> So that would indicate things are recoverable at least - Odd that
>>> http://registry.cordova.io/o
27;m thinking of is an existing project that doesn't
> have
> > > the
> > > > > platforms folder checked into source control. A developer checks
> out
> > > the
> > > > > project then runs cordova platform add for any of the platforms
> t
]
Sent: Friday, February 13, 2015 3:42 PM
To: dev@cordova.apache.org
Cc: Chuck Lantz
Subject: Re: Plugin history purged from registry?
On Fri, Feb 13, 2015 at 3:18 PM, Steven Gill
mailto:stevengil...@gmail.com>> wrote:
plugman info org.apache.cordova.geolocation still lists all of the old ve
Darryl appears to be correct - I just cleared my .plugman cache and any pinned
plugins stopped working because it was unable to fetch. That's a big problem.
-Chuck
-Original Message-
From: dvpdin...@gmail.com [mailto:dvpdin...@gmail.com] On Behalf Of Darryl Pogue
Sent: Friday, February
that all new apps have a hard-coded
android:name. Only existing apps should need to use the flag.
On Fri, Feb 13, 2015 at 10:15 AM, Chuck Lantz wrote:
> Forgot to mention - The fix we talked about was the ability to set
> "project name" independent of the display name (re
e time to merge it in.
-Chuck
-Original Message-----
From: Chuck Lantz [mailto:cla...@microsoft.com]
Sent: Friday, February 13, 2015 6:57 AM
To: dev@cordova.apache.org
Subject: RE: Thoughts on CB-7827
To be clear, CB-6511 fixes app names that are non-English which is clearly not
an edge ca
To be clear, CB-6511 fixes app names that are non-English which is clearly not
an edge case. For example, previous to this change it was impossible to build
an app for Android with a Chinese display name. You'll note Cordova
documentation is available in Chinese.
-Chuck
-Original Message--
+1
The main reason we left windows8 as an alias is we didn't want to break
existing plugins because of a name change given the code was compatible. So,
the same goes for referencing windows8 in plugin.xml - that will apply to the
cordova-windows platform for backwards compatibility reasons. (Th
orth to look at it? If no, we can wait until Dan is back
> (hope he feels better soon) I'm happy to help if needed.
>
> 2015-01-28 10:05 GMT-06:00 Chuck Lantz :
>
> > Dan Levine whom some of you met at PhoneGap day actually has been
> > working on a PR based on Subhag
> > On Thu, Oct 9, 2014 at 2:17 PM, Jesse
> wrote:
> > > >
> > > > > I am liking all of this.
> > > > > Are we ready to move this to an editable plaintext doc to
> collaborate
> > > on?
> > > > >
> > > > > I agree that we should take advantage o
Andrea,
Some folks in the developer division may be able to help out here. I'll
connect you with our Cordova contributors.
-Chuck
From: Andrea Tino [mailto:andrea.t...@microsoft.com]
Sent: Friday, January 23, 2015 12:10 AM
To: dev@cordova.apache.org
Cc: Vincent Nicolas; Michael Helligsø Svinth
Folks,
I am also hearing that this is a problem for CLI users on a new machine or if
they have just started using Cordova for the first time. "www" seems to result
in a connection refused.
Creating a new cordova project with name "HelloCordova" and id "io.cordova.hello
cordova" at location "D:\
For those joining the thread late - Here's the Google doc link that's trying to
consolidate the conversation:
https://docs.google.com/document/d/1qKjhzSf48ybGg2GFZPtjXP8dkF4Z5Jnc7FU41V3-jFc/edit
-Chuck
-Original Message-----
From: Chuck Lantz [mailto:cla...@microsoft.com]
Sent:
.
>>>>
>>>> 'cordova save'
>>>> Saves all installed platforms and plugins into config.xml
>>>>
>>>> 'cordova restore'
>>>> Restores all platforms and plugins from config.xml. similar to
>
+1 on automating.
That's why Mefire's PR for platform add just uses the version information in
config.xml if it is present. I think the idea behind "--save" was to make this
npm-like so that if a value is already in config.xml, then you can also update
it by specifying a different version and
e
> legacy-whitelist plugin.
>
> Maybe:
> PATTERN
> PATTERN
>
> On Wed, Dec 17, 2014 at 5:29 PM, Chuck Lantz wrote:
> >
> > Yeah, I also am thinking about "upgrade" situations where someone
> > takes
> an
> > existing app and moves it to
I didn't reply when I saw this initially - but this is actually really cool
particularly if you're trying out bug fixes. Visual Studio tracks edits and
automatically reinstalls plugins for this reason (which you can do if you have
a project system watching edits).
-Chuck
-Original Message-
familiarity with the old syntax trumps the fact that we're changing the
behaviour.
On Wed Dec 17 2014 at 11:47:02 AM Chuck Lantz wrote:
> I suppose that is a good question. I took a look at the Widget Access
> Request Policy W3C spec where that element comes from. It's actual
olicy. I've been working on that
in parallel with Android.
Do we want to use for Nav? I wasn't sure, given its history, and the
fact that we're changing its behaviour. Is it better to stick with the familiar
tag and change what it tries to do? Or create a new tag and deprecate ?
+1 to converting iOS scripts to node - right now if developers have the iOS
platform in source control and check it out on Windows (or another team member
moves it there manually) the execute bit is lost once it hits the NTFS
filesystem and the platform breaks if you check it in or move it back.
-
From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve
Sent: Tuesday, December 16, 2014 7:21 AM
To: dev
Subject: Re: How to handle CSP for XHR in Cordova 4.0
On Mon, Dec 15, 2014 at 8:19 PM, Chuck Lantz wrote:
>
> Near term, for Windows 8.0/8.1, a custom secur
ike inline or eval disabled.
-Chuck
-Original Message-
From: Ian Clelland [mailto:iclell...@chromium.org]
Sent: Monday, December 15, 2014 11:17 AM
To: dev@cordova.apache.org
Subject: Re: How to handle CSP for XHR in Cordova 4.0
On Mon Dec 15 2014 at 11:28:43 AM Chuck Lantz wrote:
For the Windows platform, IE 10 and 11 support CSP 1.0 - there's one subtle
difference (X-Content-Security-Policy vs Content-Security-Policy in the HTTP
header). The Win 10 Tech Preview already has full CSP support. In general,
the conventional wisdom is to push app models towards the CSP and
tualbox.
>
> Thanks!
>
>
> On Fri, Dec 5, 2014 at 1:04 AM, Chuck Lantz wrote:
>
>> Hey Ally,
>>
>> Thanks for letting us know!
>>
>> Here's what I do: The Windows Phone emulator works inside of
>> Parallels on an OSX machine. Y
idn't try ><, no luck on VMware or
> virtualbox.
>
> Thanks!
>
>
> On Fri, Dec 5, 2014 at 1:04 AM, Chuck Lantz wrote:
>
>> Hey Ally,
>>
>> Thanks for letting us know!
>>
>> Here's what I do: The Windows Phone emulator works inside
Hey Ally,
Thanks for letting us know!
Here's what I do: The Windows Phone emulator works inside of Parallels on an
OSX machine. You just need to bump up the RAM and CPUs a bit in your VM and
check "Enable nested virtualization."
-Chuck
-Original Message-
From: Ally Ogilvie [mailto:
I will be there - Looking forward to meeting everyone there.
-Chuck
-Original Message-
From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve
Sent: Monday, October 20, 2014 10:27 AM
To: dev
Subject: Re: PhoneGap day
Sorry to miss :(
On Mon, Oct 20, 2014 at 9:10
gt;
> > >> > wrote:
> > >> > > >> > >
> > >> > > >> > > > As is 4.
> > >> > > >> > > >
> > >> > > >> > > > This is more of an outreach, marketing, blogging,
> tweeting,
> > >> etc
>
with a vote for 10.0.0 ? And if someone feels strongly
> > about calling it something the vote could be cancelled !!
> >
> > On 10/9/14, 2:41 PM, "Chuck Lantz" wrote:
> >
> > >Yeah agreed - Vladimir squashed the bug and what was at once point
> > &
amp; cordova --restore, we should be able to
recommend a workflow that is easily reproducible on any machine.
On Thu, Oct 9, 2014 at 1:44 PM, Chuck Lantz wrote:
> Okay - so - there's a pretty nasty CLI blocker bug right now. Plugins
> with dependencies don't install (this affects all pla
Okay - so - there's a pretty nasty CLI blocker bug right now. Plugins with
dependencies don't install (this affects all platforms). In my opinion, we
need to get a CLI release out really soon. Are we closed on this topic, or do
we need to look at doing the old process to get this out the door
One option here could be to build off of the idea of the "res" folder that is
in the current samples for splashscreens and icons and introduce something like
"res/native". Files placed here would be put into the native project folders
"before_prepare" and would be further enhanced by the plugin
at 2:49 PM, Chuck Lantz wrote:
> Got it. I know it can be used with Windows apps so I incorrectly
> jumped to a conclusion (though there are restrictions there around
> HTTPS being required). I misinterpreted the spellcaster comment about
> saving to the "application ca
ppcache in webview based apps…unless we implement it as a plugin
(which we won't b/c appcache is a sort of terrible spec)
On Wed, Sep 3, 2014 at 2:25 PM, Chuck Lantz wrote:
> Out of curiosity, for production use where you presumably want people
> to take the updates (say because you do
Out of curiosity, for production use where you presumably want people to take
the updates (say because you don't want to keep your web service back-end
supporting older versions of your app), wouldn't simply using an offline
appcache with a hosted source achieve some of the same goals? At a cer
Yeah this is a platform restriction exclusively related to the security model
related to referencing JavaScript code that is not inside the app package.
There are no restrictions on XHR style calls or general content. At the moment
you need to include that content in a webview control (custom x-
ve list). That's what it was trying to fix.
From: Treggiari, Leo<mailto:leo.treggi...@intel.com>
Sent: 8/13/2014 6:48 PM
To: Chuck Lantz<mailto:cla...@microsoft.com>;
dev@cordova.apache.org<mailto:dev@cordova.apache.org>
Cc: Treggiari,
My two cents - there are three things here:
1. App metadata
2. Project metadata
3. Workspace metadata
$project/.cordova/config.json is probably the closest thing to an IDE project
file. The closest thing to workspace level settings is
$home/.cordova/config.json.
Given config.xml's roots, it'
amp; friends
On Wed, Aug 13, 2014 at 01:21:24AM +, Chuck Lantz wrote:
> Yes, good point - Took a look at the PR with platforms - seems like a similar
> concept but using the engine element which as I think about it would probably
> be better anyway.
>
>
>
>
as a perf measure either.
-Chuck
-Original Message-
From: Parashuram Narasimhan (MS OPEN TECH)
Sent: Tuesday, August 12, 2014 4:05 PM
To: dev@cordova.apache.org; Chuck Lantz
Subject: RE: Feedback on "cordova plugin save" & friends
Given that we are looking at decoupling
+1
That same pattern could be applied to platforms actually with an additional
version attribute:
... things like icons, splaschreens, and maybe even packaging details
go here ...
We could also follow a similar model if we wanted to say what top level cordova
version was used to cre
A related topic as it pertains to CSP: If we are going down the CSP path, what
are people's thoughts on the security risks associated with inline script
("unsafe-inline") use as a part of the default policy - particularly from
content originating from outside of the Cordova app package? It's ob
To me it sounds like we're talking about something bigger than pinning: What
does a Cordova version actually mean?
When new macro-level "Cordova" features like splash screens and icons support
or perhaps coming up with a way to manage code signing and packaging without
going into native project
Hey folks, I'm on the Visual Studio team. I think my primary concern here
comes more from what we expect developers to understand and the loss of
predictability. If you go to the Cordova documentation and see "Cordova
3.5.0", and then grab the CLI, that comes with a certain set of assumptions.
The problem does seem to tie to platform implementations.
On the Visual Studio side, we have been seeing issues with both Android and iOS
failing to compile if the name of the app ( in config.xml not the
project) contains unicode characters. The reason this is special is it shows up
on device h
62 matches
Mail list logo
