
Content Security Policy (CSP) #1672

@tanx

Description


Chrome Packaged Apps have CSP enabled by default to protect users against code injection attacks. In runtimes such as PhoneGap this isn't enabled by default, but developers can set the meta tag in the html document head. Like so:

<meta http-equiv="Content-Security-Policy" content="script-src 'self';">

This blocks inline scripts and other sources and only allows locally loaded scripts. E.g. the following code should not be allowed to be executed:

<script type="text/javascript">
  alert('xss');
</script>

Chrome blocks this code while node-webkit doesn't. Is there a reason for this?

The reason I'm asking is that we are porting our PGP mail client (https://whiteout.io) from chrome packaged apps to node-webkit. But this issue is basically a showstopper for us, as it could allow an attacker to get a hold of the user's private key should he be able to inject code somehow.

Thanks
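As an added example (not code from the issue or from the node-webkit project), the following parses a CSP string such as the meta-tag value above and reports whether arbitrary inline script blocks would be permitted under it. It goes slightly beyond the issue's single policy: it applies the CSP Level 2 rules that `script-src` falls back to `default-src` and that a nonce or hash source disables `'unsafe-inline'`; the sample policies are constructed for the demonstration. Such a check is useful as a build-time lint of an app's index.html, independent of whether the runtime actually enforces the policy.

```javascript
// Added example, not part of the nw.js issue or project.
// Assumes CSP Level 2 semantics: script-src falls back to default-src,
// and 'unsafe-inline' is ignored when a nonce or hash source is present.

function parseCsp(policy) {
  // Directives are separated by ';'; each is "name source source ...".
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The spec says the first occurrence of a directive wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // no governing directive: scripts are unrestricted
}

// True when an inline <script> with no matching nonce/hash would run.
function arbitraryInlineAllowed(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  // A nonce or hash source makes 'unsafe-inline' a no-op in CSP2 browsers.
  if (hasNonceOrHash) return false;
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed sample policies for demonstration.
const SAMPLES = {
  issue: "script-src 'self';",
  weak: "default-src 'self' 'unsafe-inline'",
  hashed: "script-src 'self' 'unsafe-inline' 'sha256-abc'",
  unrelated: "img-src 'self'",
};

for (const [label, policy] of Object.entries(SAMPLES)) {
  const verdict = arbitraryInlineAllowed(policy) ? 'inline allowed' : 'inline blocked';
  console.log(`${label.padEnd(10)} ${verdict}   (${policy})`);
}
```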
