cordova-commits mailing list archives

From Apache Wiki <>
Subject [Cordova Wiki] Update of "BugtraqResonseDraft" by JoeBowser
Date Fri, 24 Jan 2014 21:45:18 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Cordova Wiki" for change notification.

The "BugtraqResonseDraft" page has been changed by JoeBowser:

Initial Draft

New page:
This is a draft response to the Bugtraq Public Disclosure done by Martin Georgiev, Suman Jana
and Vitaly Shmatikov at the University of Texas in Austin.

A month ago, we received a security disclosure regarding alleged security issues with Apache
Cordova on Android, namely that the whitelist does not work for various documents referenced
by HTML pages.  That being said, this is a known vulnerability that we have explicitly
documented in the PhoneGap and Cordova documentation since Cordova 3.2.0.

Given the fact that Gingerbread is API 10, and the fact that Google and device manufacturers
are no longer actively maintaining this version of Android, we feel that this is an appropriate
response.  If you need your application to be secure from attacks on Gingerbread, we recommend
setting your minimum SDK level higher than 10, since Gingerbread is not a safe or secure platform.

In addition to this, when developing an application, everything that is loaded into the WebView
on Cordova has trusted access to the Cordova API.  This includes third-party ad networks.
We recommend not using any web advertisers in this manner in your application, since this
is not trustworthy, and using third-party plugins to handle advertiser content instead.  Web
advertisements are not meant for mobile applications: not only are they a security issue,
they also offer a very poor user experience.

In addition to this, other claims were brought that were not security related.  This includes:

''PhoneGap’s domain whitelisting on Android (API 11 or higher) and iOS does not adhere to
the same-origin policy.  Third-party scripts included using <script> tags are blocked
unless their source domain is whitelisted, even though these scripts execute in the origin
of the hosting page, not their source origin.''

This is by design.  All content is blocked if it does not come from a whitelisted domain, to
prevent non-trusted domains from getting access to the Cordova API.  This includes advertising
networks.  This further makes the point that web-based advertising networks should not be used
with Cordova.  Again, the purpose of Cordova is to provide web developers the ability to make
hybrid apps in a native context on the web.  The use case is NOT to display web pages or
web advertiser content.

We welcome security submissions, but we request that, when presenting a solution, the git
history of the project remain intact.  We have not been able to easily review the changes,
since they were done on an old major version of Cordova on a repository with the history removed,
making it difficult for us to port any of these changes.  We do not know if this was done
intentionally, but we prefer that patches be submitted either by e-mail or a GitHub pull request.
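
An added example, not part of the original message or of the Cordova project's code: a small audit of the two settings the draft discusses, the app's minimum SDK level and its whitelist entries. It assumes the usual Android project layout (`<uses-sdk android:minSdkVersion>` in AndroidManifest.xml, `<access origin>` in Cordova's config.xml); the function names and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GINGERBREAD_API = 10  # API level the draft above calls unsafe

# Constructed sample inputs (not taken from any real project).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
</manifest>"""

SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="https://api.example.com"/>
  <access origin="*"/>
</widget>"""


def min_sdk(manifest_xml):
    """Return minSdkVersion as an int; Android treats a missing value as 1."""
    node = ET.fromstring(manifest_xml).find("uses-sdk")
    raw = node.get(ANDROID_NS + "minSdkVersion") if node is not None else None
    return int(raw) if raw else 1


def access_origins(config_xml):
    """Return every <access origin="..."> value, whatever the XML namespace."""
    return [el.get("origin", "") for el in ET.fromstring(config_xml).iter()
            if el.tag.rsplit("}", 1)[-1] == "access"]


def audit(manifest_xml, config_xml):
    """Return a list of findings for the two settings discussed above."""
    findings = []
    level = min_sdk(manifest_xml)
    if level <= GINGERBREAD_API:
        findings.append(f"minSdkVersion={level}: installs on API {GINGERBREAD_API} or lower")
    if "*" in access_origins(config_xml):
        findings.append('access origin "*": any domain may load with Cordova API access')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Origins that pass this check still receive trusted access to the Cordova API, so each remaining entry should be reviewed by hand.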
