cordova-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [2/2] docs commit: CB-8715 Update security guide for whitelist changes in Android 4.0.0 (close #272)
Date Wed, 25 Mar 2015 13:40:27 GMT
CB-8715 Update security guide for whitelist changes in Android 4.0.0 (close #272)


Branch: refs/heads/master
Commit: 074944bba598f573d08c9a08ebe1fcba31e0165b
Parents: 53a189b
Author: Jason Chase <>
Authored: Tue Mar 24 23:10:54 2015 -0400
Committer: Andrew Grieve <>
Committed: Wed Mar 25 09:40:20 2015 -0400

 docs/en/edge/guide/appdev/security/ | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/docs/en/edge/guide/appdev/security/ b/docs/en/edge/guide/appdev/security/
index 541e87f..9a8995e 100644
--- a/docs/en/edge/guide/appdev/security/
+++ b/docs/en/edge/guide/appdev/security/
@@ -34,18 +34,8 @@ The following guide includes some security best practices that you should
 * Read and understand the Whitelist Guide
-* By default, the Whitelist on a newly created app will allow access to every domain through
the `<access>` tag: 
-     `<access origin="*">`
-If you want network requests to be evaluated against the whitelist, then it is important
to change this and only allow the domains to which you need access. This can be done by editing
the application-level config file located at:
-     `{project}/config.xml` (recent projects) or `{project}/www/config.xml` (older projects)
-* Android's Whitelist on Cordova 2.9.x is considered secure, however, it was discovered that
if is included in the whitelist, would be able to pass the whitelist
test. This was fixed in Cordova 3.x.  
 * Domain whitelisting does not work on Android API 10 and below, and WP8 for iframes and
XMLHttpRequest. This means an attacker can load any domain in an iframe and any script on
that page within the iframe can directly access Cordova JavaScript objects and the corresponding
native Java objects. You should take this into consideration when building applications for
these platforms. In practice this means making sure you target an Android API higher than
10, and that if possible you do not use an iframe to load external content - use the inAppBrowser
plugin or other third-party plugins. 
-* On Android, as of Cordova 3.6.0, it is now necessary to whitelist URLs outside of your
application, if your application generates links to those URLs. If you application generates
`tel:`, `geo:`, `sms:`, `intent:` or similar URLs, or provides links to external content which
you expect to open up in the user's browser, then you will need to update your whitelist.
See the Whitelist Guide for details.
 ## Iframes and the Callback Id Mechanism
 If content is served in an iframe from a whitelisted domain, that domain will have access
to the native Cordova bridge. This means that if you whitelist a third-party advertising network
and serve those ads through an iframe, it is possible that a malicious ad will be able to
break out of the iframe and perform malicious actions. Because of this, you should generally
not use iframes unless you control the server that hosts the iframe content.  Also note that
there are third party plugins available to support advertising networks. Note that this statement
is not true for iOS, which intercepts everything including iframe connections. 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message