cordova-commits mailing list archives

From infil00p <>
Subject [GitHub] cordova-plugin-inappbrowser issue #99: inAppBrowser custom application schem...
Date Wed, 27 Sep 2017 18:46:52 GMT
Github user infil00p commented on the issue:
Years ago, we added the Intent whitelist to Android to prevent Android from launching third-party intents that aren't whitelisted.

Since the whole point of the InAppBrowser as it was originally intended to be used is to allow untrusted Web content to be run in a sandbox away from the Cordova API, we have to treat the contents themselves as untrusted. The problem is that there's no way to communicate that to the user except for the address bar, which can be disabled. It's not clear to the user that they actually made it to the proper OAuth page. Of course, we don't allow for the InAppBrowser to use Self-Signed Certificates, which does help mitigate this, but we have PRs open for people who want InAppBrowser to do so.

So, if Cordova can't open random intents, neither should the InAppBrowser, and I would actually consider it a bug for iOS to be able to do so. The InAppBrowser as it is currently designed could be prone to phishing attacks if we start giving it more and more functionality. Now, if someone were to make this robust enough to check the intent whitelist to see if Cordova could actually launch this intent, I might consider adopting this, but currently there's no way I'd accept this PR as it is.
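
The check the comment asks for, sketched as an added example (not code from the plugin, the PR, or Cordova's own whitelist implementation): a navigation is handed to an external app only when it matches an allow-intent style pattern, and anything else is refused. The function names, the simplified `*` wildcard syntax, the `myapp://` scheme and the sample list are assumptions made for illustration.

```javascript
// Added sketch: deny-by-default decision for URLs seen by an in-app browser.
// Pattern syntax is a simplified assumption, not Cordova's whitelist parser.

// Constructed sample list, shaped like <allow-intent href="..."/> entries.
const SAMPLE_ALLOW_INTENT = ["tel:*", "mailto:*", "myapp://oauth/*"];

// RFC 3986 scheme: a letter followed by letters, digits, "+", "." or "-".
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

// Compile one pattern into an anchored RegExp; "*" is the only wildcard.
function compilePattern(pattern) {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$");
}

// Returns "webview" (keep loading in the sandboxed view),
// "launch-intent" (explicitly allow-listed) or "block" (everything else).
function classifyNavigation(url, allowIntentPatterns) {
  const trimmed = String(url).trim();
  const m = SCHEME_RE.exec(trimmed);
  if (!m) return "block"; // no parseable scheme: refuse rather than guess

  // Schemes are case-insensitive, the rest of the URL is not.
  const scheme = m[1].toLowerCase();
  const normalized = scheme + trimmed.slice(m[1].length);

  // Assumption: ordinary web content stays inside the in-app browser.
  if (scheme === "http" || scheme === "https") return "webview";

  const allowed = allowIntentPatterns.some((p) =>
    compilePattern(p).test(normalized)
  );
  return allowed ? "launch-intent" : "block";
}
```

Because the patterns are anchored at both ends, a URL that merely contains an allowed prefix somewhere in its path does not pass.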

