cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin Hawkins (JIRA)" <>
Subject [jira] [Created] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests
Date Mon, 22 Oct 2012 02:52:12 GMT
Kevin Hawkins created CB-1695:

             Summary: [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view
                 Key: CB-1695
             Project: Apache Cordova
          Issue Type: Bug
          Components: iOS
    Affects Versions: 2.2.0
         Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit ef67dcf7bce56c69299bb89ab16c1803d0edd895
            Reporter: Kevin Hawkins
            Assignee: Shazron Abdullah

Registered NSURLProtocol objects respond to NSURLRequests across an application.  As such,
CDVURLProtocol handles all requests that would pass through any UIWebView in the application,
and applies Cordova's whitelist rules accordingly to each http(s) request.

This is an unreasonable overreach of authority, in an app where Cordova is only one component
of the app.  Consider the case where I have my own UIWebView (think ChildBrowser), and I want
to load arbitrary web content.  This web content has no access to the Cordova sandbox on the
device, and as such should not be subject to the security restrictions that limit requests
to whitelisted/trusted hosts.

The logic in [CDVURLProtocol canInitWithRequest:] that validates the view controller against
the global CDVViewController registry, for /!gap_exec calls, should be extended to make the
same check against http(s) calls, and allow them without whitelist comparison for requests
that originate outside of any registered CDVViewController instances.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message