cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Simon MacDonald (JIRA)" <>
Subject [jira] [Resolved] (CB-1572) Whitelisting not enforced in unsigned Android app
Date Tue, 02 Oct 2012 15:03:07 GMT


Simon MacDonald resolved CB-1572.

       Resolution: Duplicate
    Fix Version/s: 2.2.0

I believe this is a duplicate of CB-1564
> Whitelisting not enforced in unsigned Android app
> -------------------------------------------------
>                 Key: CB-1572
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>    Affects Versions: 2.1.0
>         Environment: Android 2.3 and 4.1
>            Reporter: Antony Lees
>            Assignee: Joe Bowser
>            Priority: Minor
>             Fix For: 2.2.0
> The config.xml allows non-whitelisted URLs to be accessed before the app is signed. 
So, for example, if I whitelist only localhost
>  <access origin="*"/> <!-- allow local pages -->
> but then attempt to open a iframe with, the iframe will be displayed
from an unsigned .apk (either by running from Eclipse or by installed the .apk from the /bin
> As soon as the .apk is exported and signed, the whitelist is enforced and the iframe
will not display as expected
> Just to reiterate - the exact same code and whitelist is not enforced if the app is NOT
signed.  As soon as I export it in Eclipse, which signs it, the whitelist is enforced
> This makes debugging difficult as the only way to check the whitelist is to export the
app and install the signed .apk

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message