From: "Andrew Grieve (JIRA)"
To: callback-dev@incubator.apache.org
Date: Fri, 23 Nov 2012 15:28:58 +0000 (UTC)
Subject: [jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests

    [ https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13503222#comment-13503222 ]

Andrew Grieve commented on CB-1695:
-----------------------------------

Added a check that /!gap_exec comes from a webview:
https://git-wip-us.apache.org/repos/asf?p=cordova-ios.git;a=commit;h=e8a740176a465092b0d55dc9aee9a3e0ac314691

> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests
> -----------------------------------------------------------------------------------------
>
>                 Key: CB-1695
>                 URL: https://issues.apache.org/jira/browse/CB-1695
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>   Affects Versions: 2.2.0
>         Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit ef67dcf7bce56c69299bb89ab16c1803d0edd895
>            Reporter: Kevin Hawkins
>            Assignee: Shazron Abdullah
>             Fix For: 2.3.0
>
>
> Registered NSURLProtocol objects respond to NSURLRequests across an application. As such, CDVURLProtocol handles all requests that would pass through any UIWebView in the application, and applies Cordova's whitelist rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is only one component of the app. Consider the case where I have my own UIWebView (think ChildBrowser), and I want to load arbitrary web content. This web content has no access to the Cordova sandbox on the device, and as such should not be subject to the security restrictions that limit requests to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view controller against the global CDVViewController registry, for /!gap_exec calls, should be extended to make the same check against http(s) calls, and allow them without whitelist comparison for requests that originate outside of any registered CDVViewController instances.
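
The scoping the issue asks for, as an added sketch that is not code from this thread or from cordova-ios: an NSURLProtocol subclass that applies a host whitelist only to http(s) requests whose owner is in a registry. The class name, the `X-Example-Owner` header, both globals and the sample host are hypothetical, and the sketch assumes each request already carries its owner's tag.

```objc
#import <Foundation/Foundation.h>

// Hypothetical names for this sketch: ExampleScopedProtocol, kOwnerHeader,
// gRegisteredOwners, gAllowedHosts. None of them are Cordova identifiers.
static NSString* const kOwnerHeader = @"X-Example-Owner"; // assumed per-controller tag
static NSMutableSet* gRegisteredOwners; // tokens of controllers that are under the policy
static NSSet* gAllowedHosts;            // exact-match host whitelist (constructed sample)

@interface ExampleScopedProtocol : NSURLProtocol
+ (void)registerOwner:(NSString*)token;
@end

@implementation ExampleScopedProtocol

+ (void)initialize
{
    if (self == [ExampleScopedProtocol class]) {
        gRegisteredOwners = [[NSMutableSet alloc] init];
        gAllowedHosts = [[NSSet alloc] initWithObjects:@"example.org", nil];
    }
}

+ (void)registerOwner:(NSString*)token
{
    @synchronized(gRegisteredOwners) { [gRegisteredOwners addObject:token]; }
}

// YES claims the request so startLoading can reject it; NO leaves it to the default loader.
+ (BOOL)canInitWithRequest:(NSURLRequest*)request
{
    NSString* owner = [request valueForHTTPHeaderField:kOwnerHeader];
    if (owner == nil) { return NO; } // untagged: not a controller we police
    @synchronized(gRegisteredOwners) {
        if (![gRegisteredOwners containsObject:owner]) { return NO; } // unregistered owner
    }
    NSString* scheme = [[[request URL] scheme] lowercaseString];
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) { return NO; }
    NSString* host = [[[request URL] host] lowercaseString];
    return host == nil || ![gAllowedHosts containsObject:host]; // claim only what is off-list
}

+ (NSURLRequest*)canonicalRequestForRequest:(NSURLRequest*)request { return request; }

- (void)startLoading
{
    // Only off-whitelist requests from registered owners reach this point: fail them.
    NSError* err = [NSError errorWithDomain:NSURLErrorDomain code:NSURLErrorCancelled userInfo:nil];
    [[self client] URLProtocol:self didFailWithError:err];
}

- (void)stopLoading {}

@end
```

Because an untagged or unregistered request skips the whitelist entirely, the tag has to be something the loaded web content cannot set, change or strip; otherwise content inside a policed view could opt itself out.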