cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Grieve <agri...@chromium.org>
Subject Re: Iframe security
Date Tue, 08 Jan 2013 16:20:56 GMT
Hi Denis,

I think you bring up a good point. It's probably not a good idea to put
untrusted content into an iframe within a Cordova app, for the reason you
explained.

Definitely a good first step would be to document this fact. If we can come
up with a fix, that would be even better :)


On Mon, Jan 7, 2013 at 4:17 AM, <denis.vergnes@orange.com> wrote:

> Hi all,
>
>
>
> I would like to know your opinion about iframe support in Cordova
> especially on Android. I think the support of iframe can cause security
> issues for two reasons:
>
> -        White list mechanism settled by Cordova becomes ineffective
> because navigation is made into iframe so the webview does not control
> the current url loaded inside the iframe
>
> -        Native APIs are not only exposed to the page loaded in the
> webview, even the iframes can access to native APIs which breaks the
> same origin policy implemented in browsers
>
>
>
> That basically means some attackers can interact with native code in a
> unintented ways. This problem is not specific to Cordova, it is a
> general problem of addJavascriptInterface method of webview.
>
> It is even explained in the webview's javadoc
> http://developer.android.com/reference/android/webkit/WebView.html#addJa
> vascriptInterface%28java.lang.Object,%20java.lang.String%29.
>
> The usage of iframe just makes it more obvious.
>
>
>
> So, I want to know your opinion about all of this:
>
> -        Have you tried to figure out a way to improve security about
> this (maybe by sharing a secret between the webview and native code to
> prevent unknown source to access native code)?
>
> -        Do you think this point should be outlined in Cordova
> documentation?
>
>
>
> Thx
>
>
>
> Denis
>
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message