cordova-dev mailing list archives

From Andrew Grieve <agri...@chromium.org>
Subject Re: Iframe security
Date Tue, 08 Jan 2013 19:56:17 GMT
Looking at docs.cordova.io, I'm thinking it might make sense to change
"Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a
section to it about the dangers of embedding untrusted content. SG? I'll
create a JIRA issue for it.


On Tue, Jan 8, 2013 at 11:49 AM, Joe Bowser <bowserj@gmail.com> wrote:

> Agreed! We should just discourage web developers from using iFrames
> whenever we can.  They don't even work properly on ICS.
>
> On Tue, Jan 8, 2013 at 8:42 AM, Brian LeRoux <b@brian.io> wrote:
> > Docs would be the only way we can completely mitigate this. It should
> > be understood that 3rd party scripts are a bad idea by web developers.
> >
> > On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <agrieve@chromium.org> wrote:
> >> Hi Denis,
> >>
> >> I think you bring up a good point. It's probably not a good idea to put
> >> untrusted content into an iframe within a Cordova app, for the reason you
> >> explained.
> >>
> >> Definitely a good first step would be to document this fact. If we can come
> >> up with a fix, that would be even better :)
> >>
> >>
> >> On Mon, Jan 7, 2013 at 4:17 AM, <denis.vergnes@orange.com> wrote:
> >>
> >>> Hi all,
> >>>
> >>>
> >>>
> >>> I would like to know your opinion about iframe support in Cordova
> >>> especially on Android. I think the support of iframe can cause security
> >>> issues for two reasons:
> >>>
> >>> -        White list mechanism settled by Cordova becomes ineffective
> >>> because navigation is made into iframe so the webview does not control
> >>> the current url loaded inside the iframe
> >>>
> >>> -        Native APIs are not only exposed to the page loaded in the
> >>> webview, even the iframes can access native APIs, which breaks the
> >>> same origin policy implemented in browsers
> >>>
> >>>
> >>>
> >>> That basically means some attackers can interact with native code in
> >>> unintended ways. This problem is not specific to Cordova, it is a
> >>> general problem of the addJavascriptInterface method of webview.
> >>>
> >>> It is even explained in the webview's javadoc
> >>>
> >>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
> >>>
> >>> The usage of iframe just makes it more obvious.
> >>>
> >>>
> >>>
> >>> So, I want to know your opinion about all of this:
> >>>
> >>> -        Have you tried to figure out a way to improve security about
> >>> this (maybe by sharing a secret between the webview and native code to
> >>> prevent unknown sources from accessing native code)?
> >>>
> >>> -        Do you think this point should be outlined in Cordova
> >>> documentation?
> >>>
> >>>
> >>>
> >>> Thx
> >>>
> >>>
> >>>
> >>> Denis
> >>>
> >>>
> >>>
> >>>
>
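
Added example, not part of the original thread and not Cordova code: because the whitelist is not enforced for content loaded inside an iframe, one check an app author can run at build time is a static audit of iframe sources against the config.xml <access origin> entries. The matching rules, the APP_BASE path and all sample input below are assumptions constructed for illustration.

```javascript
// Constructed sample input: a config.xml whitelist and an app page.
const CONFIG_XML = `
<widget>
  <access origin="https://api.example.com" />
  <access origin="https://*.cdn.example.com" />
</widget>`;
const INDEX_HTML = `
<iframe src="https://api.example.com/help.html"></iframe>
<iframe src="https://static.cdn.example.com/banner.html"></iframe>
<iframe src="https://ads.example.net/slot.html"></iframe>
<iframe src="pages/local.html"></iframe>`;

// Assumption: app pages are served from the Android asset directory.
const APP_BASE = 'file:///android_asset/www/index.html';

// Collect the origin patterns from <access origin="..."> elements.
function whitelistOrigins(configXml) {
  const re = /<access\b[^>]*\borigin\s*=\s*"([^"]*)"/gi;
  return [...configXml.matchAll(re)].map((m) => m[1]);
}

// Simplified matching (an assumption, not Cordova's own matcher):
// a lone "*" allows everything; otherwise "*" matches any run of
// characters except "/" and the whole origin must match.
function patternToRegex(pattern) {
  if (pattern === '*') return /^/;
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '[^/]*');
  return new RegExp('^' + escaped + '$', 'i');
}

// Return each iframe src that resolves to a remote origin matching
// no whitelist entry. Sources that resolve to file: are packaged pages.
function auditIframes(html, configXml) {
  const allowed = whitelistOrigins(configXml).map(patternToRegex);
  const findings = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(re)) {
    let url;
    try { url = new URL(m[1], APP_BASE); } catch { findings.push(m[1]); continue; }
    if (url.protocol === 'file:') continue;
    if (!allowed.some((p) => p.test(url.origin))) findings.push(m[1]);
  }
  return findings;
}

console.log(auditIframes(INDEX_HTML, CONFIG_XML));
```

This only covers the initial src of each frame; navigation that happens inside the frame afterwards, the case raised in the thread, is outside what a static check can see.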
