cordova-dev mailing list archives

From Brian LeRoux...@brian.io>
Subject Re: Iframe security
Date Tue, 08 Jan 2013 16:42:50 GMT
Docs would be the only way we can completely mitigate this. It should
be understood that 3rd party scripts are a bad idea by web developers.

On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <agrieve@chromium.org> wrote:
> Hi Denis,
>
> I think you bring up a good point. It's probably not a good idea to put
> untrusted content into an iframe within a Cordova app, for the reason you
> explained.
>
> Definitely a good first step would be to document this fact. If we can come
> up with a fix, that would be even better :)
>
>
> On Mon, Jan 7, 2013 at 4:17 AM, <denis.vergnes@orange.com> wrote:
>
>> Hi all,
>>
>>
>>
>> I would like to know your opinion about iframe support in Cordova
>> especially on Android. I think the support of iframe can cause security
>> issues for two reasons:
>>
>> -        White list mechanism settled by Cordova becomes ineffective
>> because navigation is made into iframe so the webview does not control
>> the current url loaded inside the iframe
>>
>> -        Native APIs are not only exposed to the page loaded in the
>> webview, even the iframes can access native APIs, which breaks the
>> same origin policy implemented in browsers
>>
>>
>>
>> That basically means some attackers can interact with native code in
>> unintended ways. This problem is not specific to Cordova, it is a
>> general problem of addJavascriptInterface method of webview.
>>
>> It is even explained in the webview's javadoc
>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>>
>> The usage of iframe just makes it more obvious.
>>
>>
>>
>> So, I want to know your opinion about all of this:
>>
>> -        Have you tried to figure out a way to improve security about
>> this (maybe by sharing a secret between the webview and native code to
>> prevent unknown sources from accessing native code)?
>>
>> -        Do you think this point should be outlined in Cordova
>> documentation?
>>
>>
>>
>> Thx
>>
>>
>>
>> Denis
>>
>>
>>
>>
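
The shared-secret idea raised in the quoted message, modelled in plain JavaScript as an added example; it is not part of the original thread and not Cordova or Android code. `NativeBridge`, `issueSecret`, `mainPage` and `framedPage` are hypothetical names, and the model assumes native code can hand the token to the top-level page only.

```javascript
// Added illustration: a plain-JavaScript model, not Cordova or Android code.
const nodeCrypto = typeof require === 'function' ? require('crypto') : null;

function newSecret() {                       // 128-bit random token, hex encoded
  if (nodeCrypto) return nodeCrypto.randomBytes(16).toString('hex');
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

function sameToken(a, b) {                   // comparison without early exit
  if (typeof a !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Stands in for the object addJavascriptInterface exposes: every frame can call it.
class NativeBridge {
  constructor() { this.secret = null; this.rejected = 0; }

  // Hypothetical hook: native code hands the secret to the top-level page once.
  issueSecret() {
    if (this.secret !== null) throw new Error('secret already issued');
    this.secret = newSecret();
    return this.secret;
  }

  // The bridge cannot tell which frame is calling, so it checks the token instead.
  exec(token, service, action) {
    if (this.secret === null || !sameToken(token, this.secret)) {
      this.rejected++;
      return { ok: false, error: 'bad bridge secret' };
    }
    return { ok: true, result: service + '.' + action };
  }
}

// Top-level page: keeps the token in a closure, never on a global or in the DOM.
function mainPage(bridge) {
  const token = bridge.issueSecret();
  return (service, action) => bridge.exec(token, service, action);
}

// Framed third-party content: same bridge object, but it never received the token.
function framedPage(bridge) {
  return (service, action, guess) => bridge.exec(guess, service, action);
}
```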
