cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <bows...@gmail.com>
Subject Re: Iframe security
Date Tue, 08 Jan 2013 16:49:14 GMT
Agreed! We should just discourage web developers from using iFrames
whenever we can.  They don't even work properly on ICS.

On Tue, Jan 8, 2013 at 8:42 AM, Brian LeRoux <b@brian.io> wrote:
> Docs would be the only way we can completely mitigate this. It should
> be understood that 3rd party scripts are a bad idea by web developers.
>
> On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <agrieve@chromium.org> wrote:
>> Hi Denis,
>>
>> I think you bring up a good point. It's probably not a good idea to put
>> untrusted content into an iframe within a Cordova app, for the reason you
>> explained.
>>
>> Definitely a good first step would be to document this fact. If we can come
>> up with a fix, that would be even better :)
>>
>>
>> On Mon, Jan 7, 2013 at 4:17 AM, <denis.vergnes@orange.com> wrote:
>>
>>> Hi all,
>>>
>>>
>>>
>>> I would like to know your opinion about iframe support in Cordova
>>> especially on Android. I think the support of iframe can cause security
>>> issues for two reasons:
>>>
>>> -        White list mechanism settled by Cordova becomes ineffective
>>> because navigation is made into iframe so the webview does not control
>>> the current url loaded inside the iframe
>>>
>>> -        Native APIs are not only exposed to the page loaded in the
>>> webview, even the iframes can access to native APIs which breaks the
>>> same origin policy implemented in browsers
>>>
>>>
>>>
>>> That basically means some attackers can interact with native code in a
>>> unintented ways. This problem is not specific to Cordova, it is a
>>> general problem of addJavascriptInterface method of webview.
>>>
>>> It is even explained in the webview's javadoc
>>> http://developer.android.com/reference/android/webkit/WebView.html#addJa
>>> vascriptInterface%28java.lang.Object,%20java.lang.String%29.
>>>
>>> The usage of iframe just makes it more obvious.
>>>
>>>
>>>
>>> So, I want to know your opinion about all of this:
>>>
>>> -        Have you tried to figure out a way to improve security about
>>> this (maybe by sharing a secret between the webview and native code to
>>> prevent unknown source to access native code)?
>>>
>>> -        Do you think this point should be outlined in Cordova
>>> documentation?
>>>
>>>
>>>
>>> Thx
>>>
>>>
>>>
>>> Denis
>>>
>>>
>>>
>>>

Mime
View raw message