cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shazron <shaz...@gmail.com>
Subject Re: Change to iOS whitelist behavior?
Date Fri, 01 Feb 2013 21:00:23 GMT
No this is totally restricted to playing audio and the plugin. I suppose if
there is a problem with Apple's media playing code, sure


On Fri, Feb 1, 2013 at 12:57 PM, Jesse <purplecabbage@gmail.com> wrote:

> it is a security break regardless, and you can do much more than play rogue
> audio.  For example send data in the url ....
>
> On Fri, Feb 1, 2013 at 12:27 PM, Shazron <shazron@gmail.com> wrote:
>
> > Seems like a harmless thing for now for us to fix and re-tag, since the
> > most this does is allow people to play rogue audio files I guess? I'll
> file
> > an issue.
> >
> >
> > On Fri, Feb 1, 2013 at 11:11 AM, Andrew Grieve <agrieve@chromium.org>
> > wrote:
> >
> > > CDVSound.m doesn't set the User-Agent, which I think means it's not
> being
> > > restricted to the white-list.
> > >
> > >
> > > On Fri, Feb 1, 2013 at 1:45 PM, Shazron <shazron@gmail.com> wrote:
> > >
> > > > Not that I am aware of. There might be something related to the
> > > user-agent
> > > > changes. Let me verify your results.
> > > >
> > > >
> > > > On Fri, Feb 1, 2013 at 9:03 AM, Becky Gibson <gibson.becky@gmail.com
> >
> > > > wrote:
> > > >
> > > > > Did I miss a change in our whitelist implementation on iOS?
> > > > >
> > > > > It used to be that I had to make sure audio.ibeat.org was in the
> > > > whitelist
> > > > > before running the mobile-spec media tests.   When testing with
> > 2.4rc2
> > > I
> > > > > noticed this is no longer the case.  My whitelist is:
> > > > >
> > > > > <access origin="http://www.google.com" />
> > > > >
> > > > >     <access origin="*.apache.org*"/>
> > > > >
> > > > >     <access origin="cordova-filetransfer.jitsu.com" />
> > > > >
> > > > >     <access origin="whatheaders.com" />
> > > > >
> > > > > Yet the media plays just fine.  I suspect this change has been in
> > there
> > > > for
> > > > > awhile.  Previously I just assumed media was working because my
> > > whitelist
> > > > > was <access origin="*" />
> > > > >
> > > > > When testing with a changed whitelist via config.xml completely
> > removed
> > > > my
> > > > > test app from the device and did a build clean before running
> again.
> > > > >
> > > > > It looks like whitelist checking doesn't even occur for the media
> > url.
> > > > >
> > > > > just curious!
> > > > >
> > > >
> > >
> >
>
>
>
> --
> @purplecabbage
> risingj.com
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message