cordova-dev mailing list archives

From Andrew Grieve <agri...@chromium.org>
Subject Ignoring SSL Errors for InAppBrowser
Date Tue, 23 Jul 2013 19:26:21 GMT
https://issues.apache.org/jira/browse/CB-3576

There are pull requests for adding to iOS & Android that add:

window.open(url, '_blank', 'location=yes,validatessl=no');


Given that this is security-related though, I wanted to get more eyes on
it. Other proposals are to have each questionable cert go through a JS
callback:

var iab = window.open(...);
iab.onSSLError = function(url) {
   return !!/^https:\/\/myalloweddomain\.com\//.exec(url);
};

Or to add a white-list to your config.xml for allowed self-signed https:
addresses.

If your app is not going to validate ssl certs, then perhaps restricting
the scope of it isn't really increasing security anyways. It's certainly
useful for development to be able to turn it off, but maybe for that reason
we should turn it off globally with a <preference> tag?

Thoughts? Willingness from other platforms?
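
Added example, not part of the original message or of the Cordova code base: one way the per-host decision behind the callback and white-list proposals could be made by parsing the URL and comparing scheme, host and port exactly, rather than matching a prefix of the URL string. The function name, the allow-list shape and the hosts are assumptions, and onSSLError is only the callback proposed in the message, not a shipped API.

```javascript
// Hosts for which a self-signed certificate would be tolerated.
// Constructed sample entries; port '' means the default HTTPS port (443).
const SELF_SIGNED_ALLOWLIST = [
  { host: 'myalloweddomain.com', port: '' },
  { host: 'dev.myalloweddomain.com', port: '8443' },
];

// Returns true only when the URL is https and its host and port match an
// allow-list entry exactly. Anything else keeps certificate validation on.
function allowSslException(rawUrl, allowlist = SELF_SIGNED_ALLOWLIST) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable input is never exempted
  }
  if (parsed.protocol !== 'https:') {
    return false;
  }
  // The URL parser lower-cases the host and separates it from any userinfo
  // ("user@") and port, so look-alike URLs cannot pass a string comparison.
  return allowlist.some(
    (entry) => entry.host === parsed.hostname && entry.port === parsed.port
  );
}

// Hypothetical wiring to the callback shape proposed in the message:
//   iab.onSSLError = function (url) { return allowSslException(url); };
```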
