cordova-dev mailing list archives

From Andrew Grieve <agri...@chromium.org>
Subject Re: Android InAppBrowser with local file blocks XHR on Android 4.1
Date Thu, 29 Aug 2013 14:14:24 GMT
How about enabling the setting when the IAB is opened with a file:/// URL?
I think the security concern would come when it's opened with a malicious
http:/// URL that then navigated to a file:/// URL.


On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <marcus.pridham@sap.com> wrote:

> Fair enough.  How about adding the following option on Android?
>
> allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running in
> the context of a file scheme to be allowed to access content from any
> origin.
>
> E.g.
> window.open('iab.html', '_blank',
> 'location=no,toolbar=no,allowuniversalaccessfromfile=yes');
>
>
>
> On 8/27/13 10:57 AM, "Ian Clelland" <iclelland@chromium.org> wrote:
>
> >This looks like a direct port of cordova-android commit #07439ff9 to
> >InAppBrowser.
> >
> >The actual setting controls whether file:///* urls are allowed to execute
> >JavaScript from any context; it is usually false for browsers (at least
> >Chrome) for security reasons. We turn it on for the main Cordova WebView,
> >since (presumably) the developer has full control over what URLs can be
> >loaded into that space. InAppBrowser is meant to be more like a regular
> >browser view, (i.e. no Cordova APIs), so we haven't chosen to open that
> >up.
> >
> >There is probably a good case to be made for allowing this -- certainly not
> >as the default setting, but as an option that the app can set in specific
> >cases when it knows that the IAB is only going to be used for local
> >content, and won't be executing arbitrary scripts.
> >
> >Ian
> >
> >
> >On Mon, Aug 26, 2013 at 10:56 PM, Shazron <shazron@gmail.com> wrote:
> >
> >> I'll let the Android devs comment on this more - seems like an easy patch
> >> but the question is more of a policy thing, whether we want it in there at
> >> all. If anything, it would be an InAppBrowser option.
> >>
> >>
> >> On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <ra.sethi@sap.com> wrote:
> >>
> >> > Hi All,
> >> >
> >> > We ran into this issue with the InAppBrowser with local URLs, happens on
> >> > JellyBean only.
> >> >
> >> >
> >> > https://issues.apache.org/jira/browse/CB-4083
> >> >
> >> >
> >> > The fix is suggested in the comments if @Shazron or others can take a
> >> > look.
> >> >
> >> >
> >> > So far we have been patching it on our side and would like customers to
> >> > use the default Cordova plugin.
> >> >
> >> > Thanks
> >> >
> >> > Raman
> >> >
> >> >
> >>
>
>
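
The gating discussed in this thread, as an added example that is not part of the original messages and is not cordova-plugin-inappbrowser code: universal file access is switched on only when the app opted in and the view was opened on a file:/// URL, and a view opened on a remote URL refuses later file:/// loads. The class name `FileAccessPolicy`, the `optedIn` flag (standing in for the proposed `allowuniversalaccessfromfile` option) and the stand-alone `WebViewClient` are assumptions made for illustration.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical helper for illustration; not the plugin's own code. */
public final class FileAccessPolicy {
    private FileAccessPolicy() {}

    static boolean isFileUrl(String url) {
        return url != null && "file".equalsIgnoreCase(Uri.parse(url).getScheme());
    }

    /** Grants universal access only if the app opted in AND the first URL is local. */
    public static void apply(WebView view, String initialUrl, boolean optedIn) {
        final boolean startedLocal = isFileUrl(initialUrl);
        WebSettings settings = view.getSettings();

        // The setter was added in API 16 (Jelly Bean), where the default became false.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowUniversalAccessFromFileURLs(optedIn && startedLocal);
        }

        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                // Returning true cancels the load: a view that was opened on a
                // remote page is not allowed to move on to file:// content.
                return !startedLocal && isFileUrl(url);
            }
        });
    }
}
```

In a real plugin the navigation check would have to be merged into the existing `WebViewClient` rather than replacing it, and `apply` must run before the first `loadUrl` call.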
