cordova-dev mailing list archives

From: David Kemp <drk...@google.com>
Subject: Re: Android InAppBrowser with local file blocks XHR on Android 4.1
Date: Thu, 29 Aug 2013 14:31:13 GMT

Since I can open a file:// resource that contains http:// pages, the
restriction should not be based on what the IAB was opened with, but what
it is currently open with.

example:
open file://index.html (contains a link to http://badplace.org)
click the link (now at http://badplace.org)
reference some arbitrary file:// resource



On Thu, Aug 29, 2013 at 10:14 AM, Andrew Grieve <agrieve@chromium.org> wrote:

> How about enabling the setting when the IAB is opened with a file:/// URL?
> I think the security concern would come when it's opened with a malicious
> http:/// URL that then navigated to a file:/// URL.
>
>
> On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <marcus.pridham@sap.com> wrote:
>
> > Fair enough.  How about adding the following option on Android?
> >
> > allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running in
> > the context of a file scheme to be allowed to access content from any
> > origin.
> >
> > Eg.
> > window.open('iab.html', '_blank',
> > 'location=no,toolbar=no,allowuniversalaccessfromfile=yes');
> >
> >
> >
> > On 8/27/13 10:57 AM, "Ian Clelland" <iclelland@chromium.org> wrote:
> >
> > >This looks like a direct port of cordova-android commit #07439ff9 to
> > >InAppBrowser.
> > >
> > >The actual setting controls whether file:///* urls are allowed to execute
> > >JavaScript from any context; it is usually false for browsers (at least
> > >Chrome) for security reasons. We turn it on for the main Cordova WebView,
> > >since (presumably) the developer has full control over what URLs can be
> > >loaded into that space. InAppBrowser is meant to be more like a regular
> > >browser view, (i.e. no Cordova APIs), so we haven't chosen to open that
> > >up.
> > >
> > >There is probably a good case to be made for allowing this -- certainly not
> > >as the default setting, but as an option that the app can set in specific
> > >cases when it knows that the IAB is only going to be used for local
> > >content, and won't be executing arbitrary scripts.
> > >
> > >Ian
> > >
> > >
> > >On Mon, Aug 26, 2013 at 10:56 PM, Shazron <shazron@gmail.com> wrote:
> > >
> > >> I'll let the Android devs comment on this more - seems like an easy patch
> > >> but the question is more of a policy thing, whether we want it in there at
> > >> all. If anything, it would be an InAppBrowser option.
> > >>
> > >>
> > >> On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <ra.sethi@sap.com> wrote:
> > >>
> > >> > Hi All,
> > >> >
> > >> > We ran into this issue with the InAppBrowser with local URLs, happens on
> > >> > JellyBean only.
> > >> >
> > >> >
> > >> > https://issues.apache.org/jira/browse/CB-4083
> > >> >
> > >> >
> > >> > The fix is suggested in the comments if @Shazron or others can take a
> > >> > look.
> > >> >
> > >> >
> > >> > So far we have been patching it on our side and would like customers to
> > >> > use the default Cordova plugin.
> > >> >
> > >> > Thanks
> > >> >
> > >> > Raman
> > >> >
> > >> >
> > >>
> >
> >
>
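
One way to tie the setting to the page currently loaded rather than the URL the IAB was opened with, as the top message suggests; this is an added example, not code from the thread or from the InAppBrowser plugin. The class name and the `optionRequested` flag are hypothetical. It assumes API 16+, assumes a settings change applies to the next page load, and covers top-level navigations only, not subresource requests.

```java
import android.graphics.Bitmap;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical WebViewClient (not the plugin's code): universal file access
// follows the URL being loaded and is never re-granted after a remote page.
public class CurrentUrlAccessClient extends WebViewClient {
    private final boolean optionRequested; // app passed allowuniversalaccessfromfile=yes
    private boolean sawRemote = false;     // sticky: set once any non-file:// page loads

    public CurrentUrlAccessClient(boolean optionRequested) {
        this.optionRequested = optionRequested;
    }

    static boolean isLocal(String url) {
        return url != null && "file".equalsIgnoreCase(Uri.parse(url).getScheme());
    }

    // Recompute the setting for the page about to load (assumes API 16+).
    private void apply(WebView view, String url) {
        boolean local = isLocal(url);
        if (!local) {
            sawRemote = true;
        }
        view.getSettings().setAllowUniversalAccessFromFileURLs(
                optionRequested && local && !sawRemote);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // A page reached after leaving file:// tries to move the view back to file://.
        if (sawRemote && isLocal(url)) {
            return true; // cancel the navigation
        }
        apply(view, url); // following a link off file:// switches the setting off
        return false;
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        // Also covers the initial loadUrl() and redirects, which bypass the hook above.
        apply(view, url);
        super.onPageStarted(view, url, favicon);
    }
}
```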
