cordova-dev mailing list archives

From Jonathan Bond-Caron <jbo...@gdesolutions.com>
Subject RE: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 19:18:45 GMT
> > https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
> >
> > > I don't know enough about the reasons for the different bridges to
> > > know whether this is a good idea or not.
> > >
> >
> > This is why we can't have nice things!
> >
> 
> Ouch... that's a good reason to disable that bridge completely for APIs < 17; never
> mind whether noFrak is enabled or not. If it's likely that addJavascriptInterface
> has other holes like this, then we should talk about removing it entirely.
> 

Seems harsh to disable that bridge completely: "The following JavaScript, *if injected into
a WebView*"

This is nothing new, third party <script> tags or content are always a security concern.

Making a "safer" bridge the default seems best; it still does mean the bridge is free from
third-party injection attacks.
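The mitigation the thread discusses, gating the `addJavascriptInterface` bridge on API level 17, as an added illustration that is not Cordova's code and not from any poster in this thread. It uses the real Android APIs `Build.VERSION.SDK_INT`, `Build.VERSION_CODES.JELLY_BEAN_MR1`, `WebView.addJavascriptInterface` and the `@JavascriptInterface` annotation; the class names `BridgeGuard` and `EchoBridge`, the method `attachBridgeIfSafe` and the interface name `"NativeEcho"` are hypothetical.

```java
// Added illustration (not Cordova's own code): only attach a JavaScript bridge object
// on API levels where the WebView restricts script access to annotated methods.
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public final class BridgeGuard {  // hypothetical class name

    /**
     * Minimal bridge object. On API 17 and later, page script can reach only the
     * methods carrying @JavascriptInterface; everything else on this object is hidden.
     */
    public static final class EchoBridge {  // hypothetical class name
        @JavascriptInterface
        public String echo(String s) {
            return s == null ? "" : s;
        }
    }

    /**
     * Attaches the bridge and returns true, or returns false without attaching it when
     * the platform is older than API 17, where any public method of the bound object
     * is reachable from injected script.
     */
    @SuppressLint("AddJavascriptInterface")
    public static boolean attachBridgeIfSafe(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {  // JELLY_BEAN_MR1 == 17
            // No annotation enforcement below API 17: withhold the object entirely.
            return false;
        }
        webView.addJavascriptInterface(new EchoBridge(), "NativeEcho");  // hypothetical interface name
        return true;
    }
}
```

This only closes the reflective hole in the bridge itself; as the message above notes, script injected into the page through third-party content can still call whatever the bridge deliberately exposes, so the exposed methods should be kept minimal regardless of API level.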
