cordova-dev mailing list archives

From Andrew Grieve <agri...@chromium.org>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 21:43:15 GMT
On Fri, Jan 31, 2014 at 4:34 PM, Martin Georgiev <mgeorgiev@utexas.edu> wrote:

> On Fri, Jan 31, 2014 at 3:27 PM, Andrew Grieve <agrieve@chromium.org>
> wrote:
> > Why is loadUrl insecure? (hopefully something less horrible than
> > addJsInterface pre JB... :P)
>
> Think about the use case where a benign website is framed by a
> malicious one. Again, this is server side. The app developer can't
> prevent it from happening. The framework developer must make sure that
> all use cases are handled properly.
>


Ah, I hadn't considered that the main frame might be malicious.

I don't see how this would happen with a Cordova app though. We strongly
encourage users to use file:/// URLs for their app. For those that use
HTTP, that's insecure anyways and would be whitelisted by this scheme. If
you use HTTPS, then you should be fine, no?
