cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <bows...@gmail.com>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 21:45:43 GMT
Not if your certificate is compromised.  Remember our Certificate
Pinning discussion!

On Fri, Jan 31, 2014 at 1:43 PM, Andrew Grieve <agrieve@chromium.org> wrote:
> On Fri, Jan 31, 2014 at 4:34 PM, Martin Georgiev <mgeorgiev@utexas.edu>wrote:
>
>> On Fri, Jan 31, 2014 at 3:27 PM, Andrew Grieve <agrieve@chromium.org>
>> wrote:
>> > Why is loadUrl insecure? (hopefully something less horrible than
>> > addJsInterface pre JB... :P)
>>
>> Think about the usecase where a benign website is framed by a
>> malicious one. Again, this is server side. The app developer can't
>> prevent it from happening. The framework developer must make sure that
>> all usecases are handled properly.
>>
>
>
> Ah, I hadn't considered that the main frame might be malicious.
>
> I don't see how this would happen with a Cordova app though. We strongly
> encourage users to use file:/// URLs for their app. For those that use
> HTTP, that's insecure anyways and would be whitelisted by this scheme. If
> you use HTTPS, then you should be fine, no?

Mime
View raw message