cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <bows...@gmail.com>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 22:46:10 GMT
OK, in the interest of moving things along, I think we agreed to the following:

1. Adding a SecureToken is a good idea and we should implement this somehow
2. We should stop supporting the 2.9.x branch of Cordova like we said we would
3. We should disable addJavascriptInterface for any level below API level 17

I'd like to preserve our old behaviour of blocking anything not
explicitly whitelisted, and have the ability to turn on mixed content
in iFrames with a configuration setting.  How can we move forward with
this?

On Fri, Jan 31, 2014 at 1:45 PM, Joe Bowser <bowserj@gmail.com> wrote:
> Not if your certificate is compromised.  Remember our Certificate
> Pinning discussion!
>
> On Fri, Jan 31, 2014 at 1:43 PM, Andrew Grieve <agrieve@chromium.org> wrote:
>> On Fri, Jan 31, 2014 at 4:34 PM, Martin Georgiev <mgeorgiev@utexas.edu>wrote:
>>
>>> On Fri, Jan 31, 2014 at 3:27 PM, Andrew Grieve <agrieve@chromium.org>
>>> wrote:
>>> > Why is loadUrl insecure? (hopefully something less horrible than
>>> > addJsInterface pre JB... :P)
>>>
>>> Think about the usecase where a benign website is framed by a
>>> malicious one. Again, this is server side. The app developer can't
>>> prevent it from happening. The framework developer must make sure that
>>> all usecases are handled properly.
>>>
>>
>>
>> Ah, I hadn't considered that the main frame might be malicious.
>>
>> I don't see how this would happen with a Cordova app though. We strongly
>> encourage users to use file:/// URLs for their app. For those that use
>> HTTP, that's insecure anyways and would be whitelisted by this scheme. If
>> you use HTTPS, then you should be fine, no?

Mime
View raw message