cordova-dev mailing list archives

From Joe Bowser <bows...@gmail.com>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 18:32:02 GMT
On Fri, Jan 31, 2014 at 8:57 AM, Bas Bosman <mail@nazgul.nu> wrote:
>
> LocalStorage leverages the browser's same origin policy to ensure that
> content from other origins cannot read the token and thus cannot access
> the bridge. If we use vanilla JS there is nothing stopping the malicious
> code from reading the random # itself before calling the bridge.
>

We're not using Vanilla JS.  Tokens have to be added for all
whitelisted domains natively.  This is done to solve the whole Chicken
and the Egg problem that we have with our config.xml.  The value
should exist when the browser gets access to the storage, and it has
to match what it is natively, which I believed is stored in memory, so
even if the value was added in Vanilla JS, it would be caught and set
as invalid.  I haven't tested that.
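
The check described in the reply above, a random token placed into each whitelisted origin's localStorage from the native side and compared on every bridge call against the value native keeps in memory, modelled as an added Python example. This is not Cordova's code; the origins, the storage key `bridgeToken` and the class names are constructed for the illustration, and the native side is assumed to know the calling origin from the WebView's loaded URL.

```python
import hmac
import secrets
from typing import Dict, Optional


class OriginStorage:
    """Model of localStorage partitioned by origin (the same-origin policy)."""

    def __init__(self) -> None:
        self._buckets: Dict[str, Dict[str, str]] = {}

    def set(self, origin: str, key: str, value: str) -> None:
        self._buckets.setdefault(origin, {})[key] = value

    def get(self, origin: str, key: str) -> Optional[str]:
        # A page can only ever read the bucket for its own origin.
        return self._buckets.get(origin, {}).get(key)


class NativeBridge:
    """Model of the native side: one random token per whitelisted origin, held in memory."""

    def __init__(self, whitelisted_origins) -> None:
        self._tokens: Dict[str, str] = {
            origin: secrets.token_hex(16) for origin in whitelisted_origins
        }

    def seed_storage(self, storage: OriginStorage) -> None:
        # Native writes each origin's token into that origin's storage bucket
        # before any page script runs, so the value is already there on first access.
        for origin, token in self._tokens.items():
            storage.set(origin, "bridgeToken", token)

    def call(self, origin: str, presented: Optional[str]) -> bool:
        # A bridge call is accepted only if the presented token equals the
        # in-memory token for the calling origin; anything else is invalid.
        expected = self._tokens.get(origin)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)


def run_scenarios() -> Dict[str, bool]:
    trusted = "https://app.example"    # constructed whitelisted origin
    hostile = "https://evil.example"   # constructed non-whitelisted origin
    native = NativeBridge([trusted])
    storage = OriginStorage()
    native.seed_storage(storage)

    # 1. Page at the trusted origin reads its own token and calls the bridge.
    accepted = native.call(trusted, storage.get(trusted, "bridgeToken"))

    # 2. Script at the hostile origin can only see its own bucket, which holds no token.
    cross_origin = native.call(hostile, storage.get(hostile, "bridgeToken"))

    # 3. Script at the hostile origin sets a random value in plain JS itself;
    #    it never matches what native holds in memory, so it is rejected.
    storage.set(hostile, "bridgeToken", secrets.token_hex(16))
    self_minted = native.call(hostile, storage.get(hostile, "bridgeToken"))

    return {
        "trusted_accepted": accepted,
        "cross_origin_rejected": not cross_origin,
        "self_minted_rejected": not self_minted,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The comparison uses `hmac.compare_digest` so a wrong token is rejected in constant time regardless of where the mismatch occurs; the rest of the model only exists to show that the origin partitioning of storage, not the secrecy of the generation step, is what keeps a non-whitelisted page from presenting a valid token.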
