cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Georgiev <mgeorg...@utexas.edu>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 21:13:40 GMT
On Fri, Jan 31, 2014 at 2:58 PM, Andrew Grieve <agrieve@chromium.org> wrote:
> Ha! Well that's pretty clear. :) I don't think having JS generate it is a
> good idea then.

It is not. You as an app developer do not control who puts where their JS.


> Still, there might be an easier way than going through persistent storage.

The reason for localStorage is cause it leverages SOP. If you find
another way to leverage SOP, that would be fine too.

> Next idea:
> How about having the Java side tell the JS side during start-up what the
> token is?
> E.g.: loadUrl(javascript:void(execToken=FOO)). JS can then get the token
> from there when they want to use exec().

Can't do that, cause loadUrl *is* insecure! Next idea please ;)

Mime
View raw message