Return-Path: X-Original-To: apmail-cordova-dev-archive@www.apache.org Delivered-To: apmail-cordova-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2FFBF101E0 for ; Fri, 31 Jan 2014 19:02:41 +0000 (UTC) Received: (qmail 54909 invoked by uid 500); 31 Jan 2014 19:02:40 -0000 Delivered-To: apmail-cordova-dev-archive@cordova.apache.org Received: (qmail 54852 invoked by uid 500); 31 Jan 2014 19:02:40 -0000 Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cordova.apache.org Delivered-To: mailing list dev@cordova.apache.org Received: (qmail 54844 invoked by uid 99); 31 Jan 2014 19:02:40 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 31 Jan 2014 19:02:40 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of agrieve@google.com designates 209.85.220.48 as permitted sender) Received: from [209.85.220.48] (HELO mail-pa0-f48.google.com) (209.85.220.48) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 31 Jan 2014 19:02:36 +0000 Received: by mail-pa0-f48.google.com with SMTP id kx10so4745940pab.21 for ; Fri, 31 Jan 2014 11:02:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=LAPNWYOz1kgFAM7HBHkQdpqw4n6ymVLzNV6ruXf739w=; b=EoZ1SjE34wjDCAePbsW+7N8easPOR3Q5+Y5yHdYxYT3nVft5R2j98motvhQF1Oom9D dWZdgE2ZV6yfx3DxtkCzofF1RiVPKqDhmokfRBZhvO+N/zs/P4GKfnjnFSjQUDi/rhpg 3euXbMYM/NrHqg2o4gtNC+XpPOBl8jjJPd/EGxAkma5L3NJY2nmuCppG0MosgPF+I3Yr xosfCoitq0oBsk/cE+P+rDD0SVCYNNKcjhfYMSpg6rD079gLJNrf+V+1RFEUibYTjcpn JLvqL6J9lqZvLWg1HVgy/KAg7FBLIR3VfgvPKbG9tx9KDmPHg2AR5QS7fmevIkJJvK14 9bWw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=LAPNWYOz1kgFAM7HBHkQdpqw4n6ymVLzNV6ruXf739w=; b=TqwblLLtSk2MXR1QHuHCFMId4f/2+kXODibEgD3gBO5TIcxCjREjLll0A0Yv5pr1Mw eQB30YLgBVmG5v9Hw9MPgQuHks9ff+ZIzwA5AR+2LUCtklv3Rhh5V8V+21gr0dtbTYCn usArOxH2ea2tdfUmtFak0/etUp9LGqX0MJ5Pw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=LAPNWYOz1kgFAM7HBHkQdpqw4n6ymVLzNV6ruXf739w=; b=hPkV3Gk/c86vvT/ttgj3K9uNFiCNPd7olXn4KTcm2O+Tl1lw5sVdd5iBPy8moEuGpW 7mc235RXvJWEjxT+qoG1x4jf2fznCQvxqTEii5V28O9mlwU9TouTy29c/MbyOn/+bLYw 2/XERyuMn0bJfhPlEzjFustFa8SPYmvmRg2tHLH2Nnu+X9mxmajgQBA01JrBpo3qbfOd i9vkgyj49CzB56aoJMqm01JdGX8X3Og6Q6YiqG8QED6FjwUf8Z1zGLE3NAbreQvTdWgz ENUq+uwN84kKZrS/fa12ZcVpUYD25gEJtfxOFsjTbLUCkoGUIKDK9eBMUmjM15M1r+R8 Kwlg== X-Gm-Message-State: ALoCoQnuACUta6eIqtQKgsD/WlSYTBKg+L+YkPG9lXZnq4iqBwCXwTvnAaGr9Y1CIbMSB5BKQADvruPJxdGC55tWp9JR+CHklKaDnlPfVZlxT7XMVmwtPE7KRHn9hrmVkpIqIScRClXFhqvTPba1WE4VzWlDkGWi8mgd/cBiblsTqnBsowmsAsEaa3Ki4cx2XGXAEIwMTZw3bbFf23vk8qJ/EduhW0u7OQ== X-Received: by 10.68.76.68 with SMTP id i4mr22240192pbw.73.1391194935475; Fri, 31 Jan 2014 11:02:15 -0800 (PST) MIME-Version: 1.0 Sender: agrieve@google.com Received: by 10.68.130.198 with HTTP; Fri, 31 Jan 2014 11:01:55 -0800 (PST) In-Reply-To: References: From: Andrew Grieve Date: Fri, 31 Jan 2014 14:01:55 -0500 X-Google-Sender-Auth: TmMiGzEwFht1zPOgnXIXWnO-bnc Message-ID: Subject: Re: [Android] SecureToken/NoFrak feature addition To: dev , "bowserj@apache.org" Cc: mail@nazgul.nu Content-Type: multipart/alternative; boundary=e89a8f923df2f1672404f148cf48 X-Virus-Checked: Checked by ClamAV on apache.org --e89a8f923df2f1672404f148cf48 Content-Type: text/plain; charset=UTF-8 On Fri, Jan 31, 2014 at 1:32 PM, Joe Bowser wrote: > On Fri, Jan 31, 2014 at 8:57 AM, Bas Bosman wrote: > > > > LocalStorage leverages the browser's same origin policy to ensure that > > content from other origins cannot read the token and thus cannot access > > the bridge. If we use vanilla JS there is nothing stopping the malicious > > code from reading the random # itself before calling the bridge. > > > > We're not using Vanilla JS. Tokens have to be added for all > whitelisted domains natively. This is done to solve the whole Chicken > and the Egg problem that we have with our config.xml. The value > should exist when the browser gets access to the storage, and it has > to match what it is natively, which I believed is stored in memory, so > even if the value was added in Vanilla JS, it would be caught and set > as invalid. I haven't tested that. > localstorage would allow iframes on different domains than the top one to use the bridge. I don't think that's very compelling. iframes can use postMessage() to talk to the main frame, which in turn can call exec. If you really wanted to, you could provide the token to the iframe via postMessage. Localstorage seems like overkill to me still though. I don't think there's a chicken and egg problem: State 0 - Native has no token, JS has no token State 1 - JS in main frame include cordova.js State 2 - JS in main frame generates a token, and provides it to native State 3 - Native, not already having a token, accepts it and saves it. Now both JS and native have the same token in memory without needing to go through localstorage. --e89a8f923df2f1672404f148cf48--