From: Joe Bowser
Reply-To: bowserj@apache.org
To: dev@cordova.apache.org, mail@nazgul.nu
Date: Fri, 31 Jan 2014 10:32:02 -0800
Subject: Re: [Android] SecureToken/NoFrak feature addition

On Fri, Jan 31, 2014 at 8:57 AM, Bas Bosman wrote:
>
> LocalStorage leverages the browser's same origin policy to ensure that
> content from other origins cannot read the token and thus cannot access
> the bridge. If we use vanilla JS there is nothing stopping the malicious
> code from reading the random # itself before calling the bridge.
>

We're not using vanilla JS. Tokens have to be added for all whitelisted domains natively. This is done to solve the whole chicken-and-egg problem that we have with our config.xml. The value should exist when the browser gets access to the storage, and it has to match what it is natively, which I believe is stored in memory, so even if the value was added in vanilla JS, it would be caught and set as invalid. I haven't tested that.