cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Grieve <agri...@chromium.org>
Subject Re: Android: Deprecate WebView.sendJavascript()?
Date Tue, 27 May 2014 01:37:43 GMT
On Mon, May 26, 2014 at 2:04 PM, Joe Bowser <bowserj@gmail.com> wrote:

> On Mon, May 26, 2014 at 9:59 AM, Andrew Grieve <agrieve@chromium.org>
> wrote:
> > From: https://issues.apache.org/jira/browse/CB-6746
> >
> > Given that you can implement sendJavascript via PluginResults by just
> > eval()ing the results, maybe we could just deprecate the function?
>
> And this comment just earned this proposal a -1.
>
> Just eval()ing the results is a completely awful idea because it
> assumes that we can trust the data being returned from the plugin,
> which security researchers have shown many, many times that you can't.
>  That reason alone makes me want to keep this, although it's also bad
> in it's current form.
>

Did you mean Michal's suggestion a -1? Or mine?
To be clear - the sendJavascript function is currently implemented exactly
like this. We pass data safely through the bridge as a string, and then
eval() it. This security concern is what I meant by my point #2. If we
deprecate the call with a comment saying why, then we raise awareness about
why it's a bad idea.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message