From Andrew Grieve <agri...@chromium.org>
Subject Re: [Android] InAppBrowser and URI whitelisting
Date Mon, 27 Apr 2015 14:23:42 GMT
Yeah, that does sound messed up :S.

Perhaps IAB should be restricted to network & intent whitelists? With CSP,
our basic guidance is to allow full network access and restrict via CSP
anyways.

On Fri, Apr 24, 2015 at 7:48 PM, Joe Bowser <bowserj@gmail.com> wrote:

> So, since we make this Category.BROWSABLE, we can safely say that this is
> working as intended and close it? :P
>
> I disagree about not restricting it to the intent whitelist, because that
> sounds messed up that we wouldn't let an app, with the trusted content run
> an intent, but we'd let untrusted content run one.
>
> On Fri, Apr 24, 2015 at 4:38 PM Andrew Grieve <agrieve@chromium.org>
> wrote:
>
> > The browser allows any intents, but attaches Category.BROWSABLE to the
> > intents, which is supposed to make them safe.
> > We don't restrict the IAB to the network whitelist, so it follows (maybe?)
> > that we wouldn't restrict it to the intent whitelist.
> >
> > On Fri, Apr 24, 2015 at 6:06 PM, Jesse <purplecabbage@gmail.com> wrote:
> >
> > > What does the browser do? That's what the InAppBrowser should do ...
> > >
> > > It may also make sense to allow the host cordova app to decide whether or
> > > not to allow it.
> > > Presumably the host app could allow all intents, but not want to extend
> > > that to its InAppBrowser control, or allow some intents for some domains
> > > ... based on their own logic ...
> > > Ideally, I think this should be a user problem, i.e. give the app
> > > developer a chance to intercept the request, and if they don't just
> > > perform the default browser behaviour.
> > >
> > >
> > > @purplecabbage
> > > risingj.com
> > >
> > > On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bowserj@gmail.com> wrote:
> > >
> > > > Hey
> > > >
> > > > I was looking at CB-8180, and I'm wondering what the correct behaviour
> > > > for intents being launched from URIs should be for an InAppBrowser.
> > > > Should these have free rein to open whatever, or should they also be
> > > > bound by the rules of the whitelist?
> > > >
> > > > What do people think?
> > > >
> > > > Joe
> > > >
> > >
> >
>
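The thread argues over three things: that a browser parses URIs into intents and attaches Category.BROWSABLE, that an InAppBrowser could be bound to the host app's intent whitelist, and that the app developer should get a chance to intercept the launch first. The following is an added example written for this archive page, not code from cordova-android or the InAppBrowser plugin; it sketches a WebViewClient that does all three. The IntentPolicy interface, the GatedIntentWebViewClient class and the buildBrowsableIntent helper are assumptions made for the illustration; the Android calls (Intent.parseUri, Intent.URI_INTENT_SCHEME, Intent.CATEGORY_BROWSABLE, setComponent, setSelector) are real platform APIs.

```java
// Added example, not cordova-android's own code. A WebViewClient that handles
// non-web URIs the way a browser does (BROWSABLE intent) but only after the
// host app's whitelist and optional intercept hook have had their say.
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URISyntaxException;

public class GatedIntentWebViewClient extends WebViewClient {

    /** Hypothetical hook supplied by the host app (an assumption, not a Cordova API). */
    public interface IntentPolicy {
        /** True if the host app's intent whitelist permits this URI. */
        boolean isWhitelisted(String url);
        /** True if the app handled the launch itself and the default should be skipped. */
        boolean intercept(Intent intent);
    }

    private final Context context;
    private final IntentPolicy policy;

    public GatedIntentWebViewClient(Context context, IntentPolicy policy) {
        this.context = context;
        this.policy = policy;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        String scheme = Uri.parse(url).getScheme();
        // Web schemes stay inside the WebView; anything else is an intent launch.
        if (scheme == null || "http".equals(scheme) || "https".equals(scheme)
                || "file".equals(scheme)) {
            return false;
        }
        Intent intent = buildBrowsableIntent(url);
        if (intent == null) {
            return true; // unparsable: swallow the navigation instead of guessing
        }
        if (!policy.isWhitelisted(url)) {
            return true; // not on the host app's intent whitelist: swallow it
        }
        if (policy.intercept(intent)) {
            return true; // the host app chose to handle it itself
        }
        try {
            context.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // Nothing installed claims this scheme; a browser would also give up here.
        }
        return true;
    }

    /** Turn a URI into an Intent the way a browser does before launching it. */
    static Intent buildBrowsableIntent(String url) {
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return null;
        }
        // BROWSABLE restricts the target to activities that opted in to launches from web content.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // An intent: URI may name an explicit component or selector; web content must not pick one.
        intent.setComponent(null);
        intent.setSelector(null);
        return intent;
    }
}
```

The ordering is the point of the example: the URI is normalised into a BROWSABLE, component-free intent before the whitelist or the intercept hook sees it, so both decide on the same object that would actually be launched, and a URI that fails the whitelist never reaches startActivity.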
