cordova-dev mailing list archives

From Joe Bowser <bows...@gmail.com>
Subject Re: [Android] InAppBrowser and URI whitelisting
Date Fri, 24 Apr 2015 23:48:59 GMT
So, since we make this Category.BROWSABLE, we can safely say that this is
working as intended and close it? :P

I disagree about not restricting it to the intent whitelist, because that
sounds messed up that we wouldn't let an app, with the trusted content, run
an intent, but we'd let untrusted content run one.

On Fri, Apr 24, 2015 at 4:38 PM Andrew Grieve <agrieve@chromium.org> wrote:

> The browser allows any intents, but attaches Category.BROWSABLE to the
> intents, which is supposed to make them safe.
> We don't restrict the IAB to the network whitelist, so it follows (maybe?)
> that we wouldn't restrict it to the intent whitelist.
>
> On Fri, Apr 24, 2015 at 6:06 PM, Jesse <purplecabbage@gmail.com> wrote:
>
> > What does the browser do? That's what the InAppBrowser should do ...
> >
> > It may also make sense to allow the host Cordova app to decide whether
> > or not to allow it.
> > Presumably the host app could allow all intents, but not want to extend
> > that to its InAppBrowser control, or allow some intents for some domains
> > ... based on their own logic ...
> > Ideally, I think this should be a user problem, i.e. give the app
> > developer a chance to intercept the request, and if they don't, just
> > perform the default browser behaviour.
> >
> > @purplecabbage
> > risingj.com
> >
> > On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bowserj@gmail.com> wrote:
> >
> > > Hey
> > >
> > > I was looking at CB-8180, and I'm wondering what the correct behaviour
> > > for intents being launched from URIs should be for an InAppBrowser.
> > > Should these have free rein to open whatever, or should they also be
> > > bound by the rules of the whitelist?
> > >
> > > What do people think?
> > >
> > > Joe
> > >
> >
>
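
The two positions in this thread can be combined in one check. The sketch below is an added example, not code from Cordova or the InAppBrowser plugin: it applies the browser-style handling described above (Category.BROWSABLE) and then consults an allow list. The class name `IabIntentPolicy` and the scheme set standing in for the app's intent whitelist are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import java.net.URISyntaxException;
import java.util.Set;

/** Hypothetical helper for illustration; not part of Cordova. */
public final class IabIntentPolicy {
    // Assumption: a simplified stand-in for the host app's intent whitelist,
    // reduced here to a set of permitted data schemes (e.g. "market", "tel").
    private final Set<String> allowedSchemes;

    public IabIntentPolicy(Set<String> allowedSchemes) {
        this.allowedSchemes = allowedSchemes;
    }

    /**
     * Returns a restricted Intent for an intent: URL loaded inside the
     * InAppBrowser, or null when the URL should not be launched at all.
     */
    public Intent resolve(String url) {
        if (url == null || !url.startsWith("intent:")) {
            return null; // not an intent URI; normal navigation rules apply
        }
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return null; // malformed intent URI: block rather than guess
        }

        // Browser-style handling: only activities that declare BROWSABLE may
        // receive the intent, and page content cannot name a component.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        intent.setComponent(null);
        intent.setSelector(null);

        // Whitelist check: untrusted page content gets no more reach than
        // the trusted app content is given.
        Uri data = intent.getData();
        String scheme = (data == null) ? null : data.getScheme();
        if (scheme == null || !allowedSchemes.contains(scheme)) {
            return null;
        }
        return intent;
    }
}
```

A caller would pass the non-null result to `startActivity` and treat null as a blocked navigation, which is also the point where a host app could be given the chance to intercept the request.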
