cordova-dev mailing list archives

From "Treggiari, Leo" <>
Subject RE: [iOS] proposed major whitelist change
Date Mon, 20 Jul 2015 22:36:50 GMT
I'm not certain that this makes sense, but anyway...  

If a user is using CSP can we tell them to specify a single '*' entry for the network request
whitelist (a.k.a. <access> tags)?
If they are not using CSP, in spite of our recommendation, do the <access> tags provide
an alternative, though inferior solution?

And, is this different for the Android platform which already supports the new whitelist plugin?

-----Original Message-----
From: Shazron [] 
Sent: Monday, July 20, 2015 3:24 PM
Subject: [iOS] proposed major whitelist change

Previously, the initial implementation for the plugin for iOS didn't
support the <access> tag, but that proved problematic since not supporting
it meant all *native* code network connections were effectively blacklisted.

I added the support back in, but this will end up confusing the user even
more. Right now we are recommending that the user support CSP, but that
only works in the context of the WebView (whether UIWebView or WKWebView) -
i.e. XHR, images, etc.

If the user specified a CSP src for access to a domain in their .html, but
did not specify an <access> tag for that domain, the connection will fail
(since the native code whitelist filters all network connections). So this
in effect doubles the number of declarations needed -- a CSP policy needs
to have its mirror in the <access> tag. You can see where this can get

We could have a dynamic CSP parser in native code to dynamically "generate"
access tags but that will add on more complexity (but this would be best

I propose that we get rid of the native code whitelist (effectively
allowing all connections) and rely on CSP only. I'm not sure that having a
native code whitelist can really be truly secure, with the dynamic nature
of Objective-C this is just a façade anyway.

In any case, native code whitelisting will only work on UIWebView, there is
no way our current whitelisting system will work on WKWebView at all --
more fodder for us to abandon our whitelisting system.

The whitelisting should really be handled lower level by the system, and
indeed this is coming in iOS 9 with Application Transport Security (ATS):

The ATS whitelisting is through new tags in Info.plist, and we will have to
map our existing whitelist tags to ATS when the time comes.
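The mirroring problem described above (a CSP source with no matching <access> tag, so the native whitelist blocks a request the page policy allows) can be checked at build time rather than discovered at runtime. The following is an added example, not Cordova project code: it parses the CSP meta tag from an index.html snippet and the <access> tags from a config.xml snippet (both constructed here, with hypothetical example.com/example.org domains), reports origins present in only one of the two, and emits the <access> tags that would mirror the CSP.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for this example (hypothetical domains, not from
# any real Cordova project).
INDEX_HTML = """<meta http-equiv="Content-Security-Policy"
  content="default-src 'self' data:; connect-src 'self' https://api.example.com;
           img-src 'self' https://cdn.example.com data:">"""
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="https://api.example.com" />
  <access origin="https://static.example.org" />
</widget>"""

# CSP directives whose sources become WebView-initiated network requests.
NETWORK_DIRECTIVES = ("connect-src", "img-src", "media-src", "font-src",
                      "script-src", "style-src", "frame-src", "default-src")


def csp_origins(html):
    """Return the set of scheme://host origins named by the CSP meta tag."""
    m = re.search(r'Content-Security-Policy"\s+content="([^"]*)"', html, re.S)
    if not m:
        return set()
    origins = set()
    for directive in m.group(1).split(";"):
        parts = directive.split()
        if parts and parts[0] in NETWORK_DIRECTIVES:
            # Keep scheme://host tokens only; skip keywords like 'self' and data:
            origins.update(t for t in parts[1:] if "://" in t)
    return origins


def access_origins(config_xml):
    """Return the set of origins allowed by <access> tags in config.xml."""
    ns = "{http://www.w3.org/ns/widgets}"
    root = ET.fromstring(config_xml)
    return {a.get("origin") for a in root.iter(ns + "access")}


def compare(html, config_xml):
    """Cross-check the two whitelists and generate the mirroring <access> tags."""
    csp, access = csp_origins(html), access_origins(config_xml)
    return {
        "csp_only": sorted(csp - access),      # CSP allows, native whitelist blocks
        "access_only": sorted(access - csp),   # native allows, CSP never requests
        "mirrored": sorted(csp & access),
        "access_tags": sorted(f'<access origin="{o}" />' for o in csp),
    }
```

Origins in `csp_only` are the ones that fail with the doubled-declaration setup; origins in `access_only` are native-side allowances the page policy does not need.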