cordova-issues mailing list archives

From "Andrew Grieve (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CB-5988) Allow the Android exec() to be used only by <content>'s domain
Date Fri, 07 Feb 2014 15:22:20 GMT
Andrew Grieve created CB-5988:
---------------------------------

             Summary: Allow the Android exec() to be used only by <content>'s domain
                 Key: CB-5988
                 URL: https://issues.apache.org/jira/browse/CB-5988
             Project: Apache Cordova
          Issue Type: Bug
          Components: Android
            Reporter: Andrew Grieve
            Assignee: Andrew Grieve


Discussion: http://markmail.org/thread/yohym3xqomjp4a64

Add a random number to exec() to increase its security.

Use the domain of the <content> tag as the only one the native side will provide a token
to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token
if the domain doesn't match that of content (with file:/// always being allowed).



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
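
The check proposed in the issue, as an added Java sketch that is not Cordova's code or part of the original message: the native side issues a random token only when the main frame's origin matches that of the `<content>` src, with `file:` URLs always allowed. The class and method names are hypothetical, the URLs are constructed, and treating "domain" as an exact scheme, host and port match is an assumption.

```java
import java.net.URI;
import java.security.SecureRandom;
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not Cordova's API.
public class BridgeTokenGate {
    private final String contentOrigin;           // origin of the <content> src, or null
    private final SecureRandom rng = new SecureRandom();
    private int secret = -1;                      // -1: no token issued for the current page

    public BridgeTokenGate(String contentSrc) { contentOrigin = originOf(parse(contentSrc)); }

    private static URI parse(String url) {
        try { return new URI(url); } catch (Exception e) { return null; }  // unparseable: deny
    }

    // scheme://host:port with default ports filled in; null if there is no host.
    private static String originOf(URI u) {
        if (u == null || u.getScheme() == null || u.getHost() == null) return null;
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        int port = u.getPort();
        if (port == -1) port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
        return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    // Call on every main-frame load. Returns the token for the page, or -1 if withheld.
    public synchronized int onMainFrameLoaded(String mainFrameUrl) {
        secret = -1;                              // a navigation invalidates the old token
        URI u = parse(mainFrameUrl);
        if (u == null || u.getScheme() == null) return -1;
        boolean isFile = u.getScheme().equalsIgnoreCase("file");
        String origin = originOf(u);
        if (!isFile && (origin == null || !origin.equals(contentOrigin))) return -1;
        secret = rng.nextInt(Integer.MAX_VALUE);  // non-negative random number
        return secret;
    }

    // exec() is honoured only when the caller presents the current token.
    public synchronized boolean execAllowed(int presented) {
        return secret >= 0 && presented == secret;
    }

    public static void main(String[] args) {      // constructed URLs
        BridgeTokenGate gate = new BridgeTokenGate("https://app.example.com/index.html");
        int t = gate.onMainFrameLoaded("https://app.example.com/start");
        System.out.println("matching origin, exec allowed: " + gate.execAllowed(t));
        System.out.println("look-alike host token: " + gate.onMainFrameLoaded("https://app.example.com.evil.test/"));
        System.out.println("old token after navigation: " + gate.execAllowed(t));
        System.out.println("file: page gets token: " + (gate.onMainFrameLoaded("file:///android_asset/www/index.html") >= 0));
    }
}
```

Comparing parsed origins rather than URL string prefixes is what keeps a look-alike host such as the constructed `app.example.com.evil.test` from matching.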
