cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CB-5988) Allow the Android exec() to be used only by <content>'s domain
Date Fri, 04 Jul 2014 02:07:34 GMT


ASF subversion and git services commented on CB-5988:

Commit aab47bd4532bfe8707d745638eb5695ac543c681 in cordova-android's branch refs/heads/master
from [~agrieve]
[;h=aab47bd ]

CB-5988 Allow exec() only from file: or start-up URL's domain

Uses prompt() to validate the origin of the calling JS.
This change also simplifies the start-up logic by explicitly disabling
the bridge during page transitions and explictly enabling it when the
JS asks for the bridgeSecret.

We now wait to fire onNativeReady in JS until the bridge is initialized.
It is therefore safe to delete the queue-clear/new exec race condition
code that was in PluginManager.

> Allow the Android exec() to be used only by <content>'s domain
> --------------------------------------------------------------
>                 Key: CB-5988
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Andrew Grieve
>            Assignee: Andrew Grieve
> Discussion:
> Add a random number to exec() to increase its security.
> Use the domain of the <content> tag as the only one the native side will provide
a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide
a token if the domain doesn't match that of content (with file:/// always being allowed).

This message was sent by Atlassian JIRA

View raw message