cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ian Clelland (JIRA)" <j...@apache.org>
Subject [jira] [Reopened] (CB-7758) Support for content:// URIs
Date Tue, 04 Nov 2014 18:32:36 GMT

     [ https://issues.apache.org/jira/browse/CB-7758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Ian Clelland reopened CB-7758:
------------------------------
      Assignee: Ian Clelland

Thinking some more about this, I think that we may have to change the way we're doing it.
This solution opens up a potential security hole, where an app could be targeted specifically
by malware which creates a content provider with the same root package name as the app, and
is therefore granted access to the bridge.

On the 4.x branch, I've merged the bridge access logic with the navigation logic (if you can
navigate the webview to a page, then the page should have access to the bridge). I think we
should do something similar here, and check the config whitelist before granting access.

It would mean that you have to grant access to the content urls in config.xml:

{code}
<access src="content://com.ionicframework.ionicapp.jsHybugger/*" />
<access src="content://com.ionicframework.ionicapp.myProvider/*" />
{code}

but you probably need that anyway to support using those pages within an app.

Would that work for you?

> Support for content:// URIs
> ---------------------------
>
>                 Key: CB-7758
>                 URL: https://issues.apache.org/jira/browse/CB-7758
>             Project: Apache Cordova
>          Issue Type: New Feature
>          Components: Android
>    Affects Versions: 3.6.0
>         Environment: Android 4.3
>            Reporter: Wolfgang Flohr-Hochbichler
>            Assignee: Ian Clelland
>            Priority: Minor
>
> Device ready event is not fired if page is loaded via content:// protocol. 
> I assume it has something to do with a security check done within CordovaBridge.java
which triggers the following gap_init error message.
> 10-09 10:10:18.071 16719 16719 E CordovaBridge: gap_init called from restricted origin:
content://com.ionicframework.ionicapp795549.jsHybugger/file:///android_asset/www/index.html#/tab/dash
> 10-09 10:10:23.075 16719 16719 D CordovaLog: content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js:
Line 112 : deviceready has not fired after 5 seconds.
> 10-09 10:10:23.075 16719 16719 I Web Console: deviceready has not fired after 5 seconds.
at content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js:112



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message