Return-Path: X-Original-To: apmail-cordova-issues-archive@minotaur.apache.org Delivered-To: apmail-cordova-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 647E11751A for ; Tue, 4 Nov 2014 18:32:37 +0000 (UTC) Received: (qmail 70541 invoked by uid 500); 4 Nov 2014 18:32:37 -0000 Delivered-To: apmail-cordova-issues-archive@cordova.apache.org Received: (qmail 70525 invoked by uid 500); 4 Nov 2014 18:32:37 -0000 Mailing-List: contact issues-help@cordova.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@cordova.apache.org Received: (qmail 70499 invoked by uid 99); 4 Nov 2014 18:32:36 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 04 Nov 2014 18:32:36 +0000 Date: Tue, 4 Nov 2014 18:32:36 +0000 (UTC) From: "Ian Clelland (JIRA)" To: issues@cordova.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Reopened] (CB-7758) Support for content:// URIs MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CB-7758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ian Clelland reopened CB-7758: ------------------------------ Assignee: Ian Clelland Thinking some more about this, I think that we may have to change the way we're doing it. This solution opens up a potential security hole, where an app could be targeted specifically by malware which creates a content provider with the same root package name as the app, and is therefore granted access to the bridge. On the 4.x branch, I've merged the bridge access logic with the navigation logic (if you can navigate the webview to a page, then the page should have access to the bridge). I think we should do something similar here, and check the config whitelist before granting access. It would mean that you have to grant access to the content urls in config.xml: {code} {code} but you probably need that anyway to support using those pages within an app. Would that work for you? > Support for content:// URIs > --------------------------- > > Key: CB-7758 > URL: https://issues.apache.org/jira/browse/CB-7758 > Project: Apache Cordova > Issue Type: New Feature > Components: Android > Affects Versions: 3.6.0 > Environment: Android 4.3 > Reporter: Wolfgang Flohr-Hochbichler > Assignee: Ian Clelland > Priority: Minor > > Device ready event is not fired if page is loaded via content:// protocol. > I assume it has something to do with a security check done within CordovaBridge.java which triggers the following gap_init error message. > 10-09 10:10:18.071 16719 16719 E CordovaBridge: gap_init called from restricted origin: content://com.ionicframework.ionicapp795549.jsHybugger/file:///android_asset/www/index.html#/tab/dash > 10-09 10:10:23.075 16719 16719 D CordovaLog: content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js: Line 112 : deviceready has not fired after 5 seconds. > 10-09 10:10:23.075 16719 16719 I Web Console: deviceready has not fired after 5 seconds. at content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js:112 -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org For additional commands, e-mail: issues-help@cordova.apache.org