cordova-issues mailing list archives

From "Tim (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CB-11341) Camera access affected by frame-src
Date Wed, 01 Jun 2016 14:37:59 GMT

     [ https://issues.apache.org/jira/browse/CB-11341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim updated CB-11341:
---------------------
    Description: 
On iOS - when the frame-src directive is set to 'self' in the Content Security Policy meta-tag,
it suppresses the alert:

<meta http-equiv="Content-Security-Policy" content="frame-src: 'self'" />

Furthermore, if the app is suspended and resumed, the enable camera alert is displayed correctly.


This could indicate a security risk, because frame-src may be bypassed.

How to reproduce:
1. Install camera plugin 2.2.0
> cordova plugin add cordova-plugin-camera
2. Modify the CSP meta-tag in index.html
3. Build iOS
> cordova platform add ios
4. The camera access alert won't display when the app loads
5. Suspend the camera app using the home button. Return to the app. The camera access alert
will now display.

Expected behavior:
The camera plugin should not be affected by the Content Security Policy. And "Cordova build
ios" should catch poorly formatted CSP meta tags.

  was:
When Content Security Policy is modified (e.g. default-src: 'none'), it breaks the camera
access alert for iOS.

If the app is suspended and resumed, the camera access alert will pop up - and the following
warning will be reported in Xcode.

Warning: Attempt to present <CDVCameraPicker: 0x170b7600> on <MainViewController:
0x16d6f090> whose view is not in the window hierarchy!

However, if the iOS app is suspended and then resumed the camera access will display correctly;
this could indicate that the Content Security Policy can be bypassed.

How to reproduce:
1. Install camera plugin 2.2.0
> cordova plugin add cordova-plugin-camera
2. Modify the CSP meta-tag in index.html
3. Build iOS
> cordova platform add ios
4. The camera access alert won't display when the app loads
5. Suspend the camera app using the home button. Return to the app. The camera access alert
will now display.

Expected behavior:
The camera plugin should not be affected by the Content Security Policy. And "Cordova build
ios" should catch poorly formatted CSP meta tags.


> Camera access affected by frame-src
> -----------------------------------
>
>                 Key: CB-11341
>                 URL: https://issues.apache.org/jira/browse/CB-11341
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Plugin Camera
>    Affects Versions: 2.2.0
>         Environment: iOS 8.4 - iPhone 4S
>            Reporter: Tim
>            Priority: Minor
>              Labels: iOS, triaged



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
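
The report asks that the build catch poorly formatted CSP meta tags; in the tag it quotes, the directive name carries a trailing colon (`frame-src:`), which is not CSP directive syntax, so the policy does not restrict frames at all. The following Node.js lint is an added example, not Cordova's code or part of the original message; the function names `lintCspPolicy` and `lintCspMeta` and the directive list are assumptions made for this example.

```javascript
// Added example: lint CSP <meta> tags in a Cordova index.html (hypothetical helper names).
const KNOWN = new Set(['default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'form-action', 'base-uri', 'frame-ancestors', 'report-uri', 'sandbox']);
// Directives that user agents ignore when the policy arrives via <meta>.
const IGNORED_IN_META = new Set(['frame-ancestors', 'report-uri', 'sandbox']);
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);

function lintCspPolicy(policy) {
  const findings = [];
  const seen = new Set();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name.endsWith(':')) {  // the mistake in the reported tag
      findings.push(`"${name}": directive names take no colon; write "${name.slice(0, -1)} ..."`);
      continue;
    }
    if (!KNOWN.has(name)) { findings.push(`"${name}": unknown directive, will be ignored`); continue; }
    if (seen.has(name)) findings.push(`"${name}": duplicate directive, only the first is used`);
    seen.add(name);
    if (IGNORED_IN_META.has(name)) findings.push(`"${name}": ignored when delivered via <meta>`);
    for (const src of tokens.slice(1)) {
      if (KEYWORDS.has(src.toLowerCase())) {  // unquoted keyword would be read as a host name
        findings.push(`"${name}": keyword ${src} must be quoted as '${src}'`);
      }
    }
  }
  return findings;
}

function lintCspMeta(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']?Content-Security-Policy["'\s>]/i.test(tag)) continue;
    const m = tag.match(/\bcontent\s*=\s*"([^"]*)"/i) || tag.match(/\bcontent\s*=\s*'([^']*)'/i);
    if (!m) { findings.push('CSP meta tag has no content attribute'); continue; }
    findings.push(...lintCspPolicy(m[1]));
  }
  return findings;
}

// Constructed sample input: the tag from the report and a well-formed variant.
const reported = `<meta http-equiv="Content-Security-Policy" content="frame-src: 'self'" />`;
const wellFormed = `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self'">`;
console.log(lintCspMeta(reported));
console.log(lintCspMeta(wellFormed));
```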
