cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shazron Abdullah (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-10709) Allow-navigation rule for iFrame urls on cordova-ios
Date Fri, 01 Jul 2016 19:53:11 GMT

    [ https://issues.apache.org/jira/browse/CB-10709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15359537#comment-15359537
] 

Shazron Abdullah commented on CB-10709:
---------------------------------------

Sorry I have to walk back what I said, after conferring with a colleague. My focus was also
on making this "backwards compatible" with the previous version, but the previous version
had it wrong.

iframes *should* be governed by the whitelist. Any page loaded by the iframe, if they include
cordova.js, can access your plugins, which opens up a huge hole. Therefore, in this case iOS
is doing the correct thing while Android is not.

So now what we really need is <allow-navigation> for iframes only. I'm not sure if its
possible on Android but on cordova-ios, it is possible if we add another attribute for example,
cleverly called "iframe", and the allow-navigation directive would only apply to iframes.
This is of course still dependent on cordova-ios being able to detect iframes reliably.

{code}
<allow-navigation href="http://youtube.com" iframe="true" />
{code}

> Allow-navigation rule for iFrame urls on cordova-ios
> ----------------------------------------------------
>
>                 Key: CB-10709
>                 URL: https://issues.apache.org/jira/browse/CB-10709
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 6.0.0
>            Reporter: Harsha Kiran
>            Assignee: Shazron Abdullah
>              Labels: cordova-ios-4.1.1, triaged
>
> Currently with Whitelist plugin set to <allow-navigation="*://domain.com/*"> doesn't
allow navigation to other domains including urls embedded using iframe on iOS.
> EG: If I tried to embed a youtube video using iframe tag with only this rule  <allow-navigation="*://domain.com/*">,
it doesn't allow loading of the video in iframe as youtube.com is not listed in allowed domains.
> If we add <allow-navigation="*://youtube.com/*"> it allows the loading of iframe
but will also allow navigation to youtube.com using Javascript i.e window.open('http://youtube.com').

> With current implementation in cordova-ios, I'm not sure if there is any solution to
allow a domain navigation in iframe and not allow navigation to that domain using other methods
like javascript.
> Android ignores the allow-navigation rule for iframe loaded urls, so iOS should be modified
to behave the same?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message