cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shazron Abdullah (JIRA)" <>
Subject [jira] [Commented] (CB-10709) Allow-navigation rule for iFrame urls on cordova-ios
Date Fri, 01 Jul 2016 19:53:11 GMT


Shazron Abdullah commented on CB-10709:

Sorry I have to walk back what I said, after conferring with a colleague. My focus was also
on making this "backwards compatible" with the previous version, but the previous version
had it wrong.

iframes *should* be governed by the whitelist. Any page loaded by the iframe, if they include
cordova.js, can access your plugins, which opens up a huge hole. Therefore, in this case iOS
is doing the correct thing while Android is not.

So now what we really need is <allow-navigation> for iframes only. I'm not sure if its
possible on Android but on cordova-ios, it is possible if we add another attribute for example,
cleverly called "iframe", and the allow-navigation directive would only apply to iframes.
This is of course still dependent on cordova-ios being able to detect iframes reliably.

<allow-navigation href="" iframe="true" />

> Allow-navigation rule for iFrame urls on cordova-ios
> ----------------------------------------------------
>                 Key: CB-10709
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 6.0.0
>            Reporter: Harsha Kiran
>            Assignee: Shazron Abdullah
>              Labels: cordova-ios-4.1.1, triaged
> Currently with Whitelist plugin set to <allow-navigation="*://*"> doesn't
allow navigation to other domains including urls embedded using iframe on iOS.
> EG: If I tried to embed a youtube video using iframe tag with only this rule  <allow-navigation="*://*">,
it doesn't allow loading of the video in iframe as is not listed in allowed domains.
> If we add <allow-navigation="*://*"> it allows the loading of iframe
but will also allow navigation to using Javascript i.e'').

> With current implementation in cordova-ios, I'm not sure if there is any solution to
allow a domain navigation in iframe and not allow navigation to that domain using other methods
like javascript.
> Android ignores the allow-navigation rule for iframe loaded urls, so iOS should be modified
to behave the same?

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message