cordova-issues mailing list archives

From "Jesse MacFadyen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-11868) inappbrowser overrides window.open and doesn't follow allow-intent and allow-navigation restrictions
Date Tue, 28 Mar 2017 23:49:41 GMT

    [ https://issues.apache.org/jira/browse/CB-11868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15946234#comment-15946234 ]

Jesse MacFadyen commented on CB-11868:
--------------------------------------

The allow intent + allow navigation tags define what can be loaded by the application's root
webview.

InAppBrowser can and SHOULD be allowed to open any site on the internet, and able to do it
safely without affecting the rest of your application.  This is the entire goal of InAppBrowser.

If you would like to limit the pages that the IAB can go to, just watch for the loadstart
event, and if you don't approve just close it.

{code}
var ref = cordova.InAppBrowser.open('http://apache.org', '_blank', 'location=yes');
ref.addEventListener('loadstart', function(event) { alert(event.url); });
{code}

> inappbrowser overrides window.open and doesn't follow allow-intent and allow-navigation restrictions
> ----------------------------------------------------------------------------------------------------
>
>                 Key: CB-11868
>                 URL: https://issues.apache.org/jira/browse/CB-11868
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Plugin InAppBrowser
>    Affects Versions: 3.5.0
>         Environment: android
>            Reporter: Mladen Petrovic
>            Priority: Critical
>              Labels: security
>
> InappBrowser doesn't follow allow-intent and allow-navigation meta tags only in Android.
> It also overrides default window.open(uri, '_self');
> So when I allow only some urls to be allowed like this:
> <allow-navigation href="http://google.com/" />
> <allow-intent href="http://google.com" />
> I can successfully open yahoo.com via window.open('yahoo.com', '_self');
> But if I remove the inappBrowser plugin then it follows the restriction and will only open google.com.
> This happens only in Android, not in iOS.
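
The loadstart approach suggested in the comment above, as an added example that is not part of the original message or of the Cordova project's code. ALLOWED_ORIGINS, isAllowedUrl and guardInAppBrowser are hypothetical names, and the allowlist values are constructed.

```javascript
// Added example: allowlist enforcement for an InAppBrowser window.
// ALLOWED_ORIGINS, isAllowedUrl and guardInAppBrowser are hypothetical names;
// the origins listed are constructed sample values.
const ALLOWED_ORIGINS = ['https://apache.org', 'https://www.apache.org'];

// Return true only when the URL parses and its exact origin is allowlisted.
function isAllowedUrl(rawUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable input is rejected, not guessed at
  }
  // Only web schemes; rejects javascript:, data:, file: and similar.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return false;
  }
  // Compare the parsed origin, never a prefix or substring of the raw string:
  // "https://apache.org.example.net/" and "https://apache.org@example.net/"
  // both begin with an allowed string but belong to example.net.
  return allowedOrigins.includes(parsed.origin);
}

// Attach the check to an InAppBrowser reference and close the window on the
// first loadstart whose URL is outside the allowlist.
function guardInAppBrowser(ref, allowedOrigins, onBlocked) {
  ref.addEventListener('loadstart', function (event) {
    if (!isAllowedUrl(event.url, allowedOrigins)) {
      ref.close();
      if (onBlocked) { onBlocked(event.url); }
    }
  });
  return ref;
}

// In a Cordova app, after deviceready:
// var ref = cordova.InAppBrowser.open('https://apache.org', '_blank', 'location=yes');
// guardInAppBrowser(ref, ALLOWED_ORIGINS, function (url) { console.warn('blocked', url); });
```

loadstart fires once the load has begun, so this check closes the window in response to a navigation rather than preventing the request from being issued.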


