incubator-callback-dev mailing list archives

From "Simon MacDonald (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CB-1572) Whitelisting not enforced in unsigned Android app
Date Tue, 02 Oct 2012 15:03:07 GMT

     [ https://issues.apache.org/jira/browse/CB-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon MacDonald resolved CB-1572.
---------------------------------

       Resolution: Duplicate
    Fix Version/s: 2.2.0

I believe this is a duplicate of CB-1564
                
> Whitelisting not enforced in unsigned Android app
> -------------------------------------------------
>
>                 Key: CB-1572
>                 URL: https://issues.apache.org/jira/browse/CB-1572
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>    Affects Versions: 2.1.0
>         Environment: Android 2.3 and 4.1
>            Reporter: Antony Lees
>            Assignee: Joe Bowser
>            Priority: Minor
>             Fix For: 2.2.0
>
>
> The config.xml allows non-whitelisted URLs to be accessed before the app is signed. So, for example, if I whitelist only localhost
>  <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> but then attempt to open an iframe with http://google.com, the iframe will be displayed from an unsigned .apk (either by running from Eclipse or by installing the .apk from the /bin directory)
> As soon as the .apk is exported and signed, the whitelist is enforced and the iframe will not display as expected
> Just to reiterate - the exact same code and whitelist is not enforced if the app is NOT signed.  As soon as I export it in Eclipse, which signs it, the whitelist is enforced
> This makes debugging difficult as the only way to check the whitelist is to export the app and install the signed .apk

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
