incubator-callback-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin Hawkins (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests
Date Mon, 22 Oct 2012 05:18:12 GMT

    [ https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481182#comment-13481182
] 

Kevin Hawkins commented on CB-1695:
-----------------------------------

Ah, I was mistakenly trying to piggyback on the view controller identification that's ultimately
driven by the setting of the 'vc' HTTP header in cordova.exec.  Yeah, that's not going to
work for arbitrary requests, only Cordova bridge calls.

Perhaps the solution, in my case anyway, is to push my own NSURLProtocol class on top of the
stack, and use an out-of-band identification technique to handle the non-Cordova requests.
 But I'll try to brainstorm a way that such a process could be encapsulated within Cordova,
as that would be ideal.  My first thought was around subclassing UIWebView, but Apple says,
"Don't do that."
                
> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests
> -----------------------------------------------------------------------------------------
>
>                 Key: CB-1695
>                 URL: https://issues.apache.org/jira/browse/CB-1695
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 2.2.0
>         Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit ef67dcf7bce56c69299bb89ab16c1803d0edd895
>            Reporter: Kevin Hawkins
>            Assignee: Shazron Abdullah
>
> Registered NSURLProtocol objects respond to NSURLRequests across an application.  As
such, CDVURLProtocol handles all requests that would pass through any UIWebView in the application,
and applies Cordova's whitelist rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is only one component
of the app.  Consider the case where I have my own UIWebView (think ChildBrowser), and I want
to load arbitrary web content.  This web content has no access to the Cordova sandbox on the
device, and as such should not be subject to the security restrictions that limit requests
to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view controller
against the global CDVViewController registry, for /!gap_exec calls, should be extended to
make the same check against http(s) calls, and allow them without whitelist comparison for
requests that originate outside of any registered CDVViewController instances.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message