incubator-callback-dev mailing list archives

From "Antony Lees (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CB-1572) Whitelisting not enforced in unsigned Android app
Date Tue, 02 Oct 2012 15:01:07 GMT
Antony Lees created CB-1572:
-------------------------------

             Summary: Whitelisting not enforced in unsigned Android app
                 Key: CB-1572
                 URL: https://issues.apache.org/jira/browse/CB-1572
             Project: Apache Cordova
          Issue Type: Bug
          Components: Android
    Affects Versions: 2.1.0
         Environment: Android 2.3 and 4.1
            Reporter: Antony Lees
            Assignee: Joe Bowser
            Priority: Minor


The config.xml allows non-whitelisted URLs to be accessed before the app is signed.  So, for
example, if I whitelist only localhost

 <access origin="http://127.0.0.1*"/> <!-- allow local pages -->

but then attempt to open an iframe with http://google.com, the iframe will be displayed from
an unsigned .apk (either by running from Eclipse or by installing the .apk from the /bin directory).

As soon as the .apk is exported and signed, the whitelist is enforced and the iframe will
not display as expected

Just to reiterate - the exact same code and whitelist is not enforced if the app is NOT signed.
 As soon as I export it in Eclipse, which signs it, the whitelist is enforced

This makes debugging difficult as the only way to check the whitelist is to export the app
and install the signed .apk



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
