Hi all,
I would like to know your opinion about iframe support in Cordova, especially on Android.

I think the support of iframes can cause security issues for two reasons:

- The whitelist mechanism settled by Cordova becomes ineffective because navigation is made inside the iframe, so the webview does not control the current URL loaded inside the iframe.
- Native APIs are not only exposed to the page loaded in the webview; even the iframes can access native APIs, which breaks the same-origin policy implemented in browsers.

That basically means some attackers can interact with native code in unintended ways.

This problem is not specific to Cordova; it is a general problem of the addJavascriptInterface method of the webview. It is even explained in the webview's javadoc: http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29. The usage of iframes just makes it more obvious.

So, I want to know your opinion about all of this:

- Have you tried to figure out a way to improve security about this (maybe by sharing a secret between the webview and native code to prevent unknown sources from accessing native code)?
- Do you think this point should be outlined in the Cordova documentation?

Thx
Denis
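
Added example, not part of the original message and not Cordova's own code: one way the shared-secret idea raised in the message could look on Android, in Java. The names SecretBridge, NativeBridge, TRUSTED_PREFIX and window.__bridgeSecret are hypothetical, and the assets path is an assumption about where the app's own pages live.

```java
// Added example with hypothetical names; requires API 19+ for evaluateJavascript.
import android.util.Base64;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public final class SecretBridge {
    // Assumption: the app's own pages are loaded from the APK assets.
    private static final String TRUSTED_PREFIX = "file:///android_asset/www/";
    private final String secret;

    public SecretBridge() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);   // fresh secret per bridge instance
        secret = Base64.encodeToString(raw, Base64.NO_WRAP | Base64.URL_SAFE);
    }

    // Every exposed method takes the secret first and rejects callers without it.
    @JavascriptInterface
    public String exec(String callerSecret, String action) {
        if (callerSecret == null || !MessageDigest.isEqual(   // constant-time compare
                secret.getBytes(StandardCharsets.UTF_8),
                callerSecret.getBytes(StandardCharsets.UTF_8))) {
            return "{\"error\":\"unauthorized\"}";
        }
        return dispatch(action);
    }

    // Illustrative dispatcher with a single harmless action.
    private String dispatch(String action) {
        return "ping".equals(action) ? "{\"ok\":true}" : "{\"error\":\"unknown action\"}";
    }

    public void attach(WebView webView) {
        webView.addJavascriptInterface(this, "NativeBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageFinished(WebView view, String url) {
                // Hand the secret to the top-level document only, and only if it is ours.
                if (url != null && url.startsWith(TRUSTED_PREFIX)) {
                    view.evaluateJavascript("window.__bridgeSecret='" + secret + "';", null);
                }
            }
        });
    }
}
```

The NativeBridge object is still visible in every frame, but a cross-origin iframe cannot read window.__bridgeSecret from the parent, so its calls to exec are rejected. Same-origin frames and any script running in the top-level page can still read the secret, so this limits exposure rather than replacing a restriction on what content is loaded.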
