Hi Denis, I think you bring up a good point. It's probably not a good idea to put untrusted content into an iframe within a Cordova app, for the reason you explained.
Definitely a good first step would be to document this fact. If we can come up with a fix, that would be even better :)

On Mon, Jan 7, 2013 at 4:17 AM, <[email protected]> wrote:

> Hi all,
>
> I would like to know your opinion about iframe support in Cordova, especially on Android. I think the support of iframe can cause security issues for two reasons:
>
> - White list mechanism settled by Cordova becomes ineffective because navigation is made into iframe so the webview does not control the current url loaded inside the iframe
>
> - Native APIs are not only exposed to the page loaded in the webview, even the iframes can access native APIs, which breaks the same origin policy implemented in browsers
>
> That basically means some attackers can interact with native code in unintended ways. This problem is not specific to Cordova, it is a general problem of addJavascriptInterface method of webview.
>
> It is even explained in the webview's javadoc http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>
> The usage of iframe just makes it more obvious.
>
> So, I want to know your opinion about all of this:
>
> - Have you tried to figure out a way to improve security about this (maybe by sharing a secret between the webview and native code to prevent unknown sources from accessing native code)?
>
> - Do you think this point should be outlined in Cordova documentation?
>
> Thx
>
> Denis
