Docs would be the only way we can completely mitigate this. It should be understood that 3rd party scripts are a bad idea by web developers.
On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <[email protected]> wrote:
> Hi Denis,
>
> I think you bring up a good point. It's probably not a good idea to put
> untrusted content into an iframe within a Cordova app, for the reason you
> explained.
>
> Definitely a good first step would be to document this fact. If we can come
> up with a fix, that would be even better :)
>
>
> On Mon, Jan 7, 2013 at 4:17 AM, <[email protected]> wrote:
>
>> Hi all,
>>
>> I would like to know your opinion about iframe support in Cordova
>> especially on Android. I think the support of iframe can cause security
>> issues for two reasons:
>>
>> - White list mechanism settled by Cordova becomes ineffective
>> because navigation is made into iframe so the webview does not control
>> the current url loaded inside the iframe
>>
>> - Native APIs are not only exposed to the page loaded in the
>> webview, even the iframes can access native APIs which breaks the
>> same origin policy implemented in browsers
>>
>> That basically means some attackers can interact with native code in
>> unintended ways. This problem is not specific to Cordova, it is a
>> general problem of addJavascriptInterface method of webview.
>>
>> It is even explained in the webview's javadoc
>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>>
>> The usage of iframe just makes it more obvious.
>>
>> So, I want to know your opinion about all of this:
>>
>> - Have you tried to figure out a way to improve security about
>> this (maybe by sharing a secret between the webview and native code to
>> prevent unknown sources from accessing native code)?
>>
>> - Do you think this point should be outlined in Cordova
>> documentation?
>>
>> Thx
>>
>> Denis
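
One way to make an allowlist cover iframe loads as well as top-level navigation, as an added example that is not code from this thread or from Cordova. The class name, the sample hosts and the `file:///android_asset/` rule are assumptions, and it does not address the second point raised above: an object registered with addJavascriptInterface is still visible to any frame that does load.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical client: checks every resource load, iframes included, against a host allowlist. */
public class AllowlistWebViewClient extends WebViewClient {
    // Constructed sample allowlist; a real app would read this from its own configuration.
    private final Set<String> allowedHosts =
            new HashSet<String>(Arrays.asList("app.example.com", "cdn.example.com"));

    /** Deny by default: only bundled assets and https URLs with an exact host match pass. */
    boolean isAllowed(String url) {
        if (url == null) return false;
        // Assumption: the app's own pages are served from the APK's asset directory.
        if (url.startsWith("file:///android_asset/")) return true;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Exact match only; suffix matching would also accept app.example.com.evil.test.
        return "https".equalsIgnoreCase(scheme)
                && allowedHosts.contains(host.toLowerCase(Locale.US));
    }

    // Top-level navigation: returning true cancels the load.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isAllowed(url);
    }

    // Called for every resource the WebView fetches, including iframe documents
    // (String overload, API 11+). Runs off the UI thread, so it must not touch the view.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isAllowed(url)) {
            return null; // null lets the WebView load the resource normally
        }
        // Substitute an empty body so the blocked frame or script never receives content.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }
}
```

Install it with `webView.setWebViewClient(new AllowlistWebViewClient())` before the first `loadUrl` call.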
