Agreed! We should just discourage web developers from using iFrames whenever we can. They don't even work properly on ICS.

On Tue, Jan 8, 2013 at 8:42 AM, Brian LeRoux <[email protected]> wrote:
> Docs would be the only way we can completely mitigate this. It should
> be understood that 3rd party scripts are a bad idea by web developers.
>
> On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <[email protected]> wrote:
>> Hi Denis,
>>
>> I think you bring up a good point. It's probably not a good idea to put
>> untrusted content into an iframe within a Cordova app, for the reason you
>> explained.
>>
>> Definitely a good first step would be to document this fact. If we can come
>> up with a fix, that would be even better :)
>>
>>
>> On Mon, Jan 7, 2013 at 4:17 AM, <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I would like to know your opinion about iframe support in Cordova
>>> especially on Android. I think the support of iframe can cause security
>>> issues for two reasons:
>>>
>>> - White list mechanism settled by Cordova becomes ineffective
>>> because navigation is made into iframe so the webview does not control
>>> the current url loaded inside the iframe
>>>
>>> - Native APIs are not only exposed to the page loaded in the
>>> webview, even the iframes can access to native APIs which breaks the
>>> same origin policy implemented in browsers
>>>
>>> That basically means some attackers can interact with native code in
>>> unintended ways. This problem is not specific to Cordova, it is a
>>> general problem of addJavascriptInterface method of webview.
>>>
>>> It is even explained in the webview's javadoc
>>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>>>
>>> The usage of iframe just makes it more obvious.
>>>
>>> So, I want to know your opinion about all of this:
>>>
>>> - Have you tried to figure out a way to improve security about
>>> this (maybe by sharing a secret between the webview and native code to
>>> prevent unknown source to access native code)?
>>>
>>> - Do you think this point should be outlined in Cordova
>>> documentation?
>>>
>>> Thx
>>>
>>> Denis
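
Added example, not part of the thread and not Cordova's own code: one way an Android app can apply a whitelist to iframe loads, using `WebViewClient.shouldInterceptRequest`, which is consulted for every resource request including subframe documents. The class name `WhitelistingWebViewClient` and the hosts are assumptions; this covers only the first point raised above, since an object registered with `addJavascriptInterface` stays reachable from any frame that is allowed to load.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical class name; the hosts below are constructed sample values.
public class WhitelistingWebViewClient extends WebViewClient {
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("app.example.com", "cdn.example.com"));

    // Returns true only for packaged app assets and HTTPS URLs on the whitelist.
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if ("file".equalsIgnoreCase(scheme)) {
            // Content shipped inside the APK (file:///android_asset/...).
            String path = uri.getPath();
            return path != null && path.startsWith("/android_asset/")
                    && !path.contains("..");
        }
        String host = uri.getHost();
        // Exact host match; every other scheme or host is refused.
        return "https".equalsIgnoreCase(scheme) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.US));
    }

    // String overload (API 11+); newer code overrides the WebResourceRequest
    // overload instead. Called off the UI thread for page, iframe and
    // subresource loads alike, so an iframe cannot sidestep the check.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isAllowed(url)) {
            return null; // null lets the WebView load the resource normally
        }
        // Substitute an empty body for anything off the whitelist.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }
}
```

Install it with `webView.setWebViewClient(new WhitelistingWebViewClient())` before loading the first page.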
