Looking at docs.cordova.io, I'm thinking it might make sense to change "Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a section to it about the dangers of embedding untrusted content. SG? I'll create a JIRA issue for it.
On Tue, Jan 8, 2013 at 11:49 AM, Joe Bowser <[email protected]> wrote:
> Agreed! We should just discourage web developers from using iFrames
> whenever we can. They don't even work properly on ICS.
>
> On Tue, Jan 8, 2013 at 8:42 AM, Brian LeRoux <[email protected]> wrote:
> > Docs would be the only way we can completely mitigate this. It should
> > be understood that 3rd party scripts are a bad idea by web developers.
> >
> > On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <[email protected]> wrote:
> >> Hi Denis,
> >>
> >> I think you bring up a good point. It's probably not a good idea to put
> >> untrusted content into an iframe within a Cordova app, for the reason you
> >> explained.
> >>
> >> Definitely a good first step would be to document this fact. If we can come
> >> up with a fix, that would be even better :)
> >>
> >>
> >> On Mon, Jan 7, 2013 at 4:17 AM, <[email protected]> wrote:
> >>
> >>> Hi all,
> >>>
> >>> I would like to know your opinion about iframe support in Cordova
> >>> especially on Android. I think the support of iframe can cause security
> >>> issues for two reasons:
> >>>
> >>> - White list mechanism settled by Cordova becomes ineffective
> >>> because navigation is made into iframe so the webview does not control
> >>> the current url loaded inside the iframe
> >>>
> >>> - Native APIs are not only exposed to the page loaded in the
> >>> webview, even the iframes can access to native APIs which breaks the
> >>> same origin policy implemented in browsers
> >>>
> >>> That basically means some attackers can interact with native code in
> >>> unintended ways. This problem is not specific to Cordova, it is a
> >>> general problem of addJavascriptInterface method of webview.
> >>>
> >>> It is even explained in the webview's javadoc
> >>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
> >>>
> >>> The usage of iframe just makes it more obvious.
> >>>
> >>> So, I want to know your opinion about all of this:
> >>>
> >>> - Have you tried to figure out a way to improve security about
> >>> this (maybe by sharing a secret between the webview and native code to
> >>> prevent unknown source to access native code)?
> >>>
> >>> - Do you think this point should be outlined in Cordova
> >>> documentation?
> >>>
> >>> Thx
> >>>
> >>> Denis
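
Added example, not part of the original thread and not Cordova's own code: one way to apply an allowlist to iframe loads on Android, the first point in Denis's message, is to check every request in `WebViewClient.shouldInterceptRequest`, which the WebView also invokes for documents loaded into iframes. The class name `AllowlistWebViewClient` and the host names passed to it are hypothetical.

```java
// Added example (not Cordova code). Class name and host names are assumptions.
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class AllowlistWebViewClient extends WebViewClient {
    private final Set<String> allowedHosts = new HashSet<String>();

    public AllowlistWebViewClient(String... hosts) {
        for (String h : hosts) {
            allowedHosts.add(h.toLowerCase(Locale.US));
        }
    }

    /** True only for bundled assets and HTTPS URLs whose host is listed exactly. */
    boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.US);
        if (scheme.equals("file")) {
            // App content shipped in the APK; anything else on disk is refused.
            String path = uri.getPath();
            return path != null && path.startsWith("/android_asset/") && !path.contains("..");
        }
        if (!scheme.equals("https")) return false; // http:, data:, etc. are refused
        String host = uri.getHost();
        // Exact match only: no suffix matching, so "evil-example.com" cannot pass as "example.com".
        return host != null && allowedHosts.contains(host.toLowerCase(Locale.US));
    }

    // Invoked for resource requests made by the WebView, including iframe documents.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isAllowed(url)) {
            return null; // null lets the WebView load the resource normally
        }
        // Substitute an empty body so a non-allowlisted frame gets no content to run.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }
}
```

Install it with `webView.setWebViewClient(new AllowlistWebViewClient("api.example.com"))`, where the host is a placeholder. This restricts which origins can load inside a frame; a frame from an allowed origin still sees any object registered with `addJavascriptInterface`, which is the second point in the message.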
