How about enabling the setting when the IAB is opened with a file:/// URL? I think the security concern would come when it's opened with a malicious http:/// URL that then navigated to a file:/// URL.
On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <[email protected]> wrote:

> Fair enough. How about adding the following option on Android?
>
> allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running in
> the context of a file scheme to be allowed to access content from any
> origin.
>
> Eg.
> window.open('iab.html', '_blank',
> 'location=no,toolbar=no,allowuniversalaccessfromfile=yes');
>
> On 8/27/13 10:57 AM, "Ian Clelland" <[email protected]> wrote:
>
> >This looks like a direct port of cordova-android commit #07439ff9 to
> >InAppBrowser.
> >
> >The actual setting controls whether file:///* urls are allowed to execute
> >JavaScript from any context; it is usually false for browsers (at least
> >Chrome) for security reasons. We turn it on for the main Cordova WebView,
> >since (presumably) the developer has full control over what URLs can be
> >loaded into that space. InAppBrowser is meant to be more like a regular
> >browser view, (i.e. no Cordova APIs), so we haven't chosen to open that
> >up.
> >
> >There is probably a good case to be made for allowing this -- certainly
> >not as the default setting, but as an option that the app can set in
> >specific cases when it knows that the IAB is only going to be used for
> >local content, and won't be executing arbitrary scripts.
> >
> >Ian
> >
> >On Mon, Aug 26, 2013 at 10:56 PM, Shazron <[email protected]> wrote:
> >
> >> I'll let the Android devs comment on this more - seems like an easy
> >> patch but the question is more of a policy thing, whether we want it in
> >> there at all. If anything, it would be an InAppBrowser option.
> >>
> >> On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <[email protected]> wrote:
> >>
> >> > Hi All,
> >> >
> >> > We ran into this issue with the InAppBrowser with local URLs, happens
> >> > on JellyBean only.
> >> >
> >> > https://issues.apache.org/jira/browse/CB-4083
> >> >
> >> > The fix is suggested in the comments if @Shazron or others can take a
> >> > look.
> >> >
> >> > So far we have been patching it on our side and would like customers
> >> > to use the default Cordova plugin.
> >> >
> >> > Thanks
> >> >
> >> > Raman
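
The gating discussed in this thread, as an added example that is not code from the Cordova InAppBrowser plugin or from any poster: the setting is enabled only when the app opted in and the first URL is a file:// URL, and navigation is then kept from crossing between web and local content. `FileAccessGate` and its methods are hypothetical names; the sketch assumes the URL has already been resolved to an absolute one and installs its own `WebViewClient`, whereas inside the plugin the check would belong in its existing client.

```java
import android.annotation.TargetApi;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical helper (assumption), not part of the InAppBrowser plugin. */
public final class FileAccessGate {

    private FileAccessGate() {}

    /** True only when the app opted in AND the first URL is a file:// URL. */
    static boolean shouldAllow(String initialUrl, boolean optedIn) {
        return optedIn && isFileUrl(initialUrl);
    }

    static boolean isFileUrl(String url) {
        return url != null && "file".equalsIgnoreCase(Uri.parse(url).getScheme());
    }

    /** Call before the first loadUrl(); initialUrl must already be absolute. */
    @TargetApi(Build.VERSION_CODES.JELLY_BEAN)
    static void apply(WebView view, final String initialUrl, boolean optedIn) {
        final boolean allow = shouldAllow(initialUrl, optedIn);
        WebSettings settings = view.getSettings();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // The setter exists from API 16 (Jelly Bean) onward.
            settings.setAllowUniversalAccessFromFileURLs(allow);
        }
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                // Returning true cancels the navigation inside this WebView.
                if (!isFileUrl(initialUrl)) {
                    // Session started on web content: never follow it to file://.
                    return isFileUrl(url);
                }
                // Session started on local content with universal access on:
                // do not let that WebView wander off to remote pages.
                return allow && !isFileUrl(url);
            }
        });
    }
}
```

`shouldOverrideUrlLoading` is not invoked for the app's own `loadUrl()` calls, so the scheme check on the initial URL in `shouldAllow` remains the primary gate.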
