I guess the answer for core would then lie in custom trust managers after all?

Would a custom X509TrustManager even be consulted by the webView?


On 14 Jan 2014, at 1:28 pm, Andrew Grieve <agri...@chromium.org> wrote:

> Implementation notes that come to mind:
> 
> Android:
> I think this will actually be impossible to do on Android :(.
> shouldInterceptRequest is the closest thing you'd need, as it's your
> hook for overriding network requests. However, it exposes only the URL
> that is being requests. Not the HTTP method, not any request headers,
> not the request payload. :(. You could add it in for FileTransfer
> though. You could also add it in using a strange different API (e.g.
> set headers, method, payload using exec(), then use an XHR to fire the
> request). For GET requests, it matters less since you can get the
> Cookies for it, but still are lacking custom headers.
> 
> iOS:
> URLProtocol is the way to go. As long as the URL is whitelisted,
> Cordova's won't touch it and your registered protocol will pick it up.
> CDVProtocol should at least provide a helper method for mapping a
> request to a UIWebView though. But I do think multiple URLProtocol
> handlers will work fine.
> From past experience, if you use NSURLConnection to implement all
> UIWebView requests, then it will work just fine... except for hanging
> gets. NSURLConnection buffers responses and so won't trickle data down
> to you as it comes, which hanging gets require. Not a big deal...
> unless you want to use a hanging get.
> 
> 
> 
> 
> 
> 
> 
> On Mon, Jan 13, 2014 at 5:13 PM, Joe Bowser <bows...@gmail.com> wrote:
>> On Mon, Jan 13, 2014 at 2:00 PM, Tommy-Carlos Williams
>> <to...@devgeeks.org> wrote:
>>> Marcel,
>>> 
>>> Well, I was hoping it would not come down to custom TrustManagers. I was 
>>> hoping to hook into the CordovaWebViewClient’s shouldInterceptRequest().
>>> 
>>> I realise this is in API 11+, but don’t know of another way off the top of 
>>> my head (was hoping this thread could help, yay).
>>> 
>>> Is the issue related to that “security hole” thread where the whitelist 
>>> isn’t checked with ajax/xhr on API < 11 ?
>>> 
>> 
>> Yup.  There's no such thing as shouldInterceptRequest() in
>> Gingerbread.  I think we should just assume that anyone who owns a
>> Gingerbread phone is already owned based on the tons of other known
>> security flaws on that device and just move on.
>> 
>>> 
>>> 
>>> 
>>> On 14 Jan 2014, at 8:53 am, Marcel Kinard <cmarc...@gmail.com> wrote:
>>> 
>>>> I am curious how this would be implemented on Android. If you construct an 
>>>> SSLSocketFactory with your private TrustManager that contains the pinned 
>>>> cert, how do you get the Android webview to use that SSLSocketFactory?
>>>> 
>>> 

Reply via email to