Actually, looking again, there's a custom API just for SSL certs that
will provide you the cert to check: onReceivedSslError().

On Tue, Jan 14, 2014 at 12:29 AM, Tommy-Carlos Williams
<to...@devgeeks.org> wrote:
> I guess the answer for core would then lie in custom trust managers after all?
>
> Would a custom X509TrustManager even be consulted by the webView?
>
>
> On 14 Jan 2014, at 1:28 pm, Andrew Grieve <agri...@chromium.org> wrote:
>
>> Implementation notes that come to mind:
>>
>> Android:
>> I think this will actually be impossible to do on Android :(.
>> shouldInterceptRequest is the closest thing you'd need, as it's your
>> hook for overriding network requests. However, it exposes only the URL
>> that is being requests. Not the HTTP method, not any request headers,
>> not the request payload. :(. You could add it in for FileTransfer
>> though. You could also add it in using a strange different API (e.g.
>> set headers, method, payload using exec(), then use an XHR to fire the
>> request). For GET requests, it matters less since you can get the
>> Cookies for it, but still are lacking custom headers.
>>
>> iOS:
>> URLProtocol is the way to go. As long as the URL is whitelisted,
>> Cordova's won't touch it and your registered protocol will pick it up.
>> CDVProtocol should at least provide a helper method for mapping a
>> request to a UIWebView though. But I do think multiple URLProtocol
>> handlers will work fine.
>> From past experience, if you use NSURLConnection to implement all
>> UIWebView requests, then it will work just fine... except for hanging
>> gets. NSURLConnection buffers responses and so won't trickle data down
>> to you as it comes, which hanging gets require. Not a big deal...
>> unless you want to use a hanging get.
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Jan 13, 2014 at 5:13 PM, Joe Bowser <bows...@gmail.com> wrote:
>>> On Mon, Jan 13, 2014 at 2:00 PM, Tommy-Carlos Williams
>>> <to...@devgeeks.org> wrote:
>>>> Marcel,
>>>>
>>>> Well, I was hoping it would not come down to custom TrustManagers. I was 
>>>> hoping to hook into the CordovaWebViewClient’s shouldInterceptRequest().
>>>>
>>>> I realise this is in API 11+, but don’t know of another way off the top of 
>>>> my head (was hoping this thread could help, yay).
>>>>
>>>> Is the issue related to that “security hole” thread where the whitelist 
>>>> isn’t checked with ajax/xhr on API < 11 ?
>>>>
>>>
>>> Yup.  There's no such thing as shouldInterceptRequest() in
>>> Gingerbread.  I think we should just assume that anyone who owns a
>>> Gingerbread phone is already owned based on the tons of other known
>>> security flaws on that device and just move on.
>>>
>>>>
>>>>
>>>>
>>>> On 14 Jan 2014, at 8:53 am, Marcel Kinard <cmarc...@gmail.com> wrote:
>>>>
>>>>> I am curious how this would be implemented on Android. If you construct 
>>>>> an SSLSocketFactory with your private TrustManager that contains the 
>>>>> pinned cert, how do you get the Android webview to use that 
>>>>> SSLSocketFactory?
>>>>>
>>>>
>

Reply via email to