Actually, looking again, there's a custom API just for SSL certs that will provide you the cert to check: onReceivedSslError().
On Tue, Jan 14, 2014 at 12:29 AM, Tommy-Carlos Williams <to...@devgeeks.org> wrote: > I guess the answer for core would then lie in custom trust managers after all? > > Would a custom X509TrustManager even be consulted by the webView? > > > On 14 Jan 2014, at 1:28 pm, Andrew Grieve <agri...@chromium.org> wrote: > >> Implementation notes that come to mind: >> >> Android: >> I think this will actually be impossible to do on Android :(. >> shouldInterceptRequest is the closest thing you'd need, as it's your >> hook for overriding network requests. However, it exposes only the URL >> that is being requests. Not the HTTP method, not any request headers, >> not the request payload. :(. You could add it in for FileTransfer >> though. You could also add it in using a strange different API (e.g. >> set headers, method, payload using exec(), then use an XHR to fire the >> request). For GET requests, it matters less since you can get the >> Cookies for it, but still are lacking custom headers. >> >> iOS: >> URLProtocol is the way to go. As long as the URL is whitelisted, >> Cordova's won't touch it and your registered protocol will pick it up. >> CDVProtocol should at least provide a helper method for mapping a >> request to a UIWebView though. But I do think multiple URLProtocol >> handlers will work fine. >> From past experience, if you use NSURLConnection to implement all >> UIWebView requests, then it will work just fine... except for hanging >> gets. NSURLConnection buffers responses and so won't trickle data down >> to you as it comes, which hanging gets require. Not a big deal... >> unless you want to use a hanging get. >> >> >> >> >> >> >> >> On Mon, Jan 13, 2014 at 5:13 PM, Joe Bowser <bows...@gmail.com> wrote: >>> On Mon, Jan 13, 2014 at 2:00 PM, Tommy-Carlos Williams >>> <to...@devgeeks.org> wrote: >>>> Marcel, >>>> >>>> Well, I was hoping it would not come down to custom TrustManagers. I was >>>> hoping to hook into the CordovaWebViewClient’s shouldInterceptRequest(). >>>> >>>> I realise this is in API 11+, but don’t know of another way off the top of >>>> my head (was hoping this thread could help, yay). >>>> >>>> Is the issue related to that “security hole” thread where the whitelist >>>> isn’t checked with ajax/xhr on API < 11 ? >>>> >>> >>> Yup. There's no such thing as shouldInterceptRequest() in >>> Gingerbread. I think we should just assume that anyone who owns a >>> Gingerbread phone is already owned based on the tons of other known >>> security flaws on that device and just move on. >>> >>>> >>>> >>>> >>>> On 14 Jan 2014, at 8:53 am, Marcel Kinard <cmarc...@gmail.com> wrote: >>>> >>>>> I am curious how this would be implemented on Android. If you construct >>>>> an SSLSocketFactory with your private TrustManager that contains the >>>>> pinned cert, how do you get the Android webview to use that >>>>> SSLSocketFactory? >>>>> >>>> >