On Fri, Jan 31, 2014 at 1:01 PM, Andrew Grieve <[email protected]> wrote:
> I don't think there's a chicken and egg problem:
> State 0 - Native has no token, JS has no token
> State 1 - JS in main frame includes cordova.js
> State 2 - JS in main frame generates a token, and provides it to native
> State 3 - Native, not already having a token, accepts it and saves it.
>
> Now both JS and native have the same token in memory without needing to go
> through localstorage.
I read the above as:

State 0 - Native has no token, JS has no token
State 1 - JS in iframe includes a modified cordova.js
State 2 - JS in iframe generates a token, and provides it to native.
State 2' - Due to frame confusion in some configurations the token is visible to anyone.
State 3 - Native, not already having a token, accepts it and saves it.

Now both JS (both originator and attacker, and pretty much anyone who wanted it) and native have the same token in memory without needing to go through localstorage.
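A small model of the handshake both messages describe, added here as an illustration and not code from the thread or from Cordova: "native" keeps the first token it is offered, so whichever frame's cordova.js reports first is the one native ends up trusting. The `requireMainFrame` option is an assumed, illustrative check to show what a frame-aware acceptance rule changes in the model; it is not the fix the project adopted.

```javascript
// Added illustrative model (not Cordova code) of the JS <-> native token handshake.
// "Native" keeps the first token it is offered and rejects any later offer.
function createNative(opts = {}) {
  const state = { token: null, owner: null };
  return {
    // frame: { isMainFrame: boolean, name: string } describes who is offering the token
    acceptToken(token, frame) {
      if (state.token !== null) return false;            // State 3 only fires once
      // Illustrative hardening (assumption, not the project's fix): only trust the main frame
      if (opts.requireMainFrame && !frame.isMainFrame) return false;
      state.token = token;
      state.owner = frame.name;
      return true;
    },
    holder() { return state.owner; },
    token() { return state.token; },
  };
}

// Each frame that loads (a possibly modified) cordova.js generates its own token
// and offers it to native. The frames below are constructed for the thread's scenario.
function loadCordovaJs(frame, native) {
  const token = `${frame.name}-token`;                   // stand-in for a random token
  const accepted = native.acceptToken(token, frame);
  return { frame: frame.name, token, accepted };
}

// Run the handshake with frames reporting in the given order; returns whose token native holds.
function simulate(order, opts) {
  const native = createNative(opts);
  const frames = {
    main: { isMainFrame: true, name: 'main' },
    iframe: { isMainFrame: false, name: 'iframe' },
  };
  const results = order.map((name) => loadCordovaJs(frames[name], native));
  return { holder: native.holder(), results };
}

// Happy path from Andrew's states: main frame reports first, native binds to it.
console.log(simulate(['main', 'iframe']).holder);                              // → 'main'
// Frame confusion: an iframe's cordova.js reports first and native binds to it instead.
console.log(simulate(['iframe', 'main']).holder);                              // → 'iframe'
// With the illustrative main-frame check, the iframe's offer is refused and main still wins.
console.log(simulate(['iframe', 'main'], { requireMainFrame: true }).holder);  // → 'main'
```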
