On Fri, Jan 31, 2014 at 4:34 PM, Martin Georgiev <[email protected]> wrote:
> On Fri, Jan 31, 2014 at 3:27 PM, Andrew Grieve <[email protected]>
> wrote:
> > Why is loadUrl insecure? (hopefully something less horrible than
> > addJsInterface pre JB... :P)
>
> Think about the usecase where a benign website is framed by a
> malicious one. Again, this is server side. The app developer can't
> prevent it from happening. The framework developer must make sure that
> all usecases are handled properly.
>

Ah, I hadn't considered that the main frame might be malicious. I don't see how this would happen with a Cordova app though. We strongly encourage users to use file:/// URLs for their app. For those that use HTTP, that's insecure anyways and would be whitelisted by this scheme. If you use HTTPS, then you should be fine, no?
