EtienneLem opened a new issue #1064: URL: https://github.com/apache/cordova-android/issues/1064
Quoting the [Iframes and the Callback Id Mechanism](https://cordova.apache.org/docs/en/latest/guide/appdev/security/index.html#iframes-and-the-callback-id-mechanism) section of the Security Guide:

> If content is served in an iframe from a whitelisted domain, **that domain will have access to the native Cordova bridge**. This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions. Because of this, you should generally not use iframes unless you control the server that hosts the iframe content. Also note that there are third party plugins available to support advertising networks. Note that this statement is not true for iOS, which intercepts everything including iframe connections.

We are in a situation where we have iframes that can serve content from a third-party source not controlled by us (integrations/plugins in our app). Our own app data is secured; the only way to communicate with our app is via [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage). We even have 2 levels of iframe — it’s an iframe inside an iframe — where the first level is controlled by us (for CSP reasons).

When inspecting from the uncontrolled iframe, you can indeed have access to the [`_cordovaNative`](https://github.com/apache/cordova-android/blob/80b7a7f6acb43dfc2dfd4fd87261052496f37756/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L235-L238) object, which has the `exec` method. As you can see from the [method signature](https://github.com/apache/cordova-android/blob/master/cordova-js-src/android/promptbasednativeapi.js), it expects a `bridgeSecret` as the first parameter. Said secret seems to be generated from the native side, and any attempt at using the method with the wrong secret will completely disable the bridge.
My question is: Since the secret isn’t exposed to JavaScript, is different for everyone, and changes every time you reload the app, how can this bridge exposure be exploited? I’d also be curious to know how plugins can still use `cordova.exec` without the bridge secret.
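The post describes a host frame that only talks to untrusted plugin iframes through `window.postMessage`. The following is an added example (not code from the issue or from the cordova-android project) of a host-side receiver for that setup: messages are accepted only from an assumed allowlisted origin, only with a host-defined action name, and the untrusted frame never chooses what gets passed to the native bridge. The origin `https://plugins.example.com` and the action set are assumptions for illustration.

```javascript
// Added example: host-frame postMessage receiver for untrusted plugin iframes.
// The untrusted frame may only request host-defined actions; it never supplies
// a Cordova service/action pair or any argument that reaches cordova.exec
// unvalidated. Origins and actions below are constructed for the example.

const ALLOWED_ORIGINS = new Set([
  "https://plugins.example.com", // assumed origin of the third-party iframe
]);

// Host-defined actions. Each validates its payload and returns a description of
// what the host would do; in the real app this is where cordova.exec is called
// by the host's own code, with arguments the host has checked.
const ACTIONS = {
  "open-url": (payload) => {
    if (typeof payload.url !== "string" || !/^https:\/\//.test(payload.url)) {
      return { ok: false, error: "invalid url" };
    }
    return { ok: true, action: "open-url", url: payload.url };
  },
  "resize": (payload) => {
    const h = Number(payload.height);
    if (!Number.isFinite(h) || h < 0 || h > 4000) {
      return { ok: false, error: "invalid height" };
    }
    return { ok: true, action: "resize", height: h };
  },
};

// Validate one MessageEvent-like object { origin, data } and run the matching
// action. Pure function, so it can be exercised without a browser.
function handleFrameMessage(event, allowedOrigins = ALLOWED_ORIGINS, actions = ACTIONS) {
  if (!allowedOrigins.has(event.origin)) {
    return { ok: false, error: "origin not allowed" };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, error: "malformed message" };
  }
  // hasOwnProperty guards against lookups like "constructor" or "__proto__".
  if (!Object.prototype.hasOwnProperty.call(actions, msg.type)) {
    return { ok: false, error: "unknown action" };
  }
  return actions[msg.type](msg.payload || {});
}

// In the host frame: reply only to the sending frame, scoped to its origin.
function installListener(win) {
  win.addEventListener("message", (event) => {
    const result = handleFrameMessage(event);
    if (event.source && typeof event.source.postMessage === "function") {
      event.source.postMessage(result, event.origin);
    }
  });
}
```

Call `installListener(window)` from the host frame once on load; the inner, uncontrolled iframe can then only trigger the two listed actions and only with validated arguments.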
