breautek commented on issue #1086: URL: https://github.com/apache/cordova-ios/issues/1086#issuecomment-786651866
No. Servers must be allow-listed ahead of time and cannot be changed during runtime.

## Why?

In the event of a malicious code execution, the allow list will prevent data from being sent to their malicious servers, assuming the allow list is configured as restrictively as possible. If the app could change the allow list during runtime, it will break this damage mitigation as the malicious actor could then simply update the allow list themselves.

## Most Ideal Scenario

I obviously have no clue about your product or infrastructure, but I'll explain a workaround that, in my opinion, would be the most secure way of dealing with your issue. This may or may not be possible for your project for a number of different reasons, because I'll be making a number of assumptions.

Firstly, you could just open the gates by allowing any and all servers to communicate with your app, but for the reasons above this would not be recommended.

The app should communicate with a single server, which is a proxy server which will then communicate with your client's server address. This shouldn't be configurable from the app itself but through a web portal. The app can then white list your proxy server, and your proxy server should only allow requests to be made on behalf of the client to what they have configured.

In this configuration, should the app be vulnerable to remote code execution, the damage mitigation hasn't been defeated, as the app can only communicate with the proxy server and the proxy server should only allow the client to communicate with their configured server. This also has the added benefit that you can configure CORS properly and not have to worry about your clients implementing CORS wrong.

Disclaimer: I'm not a security engineer.

Because this isn't a bug, I'll be closing this issue. If you would like to discuss more on this subject, our [Slack](http://slack.cordova.io/) community can probably help.
Cheers,
Norman
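The proxy-side destination check described in the comment above, sketched as an added example (not part of the original comment and not Cordova code). `CLIENT_UPSTREAMS`, `resolveUpstream`, the client ids and the hostnames are hypothetical; the map stands in for whatever the web portal stores per client.

```javascript
// Constructed sample of per-client upstreams as configured in the web portal.
// The app never sends a host; it sends a client id and a relative path only.
const CLIENT_UPSTREAMS = new Map([
  ['client-a', 'https://api.client-a.example/v1/'],
  ['client-b', 'https://backend.client-b.example:8443/'],
]);

// Returns { ok: true, url } for a request the proxy may forward,
// or { ok: false, reason } for one it must refuse.
function resolveUpstream(clientId, requestedPath) {
  const base = CLIENT_UPSTREAMS.get(clientId);
  if (!base) return { ok: false, reason: 'unknown client' };
  if (typeof requestedPath !== 'string' || requestedPath.length > 2048) {
    return { ok: false, reason: 'bad path' };
  }
  // Refuse anything the URL parser could read as a new destination:
  // a scheme ("https:"), a protocol-relative "//host", backslashes
  // (parsed as slashes for http/https), or control characters.
  if (/^[a-z][a-z0-9+.-]*:/i.test(requestedPath) ||
      /^[\\/]{2}/.test(requestedPath) ||
      /[\\\x00-\x1f]/.test(requestedPath)) {
    return { ok: false, reason: 'absolute or malformed path' };
  }
  const baseUrl = new URL(base);
  let target;
  try {
    // Strip a leading "/" so the path resolves under the configured prefix.
    target = new URL(requestedPath.replace(/^\/+/, ''), baseUrl);
  } catch {
    return { ok: false, reason: 'unparseable path' };
  }
  // Check the parsed result, not the input string: the origin must be the
  // configured one and dot segments must not climb out of the prefix.
  if (target.origin !== baseUrl.origin) {
    return { ok: false, reason: 'origin mismatch' };
  }
  if (!target.pathname.startsWith(baseUrl.pathname)) {
    return { ok: false, reason: 'path escapes configured prefix' };
  }
  return { ok: true, url: target.href };
}
```

With this in place the app's own allow list needs only the proxy's origin, and a compromised app can reach no host other than the one the portal recorded for its client.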
