[
https://issues.apache.org/jira/browse/CB-3576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13890007#comment-13890007
]
Marcel Kinard commented on CB-3576:
-----------------------------------
BTW, if all you want is for self-signed certs to be blindly accepted in
production (not debug mode), then all you need to do is modify the handling
logic in onReceivedSslError() in the CordovaWebViewClient class by way of
direct source modification or by overriding in an extending class. Then you
don't need to wait for this interstitial to be implemented.

Note that from a security perspective, this is risky behavior because the
server's identity is not validated, which makes you susceptible to
man-in-the-middle attacks.

> Add support for interstitial user confirmation of self-signed SSL certs to
> CordovaWebView and InAppBrowser
> ----------------------------------------------------------------------------------------------------------
>
> Key: CB-3576
> URL: https://issues.apache.org/jira/browse/CB-3576
> Project: Apache Cordova
> Issue Type: Improvement
> Components: Android, iOS, Plugin InAppBrowser
> Affects Versions: 2.7.0, 2.8.0
> Environment: Android and iOS
> Reporter: Montyleena
> Priority: Minor
> Labels: android, https, inappbrowser, ios, ssl
> Attachments: InAppBrowser.java
>
>
> Local https links are blocked by default in InAppBrowser (links using a local
> SSL certificate which can't be verified by a 3rd party). Ideally, user should
> be given an option to proceed or cancel the request like the default
> desktop/mobile browsers do.
> Right now, we have to overwrite the following API in Android to access such
> URLs but onReceivedSslError() function gets called only for the main PhoneGap
> window browser and not for InAppBrowser.
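> Create a new class:
>
>     import android.net.http.SslError;
>     import android.util.Log;
>     import android.webkit.SslErrorHandler;
>     import android.webkit.WebView;
>     import org.apache.cordova.CordovaWebViewClient;
>     import org.apache.cordova.DroidGap;
>
>     public class CustomWebViewClient extends CordovaWebViewClient {
>
>         public static final String LOG_TAG = "Plugin";
>
>         public CustomWebViewClient(DroidGap ctx) {
>             super(ctx);
>             Log.d(LOG_TAG, "Constructor!");
>         }
>
>         @Override
>         public void onReceivedSslError(WebView view, SslErrorHandler handler,
>                 SslError error) {
>             // Continues past every certificate error without inspecting it.
>             handler.proceed();
>         }
>     }
>
> In the main class, we use our custom class as a web view client:
>
>     CordovaWebViewClient webViewClient = new CustomWebViewClient(this);
>     webViewClient.setWebView(this.appView);
>     this.appView.setWebViewClient(webViewClient);
>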
> And similar type of code needs to be written for iOS.
> InAppBrowser should pick up the SSL settings from the main web view and once
> we overwrite the onReceivedSslError() function, then it should allow such
> URLs in the InAppBrowser too.
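
For comparison with the handler.proceed() override discussed in this thread, here is an added example (not code from the issue, its attachment, or the Cordova project) of an onReceivedSslError() override that continues only when the server presents one specific, known self-signed certificate. The class name PinnedCertWebViewClient, the all-zero placeholder fingerprint, and the use of the "x509-certificate" key in the Bundle returned by SslCertificate.saveState() are assumptions of this sketch.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import java.security.MessageDigest;
import org.apache.cordova.CordovaWebViewClient;
import org.apache.cordova.DroidGap;

// Hypothetical class: accepts a single pinned self-signed certificate only.
public class PinnedCertWebViewClient extends CordovaWebViewClient {

    // Placeholder value: replace with the SHA-256 of your server certificate (DER).
    private static final byte[] PINNED_SHA256 = hex(
            "0000000000000000000000000000000000000000000000000000000000000000");

    public PinnedCertWebViewClient(DroidGap ctx) {
        super(ctx);
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (isPinnedSelfSigned(error)) handler.proceed();
        else handler.cancel();
    }

    static boolean isPinnedSelfSigned(SslError error) {
        // Tolerate only "untrusted issuer"; expiry and hostname mismatch still fail.
        if (error.hasError(SslError.SSL_EXPIRED) || error.hasError(SslError.SSL_NOTYETVALID)
                || error.hasError(SslError.SSL_IDMISMATCH)) return false;
        if (!error.hasError(SslError.SSL_UNTRUSTED)) return false;
        try {
            // Assumption: saveState() stores the DER bytes under "x509-certificate".
            Bundle state = SslCertificate.saveState(error.getCertificate());
            byte[] der = (state == null) ? null : state.getByteArray("x509-certificate");
            if (der == null) return false;  // cannot verify, so fail closed
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return MessageDigest.isEqual(digest, PINNED_SHA256);
        } catch (Exception e) {
            return false;                   // any failure rejects the connection
        }
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

It is installed the same way as the CustomWebViewClient in the issue description; any certificate other than the pinned one, including one substituted by an intermediary, ends in handler.cancel().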