Andrew Grieve created CB-5988:
---------------------------------
Summary: Allow the Android exec() to be used only by <content>'s domain
Key: CB-5988
URL: https://issues.apache.org/jira/browse/CB-5988
Project: Apache Cordova
Issue Type: Bug
Components: Android
Reporter: Andrew Grieve
Assignee: Andrew Grieve
Discussion: http://markmail.org/thread/yohym3xqomjp4a64
Add a random number to exec() to increase its security.
Use the domain of the <content> tag as the only one the native side will
provide a token to. Both Android and iOS can know the URL of the main frame,
and choose not to provide a token if the domain doesn't match that of content
(with file:/// always being allowed).
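
The gate described in this issue, as an added sketch that is not Cordova's own code: the native side hands a random token only to a main frame whose URL matches the <content> domain (file:/// always allowed) and rejects exec() calls without it. BridgeTokenGate, its method names, the scheme-plus-host reading of "domain" and the sample URLs are assumptions.

```java
import java.net.URI;
import java.security.SecureRandom;

// Added sketch: BridgeTokenGate and its methods are hypothetical names, not Cordova APIs.
public class BridgeTokenGate {
    private static final SecureRandom RNG = new SecureRandom();
    private final URI content;      // value of <content src="..."> from config.xml
    private int expected = -1;      // -1: no token currently issued

    public BridgeTokenGate(String contentSrc) { this.content = URI.create(contentSrc); }

    // Called on each main-frame load: returns a fresh token, or -1 to withhold it.
    public synchronized int issueToken(String mainFrameUrl) {
        expected = -1;              // a navigation always invalidates the old token
        if (isAllowed(mainFrameUrl)) expected = RNG.nextInt(Integer.MAX_VALUE);
        return expected;
    }

    // Called on each exec(): reject unless the caller presents the current token.
    public synchronized boolean verify(int token) {
        return expected >= 0 && token == expected;
    }

    boolean isAllowed(String url) {
        URI u;
        try { u = URI.create(url); } catch (RuntimeException e) { return false; }
        String scheme = u.getScheme(), host = u.getHost();
        if (scheme == null) return false;
        if (scheme.equalsIgnoreCase("file")) return true;   // file:/// is always allowed
        // Assumption: "domain" is matched as scheme plus host, both case-insensitive.
        // A relative <content> (no host) therefore allows only file: URLs.
        return host != null && host.equalsIgnoreCase(content.getHost())
            && scheme.equalsIgnoreCase(content.getScheme());
    }

    public static void main(String[] args) {
        BridgeTokenGate gate = new BridgeTokenGate("https://app.example.com/index.html");
        // Constructed sample URLs, including a lookalike host that must not match.
        String[] urls = { "https://app.example.com/page2.html", "file:///android_asset/www/index.html",
                          "https://other.example.net/", "https://app.example.com.other.example/" };
        for (String url : urls) {
            int token = gate.issueToken(url);
            System.out.println(url + " -> token issued: " + (token >= 0)
                + ", exec with token accepted: " + gate.verify(token)
                + ", exec with guessed token accepted: " + gate.verify(token + 1));
        }
    }
}
```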