[ 
https://issues.apache.org/jira/browse/CB-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052093#comment-14052093
 ] 

ASF subversion and git services commented on CB-5988:
-----------------------------------------------------

Commit 558e8d55db0699da095f1973de71dcf97a6184d9 in cordova-js's branch 
refs/heads/master from [~agrieve]
[ https://git-wip-us.apache.org/repos/asf?p=cordova-js.git;h=558e8d5 ]

CB-5988 android: Allow exec() only from file: or start-up URL's domain

Native side of change:
http://git-wip-us.apache.org/repos/asf/cordova-android/commit/aab47bd4


> Allow the Android exec() to be used only by <content>'s domain
> --------------------------------------------------------------
>
>                 Key: CB-5988
>                 URL: https://issues.apache.org/jira/browse/CB-5988
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Andrew Grieve
>            Assignee: Andrew Grieve
>
> Discussion: http://markmail.org/thread/yohym3xqomjp4a64
> Add a random number to exec() to increase its security.
> Use the domain of the <content> tag as the only one the native side will 
> provide a token to. Both Android and iOS can know the URL of the main frame, 
> and choose not to provide a token if the domain doesn't match that of content 
> (with file:/// always being allowed).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
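
The gating described in the issue above, as an added example that is not Cordova's code: a hypothetical `BridgeGate` models the native side, issuing a random secret only when the main-frame URL is `file:` or matches the start-up URL, and rejecting `exec()` calls that do not present it. The class and method names and all URLs are assumptions, and the sketch compares scheme and port as well as host, which is stricter than the issue's "domain" wording.

```javascript
const { randomInt } = require('crypto');

// Hypothetical model of the native side: it knows the start-up (<content>)
// URL and holds the current bridge secret. Names are illustrative only.
class BridgeGate {
  constructor(startUrl) {
    this.start = new URL(startUrl);
    this.secret = null;
  }

  // Decide from the parsed main-frame URL, never from a string prefix:
  // "https://app.example.test.evil.example/" shares a prefix but not a host.
  isAllowed(mainFrameUrl) {
    let u;
    try {
      u = new URL(mainFrameUrl);
    } catch (e) {
      return false; // unparseable URL: no token
    }
    if (u.protocol === 'file:') return true; // file:/// is always allowed
    // Assumption: match scheme and host:port, not just the host name.
    return u.protocol === this.start.protocol && u.host === this.start.host;
  }

  // Called on every main-frame load: a fresh random secret, or none at all.
  // Replacing the secret also invalidates one handed to the previous page.
  onPageLoad(mainFrameUrl) {
    this.secret = this.isAllowed(mainFrameUrl) ? randomInt(1, 2 ** 31) : null;
    return this.secret;
  }

  // exec() is honoured only when the caller presents the current secret.
  exec(presentedSecret, action) {
    if (this.secret === null || presentedSecret !== this.secret) {
      throw new Error('exec() rejected: missing or stale bridge secret');
    }
    return 'ran ' + action;
  }
}
```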
