URIs

Ian Clelland (JIRA) Tue, 04 Nov 2014 10:33:00 -0800

     [ 
https://issues.apache.org/jira/browse/CB-7758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Ian Clelland reopened CB-7758:
------------------------------
      Assignee: Ian Clelland

Thinking some more about this, I think that we may have to change the way we're 
doing it. This solution opens up a potential security hole, where an app could 
be targeted specifically by malware which creates a content provider with the 
same root package name as the app, and is therefore granted access to the 
bridge.

On the 4.x branch, I've merged the bridge access logic with the navigation 
logic (if you can navigate the webview to a page, then the page should have 
access to the bridge). I think we should do something similar here, and check 
the config whitelist before granting access.

It would mean that you have to grant access to the content urls in config.xml:

{code}
<access src="content://com.ionicframework.ionicapp.jsHybugger/*" />
<access src="content://com.ionicframework.ionicapp.myProvider/*" />
{code}

but you probably need that anyway to support using those pages within an app.

Would that work for you?

> Support for content:// URIs
> ---------------------------
>
>                 Key: CB-7758
>                 URL: https://issues.apache.org/jira/browse/CB-7758
>             Project: Apache Cordova
>          Issue Type: New Feature
>          Components: Android
>    Affects Versions: 3.6.0
>         Environment: Android 4.3
>            Reporter: Wolfgang Flohr-Hochbichler
>            Assignee: Ian Clelland
>            Priority: Minor
>
> Device ready event is not fired if page is loaded via content:// protocol. 
> I assume it has something to do with a security check done within 
> CordovaBridge.java which triggers the following gap_init error message.
> 10-09 10:10:18.071 16719 16719 E CordovaBridge: gap_init called from 
> restricted origin: 
> content://com.ionicframework.ionicapp795549.jsHybugger/file:///android_asset/www/index.html#/tab/dash
> 10-09 10:10:23.075 16719 16719 D CordovaLog: 
> content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js: Line 
> 112 : deviceready has not fired after 5 seconds.
> 10-09 10:10:23.075 16719 16719 I Web Console: deviceready has not fired after 
> 5 seconds. at 
> content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js:112



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Reopened] (CB-7758) Support for content:// URIs

Reply via email to