[jira] [Commented] (CB-11270) [QUESTION] Is whitelist intent filter working as intended?

Wed, 08 Jun 2016 18:35:03 -0700 

    [ 
https://issues.apache.org/jira/browse/CB-11270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15321752#comment-15321752
 ] 

Shazron Abdullah commented on CB-11270:
---------------------------------------

Broadly, <allow-intent> is for: "Controls which URLs the app is allowed to ask 
the system to open."

Just on that intent, and for backwards compat., I would say: Yes they should be 
allowed.

The problem I had (if I recall) with UIWebViewNavigationTypeOther (any 
javascript click) is I couldn't be sure what type of navigation it is, whether 
it was user initiated (which UIWebViewNavigationTypeLinkClicked is for sure) 
like the second interaction, or programmatically done  -- which is another 
issue, perhaps security wise (scripts (ads?) could spam the system, for example 
open N Safari windows in rapid succession)

But perhaps my concern is too narrow, and that's not the role of this tag -- 
should we allow every kind of interaction? 




> [QUESTION] Is whitelist intent filter working as intended?
> ----------------------------------------------------------
>
>                 Key: CB-11270
>                 URL: https://issues.apache.org/jira/browse/CB-11270
>             Project: Apache Cordova
>          Issue Type: Improvement
>          Components: iOS
>            Reporter: Tony Homer
>            Assignee: Shazron Abdullah
>
> In 3.8.0, given an intent directive like 
> {code}
> <allow-intent href="tel:*" />
> {code}
> , interacting with any of the following elements would result in tel: 
> requests that would all be allowed:
> {code}
> <a id="tel-button" href="tel:777777777">do tel with a.href</a>
> <a id="tel-a-onclick" onclick="document.location.href='tel:777777777';">do 
> tel with a.onclick</a>
> <button id="tel-button" onclick="document.location.href='tel:777777777';">do 
> tel with button.onclick</button>
> {code}
> However, in 4.1.1, only the first interaction will be allowed.
> This is because intent directives are only applied to the 
> UIWebViewNavigationTypeLinkClicked navigationType (the navigationType for the 
> second and third examples is UIWebViewNavigationTypeOther).
> Is this working as intended?
> It seems that either the whitelist intent filter in 4+ is not working as 
> intended or, if working as intended, the documentation should be improved to 
> spell out this case.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to