[
https://issues.apache.org/jira/browse/CB-10709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15356846#comment-15356846
]
Sebastien Lorber edited comment on CB-10709 at 6/30/16 10:01 AM:
-----------------------------------------------------------------
We also have this issue since 4.x platform upgrade
[~harshabonthu] just to understand, on iOS you want to embed youtube video
iframes, but prevent links to navigate to youtube page right?
If my app is a single page app and I have a strict control over the links that
are displayed (most of them are for app routing, or using target="_system" with
InAppBrowser), does it make sense to use {code}<allow-navigation href="*"
/>{code} as a workaround for this issue? or can it lead to any other security
issue?
was (Author: sebastienlorber):
We also have this issue since 4.x platform upgrade
[~harshabonthu] just to understand, on iOS you want to embed youtube video
iframes, but prevent links to navigate to youtube page right?
If my app is a single page app and I have a strict control over the links that
are displayed (most of them are for app routing, or using target="_system" with
InAppBrowser), does it make sense to use {code}<allow-navigation href="*"
/>{code} as a workaround for this issue?
> Allow-navigation rule for iFrame urls on cordova-ios
> ----------------------------------------------------
>
> Key: CB-10709
> URL: https://issues.apache.org/jira/browse/CB-10709
> Project: Apache Cordova
> Issue Type: Bug
> Components: iOS, Plugin Whitelist
> Affects Versions: 6.0.0
> Reporter: Harsha Kiran
> Labels: cordova-ios-4.1.1, triaged
>
> Currently with Whitelist plugin set to <allow-navigation="*://domain.com/*">
> doesn't allow navigation to other domains including urls embedded using
> iframe on iOS.
> EG: If I tried to embed a youtube video using iframe tag with only this rule
> <allow-navigation="*://domain.com/*">, it doesn't allow loading of the video
> in iframe as youtube.com is not listed in allowed domains.
> If we add <allow-navigation="*://youtube.com/*"> it allows the loading of
> iframe but will also allow navigation to youtube.com using Javascript i.e
> window.open('http://youtube.com').
> With current implementation in cordova-ios, I'm not sure if there is any
> solution to allow a domain navigation in iframe and not allow navigation to
> that domain using other methods like javascript.
> Android ignores the allow-navigation rule for iframe loaded urls, so iOS
> should be modified to behave the same?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org
