[jira] [Commented] (CB-10709) Allow-navigation rule for iFrame urls on cordova-ios

Thu, 30 Jun 2016 16:31:40 -0700 

    [ 
https://issues.apache.org/jira/browse/CB-10709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15358043#comment-15358043
 ] 

Shazron Abdullah commented on CB-10709:
---------------------------------------

The doc says <allow-navigation> "Controls which URLs the WebView itself can be 
navigated to. Applies to top-level navigations only." Reference: 
https://github.com/apache/cordova-plugin-whitelist#navigation-whitelist

This would mean that this a bug in iOS, if it follows the whitelist for 
iframes, since that is not a top-level navigation w.r.t Cordova.

Naïvely detecting the iframe would be to compare the NSURLRequest URL property 
with its mainDocumentURL property. For iframes, those two properties would 
*not* be equal. If we can detect iframes reliably, this can be fixed.

> Allow-navigation rule for iFrame urls on cordova-ios
> ----------------------------------------------------
>
>                 Key: CB-10709
>                 URL: https://issues.apache.org/jira/browse/CB-10709
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 6.0.0
>            Reporter: Harsha Kiran
>            Assignee: Shazron Abdullah
>              Labels: cordova-ios-4.1.1, triaged
>
> Currently with Whitelist plugin set to <allow-navigation="*://domain.com/*"> 
> doesn't allow navigation to other domains including urls embedded using 
> iframe on iOS.
> EG: If I tried to embed a youtube video using iframe tag with only this rule  
> <allow-navigation="*://domain.com/*">, it doesn't allow loading of the video 
> in iframe as youtube.com is not listed in allowed domains.
> If we add <allow-navigation="*://youtube.com/*"> it allows the loading of 
> iframe but will also allow navigation to youtube.com using Javascript i.e 
> window.open('http://youtube.com'). 
> With current implementation in cordova-ios, I'm not sure if there is any 
> solution to allow a domain navigation in iframe and not allow navigation to 
> that domain using other methods like javascript.
> Android ignores the allow-navigation rule for iframe loaded urls, so iOS 
> should be modified to behave the same?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to