[
https://issues.apache.org/jira/browse/CB-10709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15359537#comment-15359537
]
Shazron Abdullah commented on CB-10709:
---------------------------------------
Sorry I have to walk back what I said, after conferring with a colleague. My
focus was also on making this "backwards compatible" with the previous version,
but the previous version had it wrong.
iframes *should* be governed by the whitelist. Any page loaded by the iframe,
if they include cordova.js, can access your plugins, which opens up a huge
hole. Therefore, in this case iOS is doing the correct thing while Android is
not.
So now what we really need is <allow-navigation> for iframes only. I'm not sure
if its possible on Android but on cordova-ios, it is possible if we add another
attribute for example, cleverly called "iframe", and the allow-navigation
directive would only apply to iframes. This is of course still dependent on
cordova-ios being able to detect iframes reliably.
{code}
<allow-navigation href="http://youtube.com"; iframe="true" />
{code}
> Allow-navigation rule for iFrame urls on cordova-ios
> ----------------------------------------------------
>
> Key: CB-10709
> URL: https://issues.apache.org/jira/browse/CB-10709
> Project: Apache Cordova
> Issue Type: Bug
> Components: iOS
> Affects Versions: 6.0.0
> Reporter: Harsha Kiran
> Assignee: Shazron Abdullah
> Labels: cordova-ios-4.1.1, triaged
>
> Currently with Whitelist plugin set to <allow-navigation="*://domain.com/*">
> doesn't allow navigation to other domains including urls embedded using
> iframe on iOS.
> EG: If I tried to embed a youtube video using iframe tag with only this rule
> <allow-navigation="*://domain.com/*">, it doesn't allow loading of the video
> in iframe as youtube.com is not listed in allowed domains.
> If we add <allow-navigation="*://youtube.com/*"> it allows the loading of
> iframe but will also allow navigation to youtube.com using Javascript i.e
> window.open('http://youtube.com').
> With current implementation in cordova-ios, I'm not sure if there is any
> solution to allow a domain navigation in iframe and not allow navigation to
> that domain using other methods like javascript.
> Android ignores the allow-navigation rule for iframe loaded urls, so iOS
> should be modified to behave the same?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
