[
https://issues.apache.org/jira/browse/CB-11868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15946234#comment-15946234
]
Jesse MacFadyen commented on CB-11868:
--------------------------------------
The allow intent + allow navigation tags define what can be loaded by the
application's root webview.
InAppBrowser can and SHOULD be allowed to open any site on the internet, and
be able to do it safely without affecting the rest of your application. This is
the entire goal of InAppBrowser.
If you would like to limit the pages that the IAB can go to, just watch for the
loadstart event, and if you don't approve just close it.
{code}
var ref = cordova.InAppBrowser.open('http://apache.org', '_blank',
'location=yes');
ref.addEventListener('loadstart', function(event) { alert(event.url); });
{code}
> inappbrowser overrides window.open and doesn't follow allow-intent and
> allow-navigation restrictions
> ----------------------------------------------------------------------------------------------------
>
> Key: CB-11868
> URL: https://issues.apache.org/jira/browse/CB-11868
> Project: Apache Cordova
> Issue Type: Bug
> Components: Plugin InAppBrowser
> Affects Versions: 3.5.0
> Environment: android
> Reporter: Mladen Petrovic
> Priority: Critical
> Labels: security
>
> InAppBrowser doesn't follow allow-intent and allow-navigation meta tags only
> in Android.
> It also overrides default window.open(uri, '_self');
> So when I allow only some URLs to be allowed like this:
> <allow-navigation href="http://google.com/" />
> <allow-intent href="http://google.com" />
> I can successfully open yahoo.com via window.open('yahoo.com', '_self');
> But if I remove the InAppBrowser plugin then it follows the restriction and will only
> open google.com
> This happens only in Android, not in iOS.
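The loadstart check suggested in the comment above, carried through to the "close it" step, as an added example that is not part of the original thread or of the Cordova project's code. The names `ALLOWED_ORIGINS`, `isApprovedUrl` and `guardInAppBrowser` are hypothetical, the origin list is a constructed sample, and the WebView is assumed to provide the standard `URL` constructor.

```javascript
// Added example: allowlist enforcement for an InAppBrowser window.
// ALLOWED_ORIGINS is a constructed sample; replace it with your own origins.
const ALLOWED_ORIGINS = ['http://apache.org', 'https://apache.org'];

// True only when the URL parses and its scheme+host+port exactly matches an
// allowed origin. Prefix or substring checks are not enough: they would accept
// "http://apache.org.example.net/" or "http://apache.org@other.example/".
function isApprovedUrl(rawUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return false; // relative or malformed input such as 'yahoo.com'
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return false; // rejects javascript:, file:, data: and custom schemes
  }
  return allowedOrigins.indexOf(parsed.origin) !== -1;
}

// Attach to the reference returned by cordova.InAppBrowser.open().
// Returns the array that collects rejected URLs so the app can log them.
function guardInAppBrowser(ref, allowedOrigins) {
  const rejected = [];
  ref.addEventListener('loadstart', function (event) {
    if (!isApprovedUrl(event.url, allowedOrigins)) {
      rejected.push(event.url);
      ref.close(); // not approved: close the InAppBrowser window
    }
  });
  return rejected;
}

// Usage inside a Cordova app, after deviceready:
// var ref = cordova.InAppBrowser.open('http://apache.org', '_blank', 'location=yes');
// guardInAppBrowser(ref, ALLOWED_ORIGINS);
```

`loadstart` reports a navigation that has already begun, so this closes the window in response to it rather than filtering requests beforehand.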