You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cordova.apache.org by "Jakob Hormann (JIRA)" <ji...@apache.org> on 2016/10/31 13:59:58 UTC

[jira] [Commented] (CB-10709) Allow-navigation rule for iFrame urls on cordova-ios

    [ https://issues.apache.org/jira/browse/CB-10709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15622223#comment-15622223 ] 

Jakob Hormann commented on CB-10709:
------------------------------------

Hello everyone. I wanted to ask how much of chance there is to get this issue fixed some time soon.
It would really help a lot to make iOS apps more secure while allowing all sorts of embedded iframes from Twitter, Instagram etc.

Android works perfectly well setting
{code:xml}<allow-navigation href="file://*"/>{code}
along with
{code:xml}<allow-intent href="*"/>{code}

In iOS it prevents iframes with http(s) sources etc. See original post.

Thanks!

> Allow-navigation rule for iFrame urls on cordova-ios
> ----------------------------------------------------
>
>                 Key: CB-10709
>                 URL: https://issues.apache.org/jira/browse/CB-10709
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 6.0.0
>            Reporter: Harsha Kiran
>            Assignee: Shazron Abdullah
>              Labels: cordova-ios-4.1.1, triaged
>
> Currently with Whitelist plugin set to <allow-navigation="*://domain.com/*"> doesn't allow navigation to other domains including urls embedded using iframe on iOS.
> EG: If I tried to embed a youtube video using iframe tag with only this rule  <allow-navigation="*://domain.com/*">, it doesn't allow loading of the video in iframe as youtube.com is not listed in allowed domains.
> If we add <allow-navigation="*://youtube.com/*"> it allows the loading of iframe but will also allow navigation to youtube.com using Javascript i.e window.open('http://youtube.com'). 
> With current implementation in cordova-ios, I'm not sure if there is any solution to allow a domain navigation in iframe and not allow navigation to that domain using other methods like javascript.
> Android ignores the allow-navigation rule for iframe loaded urls, so iOS should be modified to behave the same?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org