Posted to issues@cordova.apache.org by "Marcel Kinard (JIRA)" <ji...@apache.org> on 2014/01/09 23:15:50 UTC

[jira] [Commented] (CB-3576) Add support for self-signed SSL certificates in InAppBrowser

    [ https://issues.apache.org/jira/browse/CB-3576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13867160#comment-13867160 ] 

Marcel Kinard commented on CB-3576:
-----------------------------------

I had a reason to review this today for someone else that was asking for it in CordovaWebView who was using Cordova 2.6. On Android, using debuggable="true" in AndroidManifest.xml will silently enable self-signed certs in the CordovaWebView. This allows devs to use self-signed certs before production. (Not sure if the other platforms have something similar.) If this request is to get InAppBrowser to have the same behavior, then that sounds reasonable. I don't see an implementation of onReceivedSslError() in Android's InAppBrowser.

However if the request is to have a config that causes the webviews to silently accept all self-signed certs in production, I don't think that is reasonable. Otherwise we would be giving you ammunition to shoot yourself in the foot, and parts that are further up.

I understand this comes up frequently in enterprises. I live every day in a large enterprise with a huge intranet. IMHO, if the network is trusted then just use http. If the network isn't trusted, then using a self-signed cert opens you up to man-in-the-middle attacks, in which case the communication isn't secure - it's a misleading use of SSL. If you are serious about security, spending around US$500 on a CA-signed cert is part of the cost of going into production.

Andrew's suggestion above about using an interstitial for user confirmation (non-silent) of self-signed certs to get PC-browser-like behavior may be reasonable. Anything more silent than that I don't think is reasonable. So I will change the title of this Jira item to "interstitial". Otherwise I'd be tempted to close this as "won't implement". I will also open a new related Jira item to add the same non-production behavior to InAppBrowser as exists in CordovaWebView.

> Add support for self-signed SSL certificates in InAppBrowser
> -----------------------------------------------------------
>
>                 Key: CB-3576
>                 URL: https://issues.apache.org/jira/browse/CB-3576
>             Project: Apache Cordova
>          Issue Type: Improvement
>          Components: Android, iOS, Plugin InAppBrowser
>    Affects Versions: 2.7.0, 2.8.0
>         Environment: Android and iOS
>            Reporter: Montyleena
>            Priority: Minor
>              Labels: android, https, inappbrowser, ios, ssl
>         Attachments: InAppBrowser.java
>
>
> Local https links are blocked by default in InAppBrowser (links using a local SSL certificate which can't be verified by a 3rd party). Ideally, the user should be given an option to proceed or cancel the request like the default desktop/mobile browsers do.
> Right now, we have to overwrite the following API in Android to access such URLs but onReceivedSslError() function gets called only for the main PhoneGap window browser and not for InAppBrowser.
> Create a new class:
> import android.net.http.SslError;
> import android.util.Log;
> import android.webkit.SslErrorHandler;
> import android.webkit.WebView;
> import org.apache.cordova.CordovaWebViewClient;
> import org.apache.cordova.DroidGap;
>
> public class CustomWebViewClient extends CordovaWebViewClient {
>
>     public static final String LOG_TAG = "Plugin";
>
>     public CustomWebViewClient(DroidGap ctx) {
>         super(ctx);
>         Log.d(LOG_TAG, "Constructor!");
>     }
>
>     // Called for every SSL error in the main web view; accepts the connection
>     // regardless of the kind of error (self-signed, expired, name mismatch, ...).
>     @Override
>     public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
>         handler.proceed();
>     }
> }
> In the main class, we use our custom class as a web view client:
> CordovaWebViewClient webViewClient = new CustomWebViewClient(this);
> webViewClient.setWebView(this.appView);
> this.appView.setWebViewClient(webViewClient);
> And similar type of code needs to be written for iOS.
> InAppBrowser should pick up the SSL settings from the main web view and once we overwrite the onReceivedSslError() function, then it should allow such URLs in the InAppBrowser too.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
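Marcel's comment above describes the two behaviours he considers acceptable: silently accepting untrusted certificates only while the app is debuggable, and otherwise an interstitial that lets the user decide. The following WebViewClient is an added example, not Cordova's code or the reporter's; the class name, the `interstitial` flag and the assumption that `context` is an Activity are mine. Unlike the quoted `CustomWebViewClient`, it never proceeds silently in a release build:

```java
import android.app.AlertDialog;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical client: debuggable builds behave like the CordovaWebView described
// in the comment; release builds either cancel or ask the user (interstitial).
public class GuardedSslWebViewClient extends WebViewClient {
    private static final String LOG_TAG = "GuardedSsl";
    private final Context context;          // assumed to be the hosting Activity
    private final boolean interstitial;     // true = prompt the user, false = always cancel

    public GuardedSslWebViewClient(Context context, boolean interstitial) {
        this.context = context;
        this.interstitial = interstitial;
    }

    // True only when AndroidManifest.xml sets android:debuggable="true".
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // Log every certificate failure so it is visible during development and QA.
        Log.w(LOG_TAG, "SSL error " + error.getPrimaryError() + " for " + error.getUrl());
        if (isDebuggable(context)) {
            handler.proceed();           // development convenience only, never in release builds
            return;
        }
        if (!interstitial) {
            handler.cancel();            // production default: refuse the connection
            return;
        }
        // Interstitial: the user sees the failing host and decides; the handler is
        // answered exactly once, including when the dialog is dismissed.
        new AlertDialog.Builder(context)
            .setTitle("Untrusted certificate")
            .setMessage("The certificate for " + error.getUrl()
                    + " could not be verified. Continue anyway?")
            .setPositiveButton("Continue", (d, w) -> handler.proceed())
            .setNegativeButton("Cancel", (d, w) -> handler.cancel())
            .setOnCancelListener(d -> handler.cancel())
            .show();
    }
}
```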