Posted to commits@cordova.apache.org by ag...@apache.org on 2015/03/03 02:42:42 UTC
android commit: Split out `shouldAllowBridgeAccess` from
`shouldAllowNavigation`
Repository: cordova-android
Updated Branches:
refs/heads/master 1ad280db9 -> afdac9b41
Split out `shouldAllowBridgeAccess` from `shouldAllowNavigation`
This will allow a plugin to be created that allows iframes to be
navigated to, but disallows them from accessing the bridge.
Note: This isn't a configuration that we're planning on supporting with
the default whitelist plugin, but still does make sense to enable for
the experts in the room
Project: http://git-wip-us.apache.org/repos/asf/cordova-android/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-android/commit/afdac9b4
Tree: http://git-wip-us.apache.org/repos/asf/cordova-android/tree/afdac9b4
Diff: http://git-wip-us.apache.org/repos/asf/cordova-android/diff/afdac9b4
Branch: refs/heads/master
Commit: afdac9b413dc06ef63af9fb535f92bd5e1d257e9
Parents: 1ad280d
Author: Andrew Grieve <ag...@chromium.org>
Authored: Mon Mar 2 20:40:08 2015 -0500
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Mon Mar 2 20:40:08 2015 -0500
----------------------------------------------------------------------
.../src/org/apache/cordova/CordovaBridge.java | 2 +-
.../src/org/apache/cordova/CordovaPlugin.java | 12 +++++++++++-
.../src/org/apache/cordova/PluginManager.java | 19 +++++++++++++++++++
3 files changed, 31 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cordova-android/blob/afdac9b4/framework/src/org/apache/cordova/CordovaBridge.java
----------------------------------------------------------------------
diff --git a/framework/src/org/apache/cordova/CordovaBridge.java b/framework/src/org/apache/cordova/CordovaBridge.java
index b9c6098..7bc4a55 100644
--- a/framework/src/org/apache/cordova/CordovaBridge.java
+++ b/framework/src/org/apache/cordova/CordovaBridge.java
@@ -167,7 +167,7 @@ public class CordovaBridge {
else if (defaultValue != null && defaultValue.startsWith("gap_init:")) {
// Protect against random iframes being able to talk through the bridge.
// Trust only pages which the app would have been allowed to navigate to anyway.
- if (pluginManager.shouldAllowNavigation(origin)) {
+ if (pluginManager.shouldAllowBridgeAccess(origin)) {
// Enable the bridge
int bridgeMode = Integer.parseInt(defaultValue.substring(9));
jsMessageQueue.setBridgeMode(bridgeMode);
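Review bot: The comment directly above the changed condition still says "Trust only pages which the app would have been allowed to navigate to anyway", which is no longer what the check enforces once it calls `shouldAllowBridgeAccess(origin)`. Since this line is the gate that decides whether a frame may enable the exec() bridge, the comment should name the actual policy, for example `// Trust only origins that plugins approve for bridge access (by default, the same set as navigation).` The enclosing method starts and ends outside this hunk.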
http://git-wip-us.apache.org/repos/asf/cordova-android/blob/afdac9b4/framework/src/org/apache/cordova/CordovaPlugin.java
----------------------------------------------------------------------
diff --git a/framework/src/org/apache/cordova/CordovaPlugin.java b/framework/src/org/apache/cordova/CordovaPlugin.java
index 71bf5cd..c223f5c 100644
--- a/framework/src/org/apache/cordova/CordovaPlugin.java
+++ b/framework/src/org/apache/cordova/CordovaPlugin.java
@@ -192,7 +192,8 @@ public class CordovaPlugin {
}
/**
- * Hook for blocking navigation by the Cordova WebView.
+ * Hook for blocking navigation by the Cordova WebView. This applies both to top-level and
+ * iframe navigations.
*
* This will be called when the WebView's needs to know whether to navigate
* to a new page. Return false to block the navigation: if any plugin
@@ -205,6 +206,15 @@ public class CordovaPlugin {
}
/**
+ * Hook for allowing page to call exec(). By default, this returns the result of
+ * shouldAllowNavigation(). It's generally unsafe to allow untrusted content to be loaded
+ * into a CordovaWebView, even within an iframe, so it's best not to touch this.
+ */
+ public Boolean shouldAllowBridgeAccess(String url) {
+ return shouldAllowNavigation(url);
+ }
+
+ /**
* Hook for blocking the launching of Intents by the Cordova application.
*
* This will be called when the WebView will not navigate to a page, but
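Review bot: The new Javadoc on `shouldAllowBridgeAccess` does not document the return contract, although the boxed `Boolean` is deliberately tri-state: the PluginManager hunk in this commit treats `null` as "no opinion" and moves on to the next plugin. I would add `@param url the origin requesting the bridge` and `@return true to grant exec() access, false to deny it, or null to defer to other plugins`. The phrase "it's best not to touch this" should also say which direction is risky: an override that returns true for an origin navigation would reject exposes every plugin's exec() surface to that content. Whether the base `shouldAllowNavigation` itself returns null is not visible in this hunk.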
http://git-wip-us.apache.org/repos/asf/cordova-android/blob/afdac9b4/framework/src/org/apache/cordova/PluginManager.java
----------------------------------------------------------------------
diff --git a/framework/src/org/apache/cordova/PluginManager.java b/framework/src/org/apache/cordova/PluginManager.java
index 4d7c823..f850342 100755
--- a/framework/src/org/apache/cordova/PluginManager.java
+++ b/framework/src/org/apache/cordova/PluginManager.java
@@ -365,6 +365,25 @@ public class PluginManager {
return url.startsWith("file://");
}
+
+ /**
+ * Called when the webview is requesting the exec() bridge be enabled.
+ */
+ public boolean shouldAllowBridgeAccess(String url) {
+ for (PluginEntry entry : this.entryMap.values()) {
+ CordovaPlugin plugin = pluginMap.get(entry.service);
+ if (plugin != null) {
+ Boolean result = plugin.shouldAllowBridgeAccess(url);
+ if (result != null) {
+ return result;
+ }
+ }
+ }
+
+ // Default policy:
+ return url.startsWith("file://");
+ }
+
/**
* Called when the webview is going not going to navigate, but may launch
* an Intent for an URL.
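Review bot: In the new `PluginManager.shouldAllowBridgeAccess`, the first plugin that returns a non-null value decides the outcome, so a plugin returning `true` overrides a later plugin's `false`, and the result depends on the iteration order of `entryMap`. For a gate that controls access to exec(), an explicit deny from any plugin should take precedence, which is also how the `CordovaPlugin` Javadoc for the navigation hook reads ("Return false to block the navigation: if any plugin..."). The loop appears to duplicate the one in `shouldAllowNavigation` (only its tail is visible here), so the same question likely applies there. Also note that `url.startsWith` will throw if the origin is ever null; whether callers guarantee non-null is not visible in this hunk. A deny-wins sketch:

```java
public boolean shouldAllowBridgeAccess(String url) {
    boolean allowed = false;
    // … unchanged: loop over entryMap, plugin lookup and null check …
            Boolean result = plugin.shouldAllowBridgeAccess(url);
            if (Boolean.FALSE.equals(result)) {
                return false; // an explicit deny from any plugin wins
            }
            if (result != null) {
                allowed = true;
            }
    // … unchanged: end of loop …

    // Default policy applies only when no plugin expressed an opinion.
    return allowed || url.startsWith("file://");
}
```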