Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2020/12/16 01:23:16 UTC

[GitHub] [cordova-plugin-whitelist] schmich commented on issue #49: allow iframe without allow-navigation="*" breaking app security & links

schmich commented on issue #49:
URL: https://github.com/apache/cordova-plugin-whitelist/issues/49#issuecomment-745702027


@vinidumbre Unfortunately, there hasn't been any response or movement on this issue from the Cordova team. We went with Option 3 that I described above since it had the best trade-offs for us. We are just more careful now when integrating third-party libraries.

So far, this approach has worked well and we haven't had any issues. It's not a perfect solution, but you can do more research to be more confident about your changes:

- Look at the documentation for the external video player and see if they mention what iframes/URLs get injected
- Look for the library's [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) requirements. In a strict CSP setting, loading an arbitrary iframe fails, so some libraries will document what CSP settings are needed for their library to work (e.g. [frame-src settings](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src)). For example, if you use Google Tag Manager, they have a [page for their CSP requirements](https://developers.google.com/tag-manager/web/csp) which has URLs that you could include as `<allow-navigation/>` in `config.xml`.
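The second bullet above describes a manual step: read the library's documented CSP, take the `frame-src` sources, and turn them into `<allow-navigation>` entries. The script below is an added example (not from this thread or the Cordova project) that automates that mapping and, more importantly, refuses to emit anything equivalent to `allow-navigation="*"`, which is the widening the issue title warns against. It assumes Cordova `href` patterns take the form `scheme://host/*` (origin-level; any path restriction in the CSP is dropped), that scheme-less CSP hosts should be treated as `https`, and that the CSP fallback chain for frames is `frame-src`, then `child-src`, then `default-src`. The sample CSP string is constructed.

```python
"""Turn a library's documented CSP frame-src into Cordova <allow-navigation> entries.

Added example, not part of the issue thread or the Cordova project. Assumptions:
- Cordova allow-navigation href patterns look like "https://*.example.com/*".
- Scheme-less CSP host-sources are treated as https.
- Entries derived from a third-party library must never widen to "*" or a bare scheme.
"""
import re
from xml.sax.saxutils import quoteattr

# Frame loads fall back along this chain when a directive is absent (CSP Level 3).
FRAME_DIRECTIVE_CHAIN = ("frame-src", "child-src", "default-src")

# 'self', 'none', 'nonce-...', 'sha256-...' are keywords, never a host we could list.
_KEYWORD_RE = re.compile(r"^'.*'$")
# Scheme-only sources such as "https:" or "data:" match any host with that scheme.
_SCHEME_ONLY_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)


class WidensToEverything(ValueError):
    """The library's CSP would need access equivalent to allow-navigation="*"."""


def parse_csp(header: str) -> dict:
    """Parse a CSP header string into {directive_name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def frame_sources(policy: dict) -> list:
    """Return the source list that actually governs <iframe> loads."""
    for name in FRAME_DIRECTIVE_CHAIN:
        if name in policy:
            return policy[name]
    return []


def to_allow_navigation_href(source: str):
    """Map one CSP host-source to a Cordova href pattern, or None if it is not a host.

    Raises WidensToEverything for "*" or scheme-only sources: listing those in
    config.xml is the same as allow-navigation="*".
    """
    if _KEYWORD_RE.match(source):
        return None                        # keyword/nonce/hash: nothing to list
    if source == "*" or _SCHEME_ONLY_RE.match(source):
        raise WidensToEverything(f"CSP source {source!r} would allow any origin")
    if "://" not in source:
        source = "https://" + source       # assumption: scheme-less hosts are https
    scheme, _, rest = source.partition("://")
    host, _, _path = rest.partition("/")   # path restrictions are dropped (origin-level)
    if host in ("", "*"):
        raise WidensToEverything(f"CSP source {source!r} would allow any host")
    return f"{scheme}://{host}/*"


def config_xml_entries(header: str) -> list:
    """Return <allow-navigation> lines for config.xml, one per distinct origin."""
    hrefs = []
    for src in frame_sources(parse_csp(header)):
        href = to_allow_navigation_href(src)
        if href and href not in hrefs:
            hrefs.append(href)
    return [f"<allow-navigation href={quoteattr(h)} />" for h in hrefs]


# Constructed sample: the kind of CSP a video-player vendor might document.
SAMPLE_CSP = (
    "default-src 'self'; "
    "frame-src 'self' https://player.example-video.test *.cdn.example-video.test:443; "
    "script-src 'self' 'nonce-abc123'"
)

if __name__ == "__main__":
    for line in config_xml_entries(SAMPLE_CSP):
        print(line)
    try:
        config_xml_entries("frame-src *")
    except WidensToEverything as err:
        print("refused:", err)
```

Run it against the CSP the vendor publishes; if it raises `WidensToEverything`, the library cannot be allowed without the wildcard this issue is about, and that is the point at which to choose a different library or a different option rather than widen `config.xml`.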

