Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2021/10/17 00:45:54 UTC

[GitHub] [cordova-plugin-whitelist] schmich commented on issue #49: allow iframe without allow-navigation="*" breaking app security & links

schmich commented on issue #49:
URL: https://github.com/apache/cordova-plugin-whitelist/issues/49#issuecomment-944630990


   **Update:** We have finally hit an issue with this approach with the Pinterest Tag.
   
   We load the Pinterest Tag in the standard way by loading `https://s.pinimg.com/ct/core.js`. This has worked fine for a while now without needing any special `<allow-navigation/>` settings in our iOS Cordova app. Unfortunately, it looks like Pinterest has changed the way their tag works. We load `https://s.pinimg.com/ct/core.js` which then loads `https://s.pinimg.com/ct/lib/main.e7fd5392.js` (or similar) which uses something called `epik_localstore` which loads `https://www.pinterest.com/ct.html` in an iframe on the page, which I don't believe it was doing before.
   
   Now, when a user opens our app, they get immediately booted out into Safari with a blank Pinterest page pointed at https://www.pinterest.com/ct.html. Obviously a terrible experience.
   
   I did call this out as a caveat in Option 3 above:
   
   > If they change the iframe URL or if any of our other imported dependencies (FB/IG/Snapchat/Pinterest ads, other libraries) adds an iframe element of their own, we regress back to our original problem of the iframe URL abruptly loading in a new browser session outside of the app
   
   The fact that this changed from underneath us by a third party leaves us with a bad taste. For now, we are just excluding a lot of tags from our app entirely, but I really wish this use case would be addressed by the Cordova team as I outlined above.


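The regression reported in this comment came from a third-party tag starting to inject an iframe (`https://www.pinterest.com/ct.html`) that the app had not accounted for. The following is an added example, not part of the original comment or of Cordova's code: it flags iframes whose origin is outside an app-maintained allow-list, so a test or staging build can surface such a change. `ALLOWED_FRAME_ORIGINS`, `app.example.com` and all function names are assumptions, and the check is a plain origin comparison, not Cordova's `<allow-navigation/>` matching.

```javascript
// Constructed allow-list of origins the app is prepared to frame (assumption).
const ALLOWED_FRAME_ORIGINS = new Set(['https://app.example.com']);

// Classify one iframe src against the allow-list; relative URLs resolve against baseUrl.
function classifyFrameSrc(src, baseUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  if (!src || src === 'about:blank') {
    return { url: src || '', origin: null, allowed: true, reason: 'no-navigation' };
  }
  let url;
  try {
    url = new URL(src, baseUrl);
  } catch (e) {
    return { url: src, origin: null, allowed: false, reason: 'unparseable' };
  }
  const ok = allowed.has(url.origin);
  return { url: url.href, origin: url.origin, allowed: ok,
           reason: ok ? 'allow-listed' : 'origin-not-allow-listed' };
}

// Audit a batch of frame URLs (e.g. collected from a staging build); keep the violations.
function auditFrames(srcs, baseUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  return srcs.map((s) => classifyFrameSrc(s, baseUrl, allowed)).filter((r) => !r.allowed);
}

// Browser-side hook: report iframes that scripts add, or re-point, after page load.
function watchInjectedFrames(doc, baseUrl, report) {
  const checkFrame = (frame) => {
    const result = classifyFrameSrc(frame.getAttribute('src'), baseUrl);
    if (!result.allowed) report(result);
  };
  const checkNode = (node) => {
    if (node.nodeType !== 1) return; // elements only
    if (node.tagName === 'IFRAME') checkFrame(node);
    node.querySelectorAll('iframe').forEach(checkFrame);
  };
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes') checkNode(m.target);
      else m.addedNodes.forEach(checkNode);
    }
  });
  observer.observe(doc.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src'],
  });
  return observer;
}
```

The observer only reports; it does not stop the webview from acting on the frame's navigation, so it is a detection aid for catching a changed dependency before release.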