You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cordova.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/07/04 04:07:34 UTC
[jira] [Commented] (CB-5988) Allow the Android exec() to be used
only by 's domain
[ https://issues.apache.org/jira/browse/CB-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052092#comment-14052092 ]
ASF subversion and git services commented on CB-5988:
-----------------------------------------------------
Commit aab47bd4532bfe8707d745638eb5695ac543c681 in cordova-android's branch refs/heads/master from [~agrieve]
[ https://git-wip-us.apache.org/repos/asf?p=cordova-android.git;h=aab47bd ]
CB-5988 Allow exec() only from file: or start-up URL's domain
Uses prompt() to validate the origin of the calling JS.
This change also simplifies the start-up logic by explicitly disabling
the bridge during page transitions and explictly enabling it when the
JS asks for the bridgeSecret.
We now wait to fire onNativeReady in JS until the bridge is initialized.
It is therefore safe to delete the queue-clear/new exec race condition
code that was in PluginManager.
> Allow the Android exec() to be used only by <content>'s domain
> --------------------------------------------------------------
>
> Key: CB-5988
> URL: https://issues.apache.org/jira/browse/CB-5988
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Reporter: Andrew Grieve
> Assignee: Andrew Grieve
>
> Discussion: http://markmail.org/thread/yohym3xqomjp4a64
> Add a random number to exec() to increase its security.
> Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn't match that of content (with file:/// always being allowed).
--
This message was sent by Atlassian JIRA
(v6.2#6252)