Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2022/05/17 19:39:15 UTC

[GitHub] [cordova-android] breautek commented on issue #1080: Security issue with setAcceptFileSchemeCookies

breautek commented on issue #1080:
URL: https://github.com/apache/cordova-android/issues/1080#issuecomment-1129246969

   I believe this is only used in the current version of Cordova if `AndroidInsecureFileModeEnabled` is set to true, which makes Cordova not use the `WebViewAssetLoader` system and return to the original file-based system.
   
   By default, Cordova will use the `WebViewAssetLoader` and file system paths are disabled, as recommended by Google, which renders the use of this flag obsolete even if it is used unconditionally (I believe).
   
   While potentially insecure (by potentially leaking data), it is required for users using `AndroidInsecureFileModeEnabled` and depends on the use of cookies. The configuration is opt-in and I think the name speaks for itself that developers are opting into an insecure method.
   
   Eventually Cordova will completely drop support for file-based webview assets and force `WebViewAssetLoader`, and when that does happen we'll be able to remove `setAcceptFileSchemeCookies`. I'll also reiterate that I believe this is only an issue if you have `AndroidInsecureFileModeEnabled` enabled.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
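
Added example, not part of the original comment and not Cordova project code: a small audit check that reports whether a Cordova `config.xml` opts into `AndroidInsecureFileModeEnabled`, the condition the comment above ties the issue to. The function names and the sample configs are constructed for illustration; matching the preference name case-insensitively and treating any `true` occurrence as an opt-in are conservative assumptions of this check.

```python
import xml.etree.ElementTree as ET

PREF = "androidinsecurefilemodeenabled"  # compared case-insensitively (assumption)

# Constructed sample configs, not taken from any real project.
OPT_IN_CONFIG = """
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <preference name="AndroidInsecureFileModeEnabled" value="false" />
  <platform name="android">
    <preference name="AndroidInsecureFileModeEnabled" value="TRUE" />
  </platform>
</widget>
"""
IOS_ONLY_CONFIG = """
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <platform name="ios">
    <preference name="AndroidInsecureFileModeEnabled" value="true" />
  </platform>
</widget>
"""

def local(tag):
    """Drop an XML namespace prefix such as {http://www.w3.org/ns/widgets}."""
    return tag.rsplit("}", 1)[-1]

def find_opt_in(config_xml):
    """Return (scope, value) for each occurrence that can apply to Android."""
    root = ET.fromstring(config_xml.strip())
    found = []

    def collect(parent, scope):
        for el in parent:
            if local(el.tag) == "preference" and el.get("name", "").lower() == PREF:
                found.append((scope, el.get("value", "").strip()))

    collect(root, "global")  # preferences directly under <widget>
    for el in root:
        if local(el.tag) == "platform" and el.get("name", "").lower() == "android":
            collect(el, "android")  # preferences scoped to the Android platform
    return found

def uses_insecure_file_mode(config_xml):
    """Conservative: any applicable occurrence set to true counts as an opt-in."""
    return any(value.lower() == "true" for _, value in find_opt_in(config_xml))

if __name__ == "__main__":
    for label, cfg in (("opt-in", OPT_IN_CONFIG), ("ios-only", IOS_ONLY_CONFIG)):
        print(label, uses_insecure_file_mode(cfg), find_opt_in(cfg))
```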

