Posted to dev@cordova.apache.org by de...@orange.com on 2013/01/07 10:17:33 UTC

Iframe security

Hi all,

I would like to know your opinion about iframe support in Cordova
especially on Android. I think the support of iframe can cause security
issues for two reasons:

- White list mechanism settled by Cordova becomes ineffective
because navigation is made into iframe so the webview does not control
the current url loaded inside the iframe

- Native APIs are not only exposed to the page loaded in the
webview, even the iframes can access native APIs which breaks the
same origin policy implemented in browsers

That basically means some attackers can interact with native code in
unintended ways. This problem is not specific to Cordova, it is a
general problem of addJavascriptInterface method of webview.

It is even explained in the webview's javadoc
http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.

The usage of iframe just makes it more obvious.

So, I want to know your opinion about all of this:

- Have you tried to figure out a way to improve security about
this (maybe by sharing a secret between the webview and native code to
prevent unknown sources from accessing native code)?

- Do you think this point should be outlined in Cordova
documentation?

Thx

Denis
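
The shared-secret idea raised in the message above, modelled as a small Node.js simulation (an added example, not part of the original thread and not Cordova's code). `NativeBridge`, `issueSecret`, `exec`, the sample origins and the assumption that the native side can tell which frame is asking for the secret are all hypothetical.

```javascript
// Added illustration: models the "shared secret" idea in plain Node.js.
// NativeBridge, issueSecret and exec are hypothetical names, not Cordova APIs.
const { randomBytes, timingSafeEqual } = require('node:crypto');

class NativeBridge {
  constructor(allowedOrigins) {
    this.allowedOrigins = new Set(allowedOrigins);
    this.secret = null; // no secret issued yet: every call is refused
  }

  // Assumption: the native side knows the origin of the requesting frame and
  // whether it is the top-level document. A fresh secret is minted per page load.
  issueSecret(origin, isTopLevel) {
    if (!isTopLevel || !this.allowedOrigins.has(origin)) return null;
    this.secret = randomBytes(32);
    return this.secret.toString('hex');
  }

  // Every native call must present the current secret.
  exec(presented, service, action) {
    const given = Buffer.from(typeof presented === 'string' ? presented : '', 'hex');
    if (!this.secret || given.length !== this.secret.length ||
        !timingSafeEqual(given, this.secret)) {
      return { ok: false, error: 'bridge secret missing or wrong' };
    }
    return { ok: true, dispatched: `${service}.${action}` };
  }
}

// Constructed scenario: a whitelisted app page that embeds a third-party iframe.
function runScenario() {
  const bridge = new NativeBridge(['https://app.example']);
  const pageSecret = bridge.issueSecret('https://app.example', true);
  const frameSecret = bridge.issueSecret('https://ads.example', false);
  const results = {
    frameGotSecret: frameSecret !== null,
    pageCall: bridge.exec(pageSecret, 'Contacts', 'find').ok,
    frameCallNoSecret: bridge.exec(undefined, 'Contacts', 'find').ok,
    frameCallGuess: bridge.exec('00'.repeat(32), 'Contacts', 'find').ok,
  };
  // Reloading the top-level page rotates the secret, so a leaked one goes stale.
  bridge.issueSecret('https://app.example', true);
  results.staleSecretCall = bridge.exec(pageSecret, 'Contacts', 'find').ok;
  return results;
}

console.log(runScenario());
```

The check only helps if the secret lives where the embedded frame cannot read it, which the same-origin policy gives for cross-origin frames but not for same-origin ones.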

 


Re: Iframe security

Posted by Michael Brooks <mi...@michaelbrooks.ca>.
Good call Brian.

The PhoneGap wiki is meant to act as a staging ground for documentation
that could eventually make its way into our officially supported Apache
Cordova documentation.

Michael

On Wed, Jan 9, 2013 at 1:55 PM, Brian LeRoux <b...@brian.io> wrote:

> Some of this could be re-purposed there:
> https://github.com/phonegap/phonegap/wiki/Platform-Security
>
> On Wed, Jan 9, 2013 at 1:41 PM, Michael Brooks <mi...@michaelbrooks.ca>
> wrote:
> > Let's just create a parent section called "Security", with sub-articles of
> > "Domain Whitelist" and "iFrame Security" (or whatever we call the untrusted
> > content article).
> >
> > On Wed, Jan 9, 2013 at 6:01 AM, Andrew Grieve <ag...@chromium.org> wrote:
> >
> >> https://issues.apache.org/jira/browse/CB-2179
> >>
> >> On Tue, Jan 8, 2013 at 2:56 PM, Andrew Grieve <ag...@chromium.org>
> >> wrote:
> >>
> >> > Looking at docs.cordova.io, I'm thinking it might make sense to change
> >> > "Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a
> >> > section to it about the dangers of embedding untrusted content. SG? I'll
> >> > create a JIRA issue for it.
> >> >
> >>
>

Re: Iframe security

Posted by Brian LeRoux <b...@brian.io>.
Some of this could be re-purposed there:
https://github.com/phonegap/phonegap/wiki/Platform-Security

On Wed, Jan 9, 2013 at 1:41 PM, Michael Brooks <mi...@michaelbrooks.ca> wrote:
> Let's just create a parent section called "Security", with sub-articles of
> "Domain Whitelist" and "iFrame Security" (or whatever we call the untrusted
> content article).
>
> On Wed, Jan 9, 2013 at 6:01 AM, Andrew Grieve <ag...@chromium.org> wrote:
>
>> https://issues.apache.org/jira/browse/CB-2179
>>
>> On Tue, Jan 8, 2013 at 2:56 PM, Andrew Grieve <ag...@chromium.org>
>> wrote:
>>
>> > Looking at docs.cordova.io, I'm thinking it might make sense to change
>> > "Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a
>> > section to it about the dangers of embedding untrusted content. SG? I'll
>> > create a JIRA issue for it.
>> >
>>

Re: Iframe security

Posted by Michael Brooks <mi...@michaelbrooks.ca>.
Let's just create a parent section called "Security", with sub-articles of
"Domain Whitelist" and "iFrame Security" (or whatever we call the untrusted
content article).

On Wed, Jan 9, 2013 at 6:01 AM, Andrew Grieve <ag...@chromium.org> wrote:

> https://issues.apache.org/jira/browse/CB-2179
>
> On Tue, Jan 8, 2013 at 2:56 PM, Andrew Grieve <ag...@chromium.org>
> wrote:
>
> > Looking at docs.cordova.io, I'm thinking it might make sense to change
> > "Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a
> > section to it about the dangers of embedding untrusted content. SG? I'll
> > create a JIRA issue for it.
> >
>

Re: Iframe security

Posted by Andrew Grieve <ag...@chromium.org>.
https://issues.apache.org/jira/browse/CB-2179

On Tue, Jan 8, 2013 at 2:56 PM, Andrew Grieve <ag...@chromium.org> wrote:

> Looking at docs.cordova.io, I'm thinking it might make sense to change
> "Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a
> section to it about the dangers of embedding untrusted content. SG? I'll
> create a JIRA issue for it.
>

Re: Iframe security

Posted by Andrew Grieve <ag...@chromium.org>.
Looking at docs.cordova.io, I'm thinking it might make sense to change
"Domain Whitelist Guide" -> "Security & Whitelist Guide" and then add a
section to it about the dangers of embedding untrusted content. SG? I'll
create a JIRA issue for it.


On Tue, Jan 8, 2013 at 11:49 AM, Joe Bowser <bo...@gmail.com> wrote:

> Agreed! We should just discourage web developers from using iFrames
> whenever we can.  They don't even work properly on ICS.
>
> On Tue, Jan 8, 2013 at 8:42 AM, Brian LeRoux <b...@brian.io> wrote:
> > Docs would be the only way we can completely mitigate this. It should
> > be understood that 3rd party scripts are a bad idea by web developers.
> >
> > On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <ag...@chromium.org> wrote:
> >> Hi Denis,
> >>
> >> I think you bring up a good point. It's probably not a good idea to put
> >> untrusted content into an iframe within a Cordova app, for the reason you
> >> explained.
> >>
> >> Definitely a good first step would be to document this fact. If we can come
> >> up with a fix, that would be even better :)
> >>
> >>
> >> On Mon, Jan 7, 2013 at 4:17 AM, <de...@orange.com> wrote:
> >>
> >>> Hi all,
> >>>
> >>> I would like to know your opinion about iframe support in Cordova
> >>> especially on Android. I think the support of iframe can cause security
> >>> issues for two reasons:
> >>>
> >>> - White list mechanism settled by Cordova becomes ineffective
> >>> because navigation is made into iframe so the webview does not control
> >>> the current url loaded inside the iframe
> >>>
> >>> - Native APIs are not only exposed to the page loaded in the
> >>> webview, even the iframes can access native APIs which breaks the
> >>> same origin policy implemented in browsers
> >>>
> >>> That basically means some attackers can interact with native code in
> >>> unintended ways. This problem is not specific to Cordova, it is a
> >>> general problem of addJavascriptInterface method of webview.
> >>>
> >>> It is even explained in the webview's javadoc
> >>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
> >>>
> >>> The usage of iframe just makes it more obvious.
> >>>
> >>> So, I want to know your opinion about all of this:
> >>>
> >>> - Have you tried to figure out a way to improve security about
> >>> this (maybe by sharing a secret between the webview and native code to
> >>> prevent unknown sources from accessing native code)?
> >>>
> >>> - Do you think this point should be outlined in Cordova
> >>> documentation?
> >>>
> >>> Thx
> >>>
> >>> Denis
> >>>
>

Re: Iframe security

Posted by Joe Bowser <bo...@gmail.com>.
Agreed! We should just discourage web developers from using iFrames
whenever we can.  They don't even work properly on ICS.

On Tue, Jan 8, 2013 at 8:42 AM, Brian LeRoux <b...@brian.io> wrote:
> Docs would be the only way we can completely mitigate this. It should
> be understood that 3rd party scripts are a bad idea by web developers.
>
> On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <ag...@chromium.org> wrote:
>> Hi Denis,
>>
>> I think you bring up a good point. It's probably not a good idea to put
>> untrusted content into an iframe within a Cordova app, for the reason you
>> explained.
>>
>> Definitely a good first step would be to document this fact. If we can come
>> up with a fix, that would be even better :)
>>
>>
>> On Mon, Jan 7, 2013 at 4:17 AM, <de...@orange.com> wrote:
>>
>>> Hi all,
>>>
>>> I would like to know your opinion about iframe support in Cordova
>>> especially on Android. I think the support of iframe can cause security
>>> issues for two reasons:
>>>
>>> - White list mechanism settled by Cordova becomes ineffective
>>> because navigation is made into iframe so the webview does not control
>>> the current url loaded inside the iframe
>>>
>>> - Native APIs are not only exposed to the page loaded in the
>>> webview, even the iframes can access native APIs which breaks the
>>> same origin policy implemented in browsers
>>>
>>> That basically means some attackers can interact with native code in
>>> unintended ways. This problem is not specific to Cordova, it is a
>>> general problem of addJavascriptInterface method of webview.
>>>
>>> It is even explained in the webview's javadoc
>>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>>>
>>> The usage of iframe just makes it more obvious.
>>>
>>> So, I want to know your opinion about all of this:
>>>
>>> - Have you tried to figure out a way to improve security about
>>> this (maybe by sharing a secret between the webview and native code to
>>> prevent unknown sources from accessing native code)?
>>>
>>> - Do you think this point should be outlined in Cordova
>>> documentation?
>>>
>>> Thx
>>>
>>> Denis
>>>

Re: Iframe security

Posted by Brian LeRoux <b...@brian.io>.
Docs would be the only way we can completely mitigate this. It should
be understood that 3rd party scripts are a bad idea by web developers.

On Tue, Jan 8, 2013 at 8:20 AM, Andrew Grieve <ag...@chromium.org> wrote:
> Hi Denis,
>
> I think you bring up a good point. It's probably not a good idea to put
> untrusted content into an iframe within a Cordova app, for the reason you
> explained.
>
> Definitely a good first step would be to document this fact. If we can come
> up with a fix, that would be even better :)
>
>
> On Mon, Jan 7, 2013 at 4:17 AM, <de...@orange.com> wrote:
>
>> Hi all,
>>
>> I would like to know your opinion about iframe support in Cordova
>> especially on Android. I think the support of iframe can cause security
>> issues for two reasons:
>>
>> - White list mechanism settled by Cordova becomes ineffective
>> because navigation is made into iframe so the webview does not control
>> the current url loaded inside the iframe
>>
>> - Native APIs are not only exposed to the page loaded in the
>> webview, even the iframes can access native APIs which breaks the
>> same origin policy implemented in browsers
>>
>> That basically means some attackers can interact with native code in
>> unintended ways. This problem is not specific to Cordova, it is a
>> general problem of addJavascriptInterface method of webview.
>>
>> It is even explained in the webview's javadoc
>> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>>
>> The usage of iframe just makes it more obvious.
>>
>> So, I want to know your opinion about all of this:
>>
>> - Have you tried to figure out a way to improve security about
>> this (maybe by sharing a secret between the webview and native code to
>> prevent unknown sources from accessing native code)?
>>
>> - Do you think this point should be outlined in Cordova
>> documentation?
>>
>> Thx
>>
>> Denis
>>

Re: Iframe security

Posted by Andrew Grieve <ag...@chromium.org>.
Hi Denis,

I think you bring up a good point. It's probably not a good idea to put
untrusted content into an iframe within a Cordova app, for the reason you
explained.

Definitely a good first step would be to document this fact. If we can come
up with a fix, that would be even better :)


On Mon, Jan 7, 2013 at 4:17 AM, <de...@orange.com> wrote:

> Hi all,
>
> I would like to know your opinion about iframe support in Cordova
> especially on Android. I think the support of iframe can cause security
> issues for two reasons:
>
> - White list mechanism settled by Cordova becomes ineffective
> because navigation is made into iframe so the webview does not control
> the current url loaded inside the iframe
>
> - Native APIs are not only exposed to the page loaded in the
> webview, even the iframes can access native APIs which breaks the
> same origin policy implemented in browsers
>
> That basically means some attackers can interact with native code in
> unintended ways. This problem is not specific to Cordova, it is a
> general problem of addJavascriptInterface method of webview.
>
> It is even explained in the webview's javadoc
> http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29.
>
> The usage of iframe just makes it more obvious.
>
> So, I want to know your opinion about all of this:
>
> - Have you tried to figure out a way to improve security about
> this (maybe by sharing a secret between the webview and native code to
> prevent unknown sources from accessing native code)?
>
> - Do you think this point should be outlined in Cordova
> documentation?
>
> Thx
>
> Denis
>