Posted to dev@cordova.apache.org by "Sethi, Raman" <ra...@sap.com> on 2013/08/27 01:02:13 UTC

Android InAppBrowser with local file blocks XHR on Android 4.1

Hi All,

We ran into this issue with the InAppBrowser with local URLs, happens on
JellyBean only.


https://issues.apache.org/jira/browse/CB-4083


The fix is suggested in the comments if @Shazron or others can take a
look.  


So far we have been patching it on our side and would like customers to
use the default Cordova plugin.

Thanks

Raman


Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by Andrew Grieve <ag...@chromium.org>.
Thinking about x-platform, iOS always allows this (it has no toggle for
it). So maybe that should at least be the default? Is it actually unsafe in
any way to just turn this on always?


On Thu, Aug 29, 2013 at 11:38 AM, Ian Clelland <ic...@chromium.org> wrote:

> On Thu, Aug 29, 2013 at 10:31 AM, David Kemp <dr...@google.com> wrote:
>
> > Since I can open a file:// resource that contains http:// pages, the
> > restriction should not be based on what the IAB was opened with, but what
> > it is currently open with.
> >
> > example:
> > open file://index.html (contains a link to http://badplace.org)
> > click the link (now at http://badplace.org)
> > reference some arbitrary file:// resource
> >
>
> That should still fail; I believe that the Android WebView setting only
> comes into effect when the source of the request is a file:/// URL.
>
> Automatically setting it based on the original URL is an interesting idea.
> I think, though, that there are probably use cases for opening an IAB on a
> file:/// URL where you *shouldn't* by default allow access to everything.
> Maybe the application is caching resources for offline use, which aren't
> necessarily trusted.
>
> I'm in favour of adding an option to window.open.
> "allowuniversalaccessfromfile=yes"
> is a bit wordy, though, and looks *very* android-specific.
>
> Ian

Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by Ian Clelland <ic...@chromium.org>.
On Thu, Aug 29, 2013 at 10:31 AM, David Kemp <dr...@google.com> wrote:

> Since I can open a file:// resource that contains http:// pages, the
> restriction should not be based on what the IAB was opened with, but what
> it is currently open with.
>
> example:
> open file://index.html (contains a link to http://badplace.org)
> click the link (now at http://badplace.org)
> reference some arbitrary file:// resource
>

That should still fail; I believe that the Android WebView setting only
comes into effect when the source of the request is a file:/// URL.

Automatically setting it based on the original URL is an interesting idea.
I think, though, that there are probably use cases for opening an IAB on a
file:/// URL where you *shouldn't* by default allow access to everything.
Maybe the application is caching resources for offline use, which aren't
necessarily trusted.

I'm in favour of adding an option to window.open.
"allowuniversalaccessfromfile=yes"
is a bit wordy, though, and looks *very* android-specific.

Ian



Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by David Kemp <dr...@google.com>.
Since I can open a file:// resource that contains http:// pages, the
restriction should not be based on what the IAB was opened with, but what
it is currently open with.

example:
open file://index.html (contains a link to http://badplace.org)
click the link (now at http://badplace.org)
reference some arbitrary file:// resource



On Thu, Aug 29, 2013 at 10:14 AM, Andrew Grieve <ag...@chromium.org> wrote:

> How about enabling the setting when the IAB is opened with a file:/// URL?
> I think the security concern would come when it's opened with a malicious
> http:/// URL that then navigated to a file:/// URL.

Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by Andrew Grieve <ag...@chromium.org>.
How about enabling the setting when the IAB is opened with a file:/// URL?
I think the security concern would come when it's opened with a malicious
http:/// URL that then navigated to a file:/// URL.


On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <ma...@sap.com> wrote:

> Fair enough.  How about adding the following option on Android?
>
> allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running in
> the context of a file scheme to be allowed to access content from any
> origin.
>
> Eg.
> window.open('iab.html', '_blank',
> 'location=no,toolbar=no,allowuniversalaccessfromfile=yes');

Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by "Pridham, Marcus" <ma...@sap.com>.
Fair enough.  How about adding the following option on Android?

allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running in
the context of a file scheme to be allowed to access content from any
origin.

Eg.
window.open('iab.html', '_blank',
'location=no,toolbar=no,allowuniversalaccessfromfile=yes');



On 8/27/13 10:57 AM, "Ian Clelland" <ic...@chromium.org> wrote:

>This looks like a direct port of cordova-android commit #07439ff9 to
>InAppBrowser.
>
>The actual setting controls whether file:///* urls are allowed to execute
>JavaScript from any context; it is usually false for browsers (at least
>Chrome) for security reasons. We turn it on for the main Cordova WebView,
>since (presumably) the developer has full control over what URLs can be
>loaded into that space. InAppBrowser is meant to be more like a regular
>browser view, (i.e. no Cordova APIs), so we haven't chosen to open that up.
>
>There is probably a good case to be made for allowing this -- certainly not
>as the default setting, but as an option that the app can set in specific
>cases when it knows that the IAB is only going to be used for local
>content, and won't be executing arbitrary scripts.
>
>Ian


Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by Ian Clelland <ic...@chromium.org>.
This looks like a direct port of cordova-android commit #07439ff9 to
InAppBrowser.

The actual setting controls whether file:///* urls are allowed to execute
JavaScript from any context; it is usually false for browsers (at least
Chrome) for security reasons. We turn it on for the main Cordova WebView,
since (presumably) the developer has full control over what URLs can be
loaded into that space. InAppBrowser is meant to be more like a regular
browser view, (i.e. no Cordova APIs), so we haven't chosen to open that up.

There is probably a good case to be made for allowing this -- certainly not
as the default setting, but as an option that the app can set in specific
cases when it knows that the IAB is only going to be used for local
content, and won't be executing arbitrary scripts.

Ian


On Mon, Aug 26, 2013 at 10:56 PM, Shazron <sh...@gmail.com> wrote:

> I'll let the Android devs comment on this more - seems like an easy patch
> but the question is more of a policy thing, whether we want it in there at
> all. If anything, it would be an InAppBrowser option.

Re: Android InAppBrowser with local file blocks XHR on Android 4.1

Posted by Shazron <sh...@gmail.com>.
I'll let the Android devs comment on this more - seems like an easy patch
but the question is more of a policy thing, whether we want it in there at
all. If anything, it would be an InAppBrowser option.


On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <ra...@sap.com> wrote:

> Hi All,
>
> We ran into this issue with the InAppBrowser with local URLs, happens on
> JellyBean only.
>
>
> https://issues.apache.org/jira/browse/CB-4083
>
>
> The fix is suggested in the comments if @Shazron or others can take a
> look.
>
>
> So far we have been patching it on our side and would like customers to
> use the default Cordova plugin.
>
> Thanks
>
> Raman
>
>
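
Added example (not part of the original thread and not Cordova plugin code): a small JavaScript model of the three policies debated above, replayed over a constructed navigation history. Only the option name comes from the thread; the function names and sample URLs are hypothetical, and the rule that the setting matters only for documents loaded from file: URLs is taken from the thread as an assumption.

```javascript
// Added example. Hypothetical names throughout, except the option string.
const OPTION = 'allowuniversalaccessfromfile'; // option name proposed in the thread

// Parse a window.open features string ("k=v,k=v"). Keys and values are
// trimmed and lower-cased so stray whitespace or case cannot change the result.
function parseFeatures(features) {
  const out = {};
  for (const pair of String(features || '').split(',')) {
    const i = pair.indexOf('=');
    if (i < 1) continue; // no key, or no "=" at all
    out[pair.slice(0, i).trim().toLowerCase()] =
      pair.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

const isFileUrl = (url) => /^file:/i.test(String(url).trim());

// The three policies discussed: always on, keyed on the URL the IAB was
// opened with, or explicit opt-in (here also requiring a local opening URL).
const POLICIES = {
  always: () => true,
  openedWithFile: (openUrl) => isFileUrl(openUrl),
  optIn: (openUrl, features) =>
    parseFeatures(features)[OPTION] === 'yes' && isFileUrl(openUrl),
};

// Assumption from the thread: the WebView setting only takes effect when the
// document making the request was itself loaded from a file: URL.
function canReachOtherOrigins(settingEnabled, currentUrl) {
  return settingEnabled && isFileUrl(currentUrl);
}

// Replay a navigation history and report, per page, whether script on that
// page would be granted universal access under the chosen policy.
function audit(policyName, openUrl, features, history) {
  const enabled = POLICIES[policyName](openUrl, features);
  return history.map((url) => ({
    url,
    universal: canReachOtherOrigins(enabled, url),
  }));
}

// Constructed sample history: a trusted bundled page, a remote page, then an
// untrusted locally cached file (all paths are made up for illustration).
const HISTORY = [
  'file:///android_asset/www/iab.html',
  'http://badplace.org/',
  'file:///sdcard/cache/offline.html',
];

for (const name of Object.keys(POLICIES)) {
  const rows = audit(name, HISTORY[0], 'location=no,toolbar=no', HISTORY);
  console.log(name, rows.map((r) => r.universal).join(','));
}
```

Because the setting belongs to the WebView rather than to a page, the model grants it to every later file: page in the same view once it is enabled, which is the untrusted-cache case raised in the thread.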