You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cordova.apache.org by "Ian Clelland (JIRA)" <ji...@apache.org> on 2014/11/04 19:32:36 UTC

[jira] [Reopened] (CB-7758) Support for content:// URIs

     [ https://issues.apache.org/jira/browse/CB-7758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Clelland reopened CB-7758:
------------------------------
      Assignee: Ian Clelland

Thinking some more about this, I think that we may have to change the way we're doing it. This solution opens up a potential security hole, where an app could be targeted specifically by malware which creates a content provider with the same root package name as the app, and is therefore granted access to the bridge.

On the 4.x branch, I've merged the bridge access logic with the navigation logic (if you can navigate the webview to a page, then the page should have access to the bridge). I think we should do something similar here, and check the config whitelist before granting access.

It would mean that you have to grant access to the content urls in config.xml:

{code}
<access src="content://com.ionicframework.ionicapp.jsHybugger/*" />
<access src="content://com.ionicframework.ionicapp.myProvider/*" />
{code}

but you probably need that anyway to support using those pages within an app.

Would that work for you?

> Support for content:// URIs
> ---------------------------
>
>                 Key: CB-7758
>                 URL: https://issues.apache.org/jira/browse/CB-7758
>             Project: Apache Cordova
>          Issue Type: New Feature
>          Components: Android
>    Affects Versions: 3.6.0
>         Environment: Android 4.3
>            Reporter: Wolfgang Flohr-Hochbichler
>            Assignee: Ian Clelland
>            Priority: Minor
>
> Device ready event is not fired if page is loaded via content:// protocol. 
> I assume it has something to do with a security check done within CordovaBridge.java which triggers the following gap_init error message.
> 10-09 10:10:18.071 16719 16719 E CordovaBridge: gap_init called from restricted origin: content://com.ionicframework.ionicapp795549.jsHybugger/file:///android_asset/www/index.html#/tab/dash
> 10-09 10:10:23.075 16719 16719 D CordovaLog: content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js: Line 112 : deviceready has not fired after 5 seconds.
> 10-09 10:10:23.075 16719 16719 I Web Console: deviceready has not fired after 5 seconds. at content://com.ionicframework.ionicapp795549.jsHybugger/jshybugger.js:112



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org