You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cordova.apache.org by "Simon MacDonald (JIRA)" <ji...@apache.org> on 2012/10/02 17:03:07 UTC
[jira] [Resolved] (CB-1572) Whitelisting not enforced in unsigned
Android app
[ https://issues.apache.org/jira/browse/CB-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon MacDonald resolved CB-1572.
---------------------------------
Resolution: Duplicate
Fix Version/s: 2.2.0
I believe this is a duplicate of CB-1564
> Whitelisting not enforced in unsigned Android app
> -------------------------------------------------
>
> Key: CB-1572
> URL: https://issues.apache.org/jira/browse/CB-1572
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.1.0
> Environment: Android 2.3 and 4.1
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Priority: Minor
> Fix For: 2.2.0
>
>
> The config.xml allows non-whitelisted URLs to be accessed before the app is signed. So, for example, if I whitelist only localhost
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> but then attempt to open a iframe with http://google.com, the iframe will be displayed from an unsigned .apk (either by running from Eclipse or by installed the .apk from the /bin directory)
> As soon as the .apk is exported and signed, the whitelist is enforced and the iframe will not display as expected
> Just to reiterate - the exact same code and whitelist is not enforced if the app is NOT signed. As soon as I export it in Eclipse, which signs it, the whitelist is enforced
> This makes debugging difficult as the only way to check the whitelist is to export the app and install the signed .apk
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira