Posted to dev@cordova.apache.org by Joe Bowser <bo...@gmail.com> on 2015/04/24 23:34:48 UTC

[Android] InAppBrowser and URI whitelisting

Hey

I was looking at CB-8180, and I'm wondering what the correct behaviour for
intents being launched from URIs should be for an InAppBrowser.  Should
these have free rein to open whatever, or should they also be bound by the
rules of the whitelist?

What do people think?

Joe

Re: [Android] InAppBrowser and URI whitelisting

Posted by Andrew Grieve <ag...@chromium.org>.
Yeah, that does sound messed up :S.

Perhaps IAB should be restricted to network & intent whitelists? With CSP,
our basic guidance is to allow full network access and restrict via CSP
anyways.

On Fri, Apr 24, 2015 at 7:48 PM, Joe Bowser <bo...@gmail.com> wrote:

> So, since we make this Category.BROWSABLE, we can safely say that this is
> working as intended and close it? :P
>
> I disagree about not restricting it to the intent whitelist, because that
> sounds messed up that we wouldn't let an app, with the trusted content run
> an intent, but we'd let untrusted content run one.
>
> On Fri, Apr 24, 2015 at 4:38 PM Andrew Grieve <ag...@chromium.org>
> wrote:
>
> > The browser allows any intents, but attaches Category.BROWSABLE to the
> > intents, which is supposed to make them safe.
> > We don't restrict the IAB to the network whitelist, so it follows
> (maybe?)
> > that we wouldn't restrict it to the intent whitelist.
> >
> > On Fri, Apr 24, 2015 at 6:06 PM, Jesse <pu...@gmail.com> wrote:
> >
> > > What does the browser do? That's what the InAppBrowser should do ...
> > >
> > > It may also make sense to allow the host cordova app decide whether or
> > not
> > > to allow it.
> > > Presumably the host app could allow all intents, but not want to extend
> > > that to its InAppBrowser control, or allow some intents for some
> domains
> > > ... based on their own logic ...
> > > Ideally, I think this should be a user problem, i.e. give the app
> > developer
> > > a chance to intercept the request, and if they don't just perform the
> > > default browser behaviour.
> > >
> > > @purplecabbage
> > > risingj.com
> > >
> > > On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bo...@gmail.com> wrote:
> > >
> > > > Hey
> > > >
> > > > I was looking at CB-8180, and I'm wondering what the correct
> behaviour
> > > for
> > > > intents being launched from URIs should be for an InAppBrowser.
> Should
> > > > these have free rein to open whatever, or should they also be bound
> by
> > > the
> > > > rules of the whitelist?
> > > >
> > > > What do people think?
> > > >
> > > > Joe
> > > >
> > >
> >
>
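
Added example, not code from cordova-android or cordova-plugin-inappbrowser: a WebViewClient that handles non-http(s) navigations inside the in-app browser the way the thread sketches. The host app gets first refusal (Jesse's hook), the URL is then checked against an allow-intent style list, and only a listed URL is launched, and then as an implicit intent with Category.BROWSABLE and no explicit component or selector, which is how a browser launches it. The class and interface names, the wildcard matcher and the sample patterns in the usage note are assumptions made for this example. The caveat a practitioner wants: Category.BROWSABLE only narrows the target to activities that declared themselves launchable from a browser; it does not stop untrusted page content from reaching the host app's own browsable activities, so the allow-list, not the category, is the actual gate.

```java
// Added example, not cordova-android's own code. GuardedWebViewClient, IntentPolicy
// and AllowIntentList are assumed names; the matcher is a simplified stand-in for
// the allow-intent whitelist, not the project's implementation.
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class GuardedWebViewClient extends WebViewClient {

    /** Host-app hook: return true to take over the URL, false to fall through. */
    public interface IntentPolicy {
        boolean onIntentUrl(String url);
    }

    /** Allow-intent style list: full-URL patterns where '*' matches anything. */
    public static final class AllowIntentList {
        private final List<Pattern> patterns = new ArrayList<>();

        public void add(String pattern) {
            // Quote the literal parts, then let each '*' match any run of characters.
            String regex = Pattern.quote(pattern).replace("*", "\\E.*\\Q");
            patterns.add(Pattern.compile("^" + regex + "$"));
        }

        public boolean allows(String url) {
            for (Pattern p : patterns) {
                if (p.matcher(url).matches()) return true;
            }
            return false;
        }
    }

    private final Context context;
    private final AllowIntentList allowIntents;
    private final IntentPolicy policy; // may be null

    public GuardedWebViewClient(Context context, AllowIntentList allowIntents, IntentPolicy policy) {
        this.context = context;
        this.allowIntents = allowIntents;
        this.policy = policy;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        String scheme = Uri.parse(url).getScheme();
        // Plain web navigation stays in the WebView; the network whitelist / CSP govern it.
        if ("http".equals(scheme) || "https".equals(scheme)) {
            return false;
        }
        // Give the host app a chance to intercept before anything leaves the WebView.
        if (policy != null && policy.onIntentUrl(url)) {
            return true;
        }
        // Anything else would become an intent launch, so it must be on the allow-list.
        if (!allowIntents.allows(url)) {
            return true; // consume the navigation; nothing is launched
        }
        launchBrowsable(url);
        return true;
    }

    /** Launch like a browser: implicit intent, BROWSABLE only, no component or selector. */
    private void launchBrowsable(String url) {
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return;
        }
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        intent.setComponent(null); // intent:// URLs can name a component; drop it
        intent.setSelector(null);  // and a selector, so only BROWSABLE activities resolve
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        if (context.getPackageManager().resolveActivity(intent, 0) == null) {
            return; // no browsable handler installed; do nothing
        }
        try {
            context.startActivity(intent);
        } catch (ActivityNotFoundException ignored) {
            // Resolved a moment ago but gone now; treat as not handled.
        }
    }
}
```

Wired up as webView.setWebViewClient(new GuardedWebViewClient(ctx, list, null)) with, for instance, list.add("market://*") and list.add("tel:*") (sample patterns, an assumption), a market: link in the page opens the store app while an intent:// URL for an unlisted scheme is dropped without a launch. Passing a non-null IntentPolicy lets the host app apply its own per-domain logic ahead of the list, which is the behaviour Jesse asks for.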

Re: [Android] InAppBrowser and URI whitelisting

Posted by Joe Bowser <bo...@gmail.com>.
So, since we make this Category.BROWSABLE, we can safely say that this is
working as intended and close it? :P

I disagree about not restricting it to the intent whitelist, because that
sounds messed up that we wouldn't let an app, with the trusted content run
an intent, but we'd let untrusted content run one.

On Fri, Apr 24, 2015 at 4:38 PM Andrew Grieve <ag...@chromium.org> wrote:

> The browser allows any intents, but attaches Category.BROWSABLE to the
> intents, which is supposed to make them safe.
> We don't restrict the IAB to the network whitelist, so it follows (maybe?)
> that we wouldn't restrict it to the intent whitelist.
>
> On Fri, Apr 24, 2015 at 6:06 PM, Jesse <pu...@gmail.com> wrote:
>
> > What does the browser do? That's what the InAppBrowser should do ...
> >
> > It may also make sense to allow the host cordova app decide whether or
> not
> > to allow it.
> > Presumably the host app could allow all intents, but not want to extend
> > that to its InAppBrowser control, or allow some intents for some domains
> > ... based on their own logic ...
> > Ideally, I think this should be a user problem, i.e. give the app
> developer
> > a chance to intercept the request, and if they don't just perform the
> > default browser behaviour.
> >
> > @purplecabbage
> > risingj.com
> >
> > On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bo...@gmail.com> wrote:
> >
> > > Hey
> > >
> > > I was looking at CB-8180, and I'm wondering what the correct behaviour
> > for
> > > intents being launched from URIs should be for an InAppBrowser.  Should
> > > these have free reign to open whatever, or should they also be bound by
> > the
> > > rules of the whitelist?
> > >
> > > What do people think?
> > >
> > > Joe
> > >
> >
>

Re: [Android] InAppBrowser and URI whitelisting

Posted by Andrew Grieve <ag...@chromium.org>.
The browser allows any intents, but attaches Category.BROWSABLE to the
intents, which is supposed to make them safe.
We don't restrict the IAB to the network whitelist, so it follows (maybe?)
that we wouldn't restrict it to the intent whitelist.

On Fri, Apr 24, 2015 at 6:06 PM, Jesse <pu...@gmail.com> wrote:

> What does the browser do? That's what the InAppBrowser should do ...
>
> It may also make sense to allow the host cordova app decide whether or not
> to allow it.
> Presumably the host app could allow all intents, but not want to extend
> that to its InAppBrowser control, or allow some intents for some domains
> ... based on their own logic ...
> Ideally, I think this should be a user problem, i.e. give the app developer
> a chance to intercept the request, and if they don't just perform the
> default browser behaviour.
>
> @purplecabbage
> risingj.com
>
> On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bo...@gmail.com> wrote:
>
> > Hey
> >
> > I was looking at CB-8180, and I'm wondering what the correct behaviour
> for
> > intents being launched from URIs should be for an InAppBrowser.  Should
> > these have free rein to open whatever, or should they also be bound by
> the
> > rules of the whitelist?
> >
> > What do people think?
> >
> > Joe
> >
>

Re: [Android] InAppBrowser and URI whitelisting

Posted by Jesse <pu...@gmail.com>.
What does the browser do? That's what the InAppBrowser should do ...

It may also make sense to allow the host cordova app decide whether or not
to allow it.
Presumably the host app could allow all intents, but not want to extend
that to its InAppBrowser control, or allow some intents for some domains
... based on their own logic ...
Ideally, I think this should be a user problem, i.e. give the app developer
a chance to intercept the request, and if they don't just perform the
default browser behaviour.

@purplecabbage
risingj.com

On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bo...@gmail.com> wrote:

> Hey
>
> I was looking at CB-8180, and I'm wondering what the correct behaviour for
> intents being launched from URIs should be for an InAppBrowser.  Should
> these have free rein to open whatever, or should they also be bound by the
> rules of the whitelist?
>
> What do people think?
>
> Joe
>