Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2021/02/26 12:38:42 UTC

[GitHub] [cordova-ios] sdemir60 opened a new issue #1086: Can the hostname be set at runtime?

sdemir60 opened a new issue #1086:
URL: https://github.com/apache/cordova-ios/issues/1086


   Our users set their server addresses themselves from our application. It connects to the servers of its own company. Can the hostname be set at runtime?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


[GitHub] [cordova-ios] breautek commented on issue #1086: Can the hostname be set at runtime?

Posted by GitBox <gi...@apache.org>.
breautek commented on issue #1086:
URL: https://github.com/apache/cordova-ios/issues/1086#issuecomment-786651866


   No. Servers must be allow-listed ahead of time and cannot be changed during runtime.
   
   ## Why?
   
   In the event of a malicious code execution, the allow list will prevent data from being sent to their malicious servers, assuming the allow list is configured as restrictive as possible.
   
   If the app could change the allow list during runtime, it would break this damage mitigation, as the malicious actor could then simply update the allow list themselves.
   
   ## Most Ideal Scenario
   
   I obviously have no clue about your product or infrastructure, but I'll explain a workaround that, in my opinion, would be the most secure way of dealing with your issue. This may or may not be possible for your project for a number of different reasons, because I'll be making a number of assumptions.
   
   Firstly, you could just open the gates by allowing any and all servers to communicate with your app, but for reasons above this would not be recommended.
   
   The app should communicate with a single server, which is a proxy server that will then communicate with your client's server address. This shouldn't be configurable from the app itself but through a web portal. The app can then whitelist your proxy server, and your proxy server should only allow requests to be made on behalf of the client to what they have configured.
   
   In this configuration, should the app be vulnerable to remote code execution, the damage mitigation hasn't been defeated, as the app can only communicate with the proxy server and the proxy server should only allow the client to communicate with their configured server. This also has the added benefit that you can configure CORS properly and not have to worry about your clients implementing CORS wrong.
   
   Disclaimer: I'm not a security engineer.
   
   Because this isn't a bug, I'll be closing this issue. If you would like to discuss more on this subject, our [Slack](http://slack.cordova.io/) community can probably help.
   
   Cheers,
   Norman




[GitHub] [cordova-ios] breautek closed issue #1086: Can the hostname be set at runtime?

Posted by GitBox <gi...@apache.org>.
breautek closed issue #1086:
URL: https://github.com/apache/cordova-ios/issues/1086


   

