You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cordova.apache.org by "Antony Lees (JIRA)" <ji...@apache.org> on 2012/11/28 23:52:01 UTC
[jira] [Created] (CB-1947) Secure whitelisted URLs not loading in
Android
Antony Lees created CB-1947:
-------------------------------
Summary: Secure whitelisted URLs not loading in Android
Key: CB-1947
URL: https://issues.apache.org/jira/browse/CB-1947
Project: Apache Cordova
Issue Type: Bug
Components: Android
Affects Versions: 2.2.0
Environment: Android 2.3 and 4.2
Reporter: Antony Lees
Assignee: Joe Bowser
Given the config
<access origin="http://127.0.0.1*"/> <!-- allow local pages -->
<access origin="https://mysite.com" subdomains="true"/>
<access origin="http://mysite.com" subdomains="true"/>
I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
Even if I add
<access origin="*"/>
the same thing happens
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Antony Lees (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506876#comment-13506876 ]
Antony Lees commented on CB-1947:
---------------------------------
Yeah, so the CN = COMODO High-Assurance Secure Server CA
Valid from: Tuesday, February 21, 2012 12:00:00 AM
Valid to: Wednesday, February 20, 2013 11:59:59 PM
So it's been some time since the certificate was issued
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507747#comment-13507747 ]
Joe Bowser commented on CB-1947:
--------------------------------
Do you have a logcat log of this? I'm not able to reproduce this on this end with a regular GeoTrust Cert that I use.
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Antony Lees (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antony Lees updated CB-1947:
----------------------------
Attachment: log.txt
logcat output
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Attachments: log.txt
>
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509122#comment-13509122 ]
Joe Bowser commented on CB-1947:
--------------------------------
Yes, VERBOSE should be good. Either that or can you provide an example of a site with a Comodo cert? I don't have one here.
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Antony Lees (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506029#comment-13506029 ]
Antony Lees commented on CB-1947:
---------------------------------
It's not my site, however from inspecting their certificate I can see it was signed by a CA called COMODO, so they don't appear to be self-signed
Some issue with certificate inspection in production mode then?
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506856#comment-13506856 ]
Joe Bowser commented on CB-1947:
--------------------------------
It was signed by Comodo? When were the certs issued? It's possible that the old Comodo certs were rightfully pulled from Android.
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506023#comment-13506023 ]
Joe Bowser commented on CB-1947:
--------------------------------
When you deploy from Eclipse, it still enforces the whitelist. However, if you're using Self-Signed Certificates, Cordova will not load those in production mode. This is intentional, since you should be using real certificates if you're releasing an actual app to the market.
Is this the case with your SSL site?
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Antony Lees (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510396#comment-13510396 ]
Antony Lees commented on CB-1947:
---------------------------------
I can do both. The site I am trying to use with the Comodo cert is https://tolling.severnbridge.co.uk/account/index.php
I've also attached the logcat output
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Attachments: log.txt
>
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Antony Lees (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antony Lees updated CB-1947:
----------------------------
Description:
Given the config
<access origin="http://127.0.0.1*"/> <!-- allow local pages -->
<access origin="https://mysite.com" subdomains="true"/>
<access origin="http://mysite.com" subdomains="true"/>
I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
Even if I add
<access origin="*"/>
the same thing happens
I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
was:
Given the config
<access origin="http://127.0.0.1*"/> <!-- allow local pages -->
<access origin="https://mysite.com" subdomains="true"/>
<access origin="http://mysite.com" subdomains="true"/>
I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
Even if I add
<access origin="*"/>
the same thing happens
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Antony Lees (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507751#comment-13507751 ]
Antony Lees commented on CB-1947:
---------------------------------
I don't remember seeing much of use in the logcat but I can get one. Would it help to have it at VERBOSE level?
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510957#comment-13510957 ]
Joe Bowser commented on CB-1947:
--------------------------------
BTW: The CordovaWebView adds the SSL version of the site to the whitelist whether you put https or not, so both http and https will work.
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Attachments: log.txt
>
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510976#comment-13510976 ]
Joe Bowser commented on CB-1947:
--------------------------------
OK, can you try the one that's not working on a fast connection? Also, you're doing everything right with not mixing the secure and non-secure assets, since having non-secure assets makes it even slower. I think that this may be an Android SSL performance issue, which may mean you have to find some way to hide the iFrame until it loads or use a splashscreen or something.
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Attachments: log.txt
>
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CB-1947) Secure whitelisted URLs not loading in
Android
Posted by "Joe Bowser (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510956#comment-13510956 ]
Joe Bowser commented on CB-1947:
--------------------------------
OK, they're loading, but it's REALLY SLOW! Like Eye-Gougingly slow! I have no idea why SSL is so slow, but if your connection sucks I can see why this looks like this won't load.
> Secure whitelisted URLs not loading in Android
> ----------------------------------------------
>
> Key: CB-1947
> URL: https://issues.apache.org/jira/browse/CB-1947
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.2.0
> Environment: Android 2.3 and 4.2
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Attachments: log.txt
>
>
> Given the config
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> <access origin="https://mysite.com" subdomains="true"/>
> <access origin="http://mysite.com" subdomains="true"/>
> I would expect both the http and https sites to load. However only the unsecured http URL will load, the secure https URL shows an HTML error page (it's an iframe)
> Even if I add
> <access origin="*"/>
> the same thing happens
> I should add that if I deploy the app straight from eclipse (ie not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira