You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cordova.apache.org by "Andrew Grieve (JIRA)" <ji...@apache.org> on 2014/07/04 04:15:34 UTC
[jira] [Resolved] (CB-5988) Allow the Android exec() to be used
only by 's domain
[ https://issues.apache.org/jira/browse/CB-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Grieve resolved CB-5988.
-------------------------------
Resolution: Fixed
Fixed in 3.6.0-dev (might go out as 3.5.1)
> Allow the Android exec() to be used only by <content>'s domain
> --------------------------------------------------------------
>
> Key: CB-5988
> URL: https://issues.apache.org/jira/browse/CB-5988
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Reporter: Andrew Grieve
> Assignee: Andrew Grieve
>
> Discussion: http://markmail.org/thread/yohym3xqomjp4a64
> Add a random number to exec() to increase its security.
> Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn't match that of content (with file:/// always being allowed).
--
This message was sent by Atlassian JIRA
(v6.2#6252)