Posted to issues@cordova.apache.org by "Andrew Grieve (JIRA)" <ji...@apache.org> on 2014/07/04 04:15:34 UTC

[jira] [Resolved] (CB-5988) Allow the Android exec() to be used only by <content>'s domain

     [ https://issues.apache.org/jira/browse/CB-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Grieve resolved CB-5988.
-------------------------------

    Resolution: Fixed

Fixed in 3.6.0-dev (might go out as 3.5.1)

> Allow the Android exec() to be used only by <content>'s domain
> --------------------------------------------------------------
>
>                 Key: CB-5988
>                 URL: https://issues.apache.org/jira/browse/CB-5988
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Andrew Grieve
>            Assignee: Andrew Grieve
>
> Discussion: http://markmail.org/thread/yohym3xqomjp4a64
> Add a random number to exec() to increase its security.
> Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn't match that of content (with file:/// always being allowed).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
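
A minimal model of the gating described in the issue, as an added example and not Cordova's own code: the native side hands a random secret only to a main-frame URL that matches the <content> source (or is file:), and rejects exec() calls that do not present it. The class and method names are hypothetical and the sample URLs are constructed; comparing scheme, host and port rather than host alone, and invalidating the secret on every page load, are assumptions of this sketch.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.security.SecureRandom;

// Hypothetical model of the native side of the bridge; not Cordova's classes.
public class BridgeSecretGate {
    private static final SecureRandom RNG = new SecureRandom();
    private final URI contentUri;     // parsed <content src="..."> value
    private int expectedSecret = -1;  // -1 means no secret is currently valid

    public BridgeSecretGate(String contentSrc) throws URISyntaxException {
        this.contentUri = new URI(contentSrc);
    }

    // Called when the main frame loads; returns -1 when no token is provided.
    public synchronized int issueSecret(String mainFrameUrl) {
        expectedSecret = -1; // assumption: a new page load invalidates the old secret
        if (!isTrusted(mainFrameUrl)) return -1;
        expectedSecret = RNG.nextInt(Integer.MAX_VALUE); // always >= 0
        return expectedSecret;
    }

    // Every exec() call must present the secret issued for the current page.
    public synchronized boolean execAllowed(int presentedSecret) {
        return expectedSecret >= 0 && presentedSecret == expectedSecret;
    }

    private boolean isTrusted(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            if (scheme == null) return false;
            if (scheme.equalsIgnoreCase("file")) return true; // file:/// always allowed
            // Compare parsed components, never string prefixes or substrings.
            return scheme.equalsIgnoreCase(contentUri.getScheme())
                && u.getHost() != null && u.getHost().equalsIgnoreCase(contentUri.getHost())
                && u.getPort() == contentUri.getPort();
        } catch (URISyntaxException e) {
            return false; // an unparseable URL gets no token
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs.
        BridgeSecretGate gate = new BridgeSecretGate("https://app.example.com/index.html");
        int s = gate.issueSecret("https://app.example.com/page2.html");
        System.out.println("same origin, exec allowed: " + gate.execAllowed(s));
        System.out.println("lookalike host token: " + gate.issueSecret("https://app.example.com.evil.test/"));
        System.out.println("old secret after navigation: " + gate.execAllowed(s));
    }
}
```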