Posted to dev@cordova.apache.org by "Antony Lees (JIRA)" <ji...@apache.org> on 2012/10/02 17:01:07 UTC
[jira] [Created] (CB-1572) Whitelisting not enforced in unsigned Android app
Antony Lees created CB-1572:
-------------------------------
Summary: Whitelisting not enforced in unsigned Android app
Key: CB-1572
URL: https://issues.apache.org/jira/browse/CB-1572
Project: Apache Cordova
Issue Type: Bug
Components: Android
Affects Versions: 2.1.0
Environment: Android 2.3 and 4.1
Reporter: Antony Lees
Assignee: Joe Bowser
Priority: Minor
The config.xml allows non-whitelisted URLs to be accessed before the app is signed. So, for example, if I whitelist only localhost
<access origin="http://127.0.0.1*"/> <!-- allow local pages -->
but then attempt to open an iframe with http://google.com, the iframe will be displayed from an unsigned .apk (either by running from Eclipse or by installing the .apk from the /bin directory)
As soon as the .apk is exported and signed, the whitelist is enforced and the iframe will not display as expected
Just to reiterate - the exact same code and whitelist is not enforced if the app is NOT signed. As soon as I export it in Eclipse, which signs it, the whitelist is enforced
This makes debugging difficult as the only way to check the whitelist is to export the app and install the signed .apk
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (CB-1572) Whitelisting not enforced in unsigned Android app
Posted by "Simon MacDonald (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CB-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon MacDonald resolved CB-1572.
---------------------------------
Resolution: Duplicate
Fix Version/s: 2.2.0
I believe this is a duplicate of CB-1564
> Whitelisting not enforced in unsigned Android app
> -------------------------------------------------
>
> Key: CB-1572
> URL: https://issues.apache.org/jira/browse/CB-1572
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.1.0
> Environment: Android 2.3 and 4.1
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Priority: Minor
> Fix For: 2.2.0
>
>
> The config.xml allows non-whitelisted URLs to be accessed before the app is signed. So, for example, if I whitelist only localhost
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> but then attempt to open an iframe with http://google.com, the iframe will be displayed from an unsigned .apk (either by running from Eclipse or by installing the .apk from the /bin directory)
> As soon as the .apk is exported and signed, the whitelist is enforced and the iframe will not display as expected
> Just to reiterate - the exact same code and whitelist is not enforced if the app is NOT signed. As soon as I export it in Eclipse, which signs it, the whitelist is enforced
> This makes debugging difficult as the only way to check the whitelist is to export the app and install the signed .apk