Antony Lees created CB-1572:
-------------------------------
Summary: Whitelisting not enforced in unsigned Android app
Key: CB-1572
URL: https://issues.apache.org/jira/browse/CB-1572
Project: Apache Cordova
Issue Type: Bug
Components: Android
Affects Versions: 2.1.0
Environment: Android 2.3 and 4.1
Reporter: Antony Lees
Assignee: Joe Bowser
Priority: Minor
The config.xml allows non-whitelisted URLs to be accessed before the app is
signed. So, for example, if I whitelist only localhost
<access origin="http://127.0.0.1*"/> <!-- allow local pages -->
but then attempt to open a iframe with http://google.com, the iframe will be
displayed from an unsigned .apk (either by running from Eclipse or by installed
the .apk from the /bin directory)
As soon as the .apk is exported and signed, the whitelist is enforced and the
iframe will not display as expected
Just to reiterate - the exact same code and whitelist is not enforced if the
app is NOT signed. As soon as I export it in Eclipse, which signs it, the
whitelist is enforced
This makes debugging difficult as the only way to check the whitelist is to
export the app and install the signed .apk
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
