[
https://issues.apache.org/jira/browse/CB-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Simon MacDonald resolved CB-1572.
---------------------------------
Resolution: Duplicate
Fix Version/s: 2.2.0
I believe this is a duplicate of CB-1564
> Whitelisting not enforced in unsigned Android app
> -------------------------------------------------
>
> Key: CB-1572
> URL: https://issues.apache.org/jira/browse/CB-1572
> Project: Apache Cordova
> Issue Type: Bug
> Components: Android
> Affects Versions: 2.1.0
> Environment: Android 2.3 and 4.1
> Reporter: Antony Lees
> Assignee: Joe Bowser
> Priority: Minor
> Fix For: 2.2.0
>
>
> The config.xml allows non-whitelisted URLs to be accessed before the app is
> signed. So, for example, if I whitelist only localhost
> <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
> but then attempt to open a iframe with http://google.com, the iframe will be
> displayed from an unsigned .apk (either by running from Eclipse or by
> installed the .apk from the /bin directory)
> As soon as the .apk is exported and signed, the whitelist is enforced and the
> iframe will not display as expected
> Just to reiterate - the exact same code and whitelist is not enforced if the
> app is NOT signed. As soon as I export it in Eclipse, which signs it, the
> whitelist is enforced
> This makes debugging difficult as the only way to check the whitelist is to
> export the app and install the signed .apk
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
