Kevin Hawkins created CB-1695:
---------------------------------

             Summary: [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests
                 Key: CB-1695
                 URL: https://issues.apache.org/jira/browse/CB-1695
             Project: Apache Cordova
          Issue Type: Bug
          Components: iOS
    Affects Versions: 2.2.0
         Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit ef67dcf7bce56c69299bb89ab16c1803d0edd895
            Reporter: Kevin Hawkins
            Assignee: Shazron Abdullah


Registered NSURLProtocol objects respond to NSURLRequests across an 
application.  As such, CDVURLProtocol handles all requests that would pass 
through any UIWebView in the application, and applies Cordova's whitelist rules 
accordingly to each http(s) request.

This is an unreasonable overreach of authority, in an app where Cordova is only 
one component of the app.  Consider the case where I have my own UIWebView 
(think ChildBrowser), and I want to load arbitrary web content.  This web 
content has no access to the Cordova sandbox on the device, and as such should 
not be subject to the security restrictions that limit requests to 
whitelisted/trusted hosts.

The logic in [CDVURLProtocol canInitWithRequest:] that validates the view 
controller against the global CDVViewController registry, for /!gap_exec calls, 
should be extended to make the same check against http(s) calls, and allow them 
without whitelist comparison for requests that originate outside of any 
registered CDVViewController instances.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
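
The scoping this issue proposes, as an added example in Objective-C that is not code from the report or from Cordova: the whitelist is enforced only on http(s) requests that originate from a registered controller. `ScopedWhitelistProtocol`, its methods, and the User-Agent tag used to identify the originating controller are assumptions; the issue does not say how the origin is determined.

```objc
#import <Foundation/Foundation.h>

// Hypothetical class (assumes ARC). Assumption: every Cordova-owned web view
// sends a User-Agent ending in a unique tag that was registered here.
@interface ScopedWhitelistProtocol : NSURLProtocol
+ (void)registerControllerTag:(NSString *)tag;
+ (void)setAllowedHosts:(NSSet *)hosts;
@end

static NSMutableSet *sTags;   // tags of registered controllers
static NSSet *sAllowedHosts;  // lowercase host names, exact match only

@implementation ScopedWhitelistProtocol
+ (void)registerControllerTag:(NSString *)tag {
    @synchronized (self) {
        if (sTags == nil) { sTags = [NSMutableSet set]; }
        [sTags addObject:tag];
    }
}
+ (void)setAllowedHosts:(NSSet *)hosts {
    @synchronized (self) { sAllowedHosts = [hosts copy]; }
}
+ (BOOL)isFromRegisteredController:(NSURLRequest *)request {
    // A missing header leaves agent nil, so every hasSuffix: below is NO.
    NSString *agent = [request valueForHTTPHeaderField:@"User-Agent"];
    BOOL found = NO;
    @synchronized (self) {
        for (NSString *tag in sTags) { found = found || [agent hasSuffix:tag]; }
    }
    return found;
}
// Claim only http(s) requests that come from a registered controller AND
// target a host outside the whitelist; everything else loads normally.
+ (BOOL)canInitWithRequest:(NSURLRequest *)request {
    NSString *scheme = [[[request URL] scheme] lowercaseString];
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) { return NO; }
    if (![self isFromRegisteredController:request]) { return NO; }  // other web views: out of scope
    NSString *host = [[[request URL] host] lowercaseString];
    BOOL blocked;
    @synchronized (self) { blocked = (host == nil) || ![sAllowedHosts containsObject:host]; }
    return blocked;  // an unset whitelist blocks every host for registered controllers
}
+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request { return request; }
- (void)startLoading {  // a claimed request is always a rejected one
    NSError *error = [NSError errorWithDomain:NSURLErrorDomain code:NSURLErrorResourceUnavailable userInfo:nil];
    [[self client] URLProtocol:self didFailWithError:error];
}
- (void)stopLoading {}
@end
```

The class takes effect once passed to `+[NSURLProtocol registerClass:]`. A Cordova web view whose requests arrive without a registered tag falls outside the filter, so the tag check is the part to test.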
