[ https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481182#comment-13481182 ]

Kevin Hawkins commented on CB-1695:
-----------------------------------

Ah, I was mistakenly trying to piggyback on the view controller identification 
that's ultimately driven by the setting of the 'vc' HTTP header in 
cordova.exec.  Yeah, that's not going to work for arbitrary requests, only 
Cordova bridge calls.

Perhaps the solution, in my case anyway, is to push my own NSURLProtocol class 
on top of the stack, and use an out-of-band identification technique to handle 
the non-Cordova requests.  But I'll try to brainstorm a way that such a process 
could be encapsulated within Cordova, as that would be ideal.  My first thought 
was around subclassing UIWebView, but Apple says, "Don't do that."
                
> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view 
> controllers/requests
> -----------------------------------------------------------------------------------------
>
>                 Key: CB-1695
>                 URL: https://issues.apache.org/jira/browse/CB-1695
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 2.2.0
>         Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit 
> ef67dcf7bce56c69299bb89ab16c1803d0edd895
>            Reporter: Kevin Hawkins
>            Assignee: Shazron Abdullah
>
> Registered NSURLProtocol objects respond to NSURLRequests across an 
> application.  As such, CDVURLProtocol handles all requests that would pass 
> through any UIWebView in the application, and applies Cordova's whitelist 
> rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is 
> only one component of the app.  Consider the case where I have my own 
> UIWebView (think ChildBrowser), and I want to load arbitrary web content.  
> This web content has no access to the Cordova sandbox on the device, and as 
> such should not be subject to the security restrictions that limit requests 
> to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view 
> controller against the global CDVViewController registry, for /!gap_exec 
> calls, should be extended to make the same check against http(s) calls, and 
> allow them without whitelist comparison for requests that originate outside 
> of any registered CDVViewController instances.
