[
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481475#comment-13481475
]
Kevin Hawkins commented on CB-1695:
-----------------------------------
The problem with this approach is that the user agent setting could be
overridden by anyone. And to tip my hand a little, anyone would be me, who's
already doing it. ;-) But less selfishly, I've found that it's one of those
properties that's already somewhat saturated in its overridden use, since it
represents the easiest "standard" way to get data about your app back to a
service endpoint, through a web request.
Brainstorming it a bit more, this actually seems like a good candidate for
objc_setAssociatedObject() and objc_getAssociatedObject()
(http://developer.apple.com/library/ios/#documentation/cocoa/conceptual/objectivec/chapters/ocAssociativeReferences.html),
which allows you to set and retrieve additional properties on existing
objects, without modifying their definition. We could simply set a BOOL
property (or equivalent) on a Cordova-created UIWebView, indicating that it
belongs to Cordova. We'd then use that as an additional differentiator in
CDVURLProtocol to determine whether or not to apply security checks on http(s)
requests. It's been available since iOS 3.1, so we're safe there. What do you
think?
> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view
> controllers/requests
> -----------------------------------------------------------------------------------------
>
> Key: CB-1695
> URL: https://issues.apache.org/jira/browse/CB-1695
> Project: Apache Cordova
> Issue Type: Bug
> Components: iOS
> Affects Versions: 2.2.0
> Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit
> ef67dcf7bce56c69299bb89ab16c1803d0edd895
> Reporter: Kevin Hawkins
> Assignee: Shazron Abdullah
> Fix For: 2.3.0
>
>
> Registered NSURLProtocol objects respond to NSURLRequests across an
> application. As such, CDVURLProtocol handles all requests that would pass
> through any UIWebView in the application, and applies Cordova's whitelist
> rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is
> only one component of the app. Consider the case where I have my own
> UIWebView (think ChildBrowser), and I want to load arbitrary web content.
> This web content has no access to the Cordova sandbox on the device, and as
> such should not be subject to the security restrictions that limit requests
> to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view
> controller against the global CDVViewController registry, for /!gap_exec
> calls, should be extended to make the same check against http(s) calls, and
> allow them without whitelist comparison for requests that originate outside
> of any registered CDVViewController instances.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
