[ https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481743#comment-13481743 ]
Kevin Hawkins commented on CB-1695:
-----------------------------------
Bah, I'm undeterred! ;-) I'll keep mulling and experimenting.
> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view
> controllers/requests
> -----------------------------------------------------------------------------------------
>
> Key: CB-1695
> URL: https://issues.apache.org/jira/browse/CB-1695
> Project: Apache Cordova
> Issue Type: Bug
> Components: iOS
> Affects Versions: 2.2.0
> Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit
> ef67dcf7bce56c69299bb89ab16c1803d0edd895
> Reporter: Kevin Hawkins
> Assignee: Shazron Abdullah
> Fix For: 2.3.0
>
>
> Registered NSURLProtocol objects respond to NSURLRequests across an
> application. As such, CDVURLProtocol handles all requests that would pass
> through any UIWebView in the application, and applies Cordova's whitelist
> rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is
> only one component of the app. Consider the case where I have my own
> UIWebView (think ChildBrowser), and I want to load arbitrary web content.
> This web content has no access to the Cordova sandbox on the device, and as
> such should not be subject to the security restrictions that limit requests
> to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view
> controller against the global CDVViewController registry, for /!gap_exec
> calls, should be extended to make the same check against http(s) calls, and
> allow them without whitelist comparison for requests that originate outside
> of any registered CDVViewController instances.
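The scoping proposed in the issue description above, shown as an added Objective-C example; it is not Cordova's code and not the fix that shipped. It assumes ARC and that the web view of each registered hybrid view controller ends its User-Agent header with a registered token; `ScopedWhitelistProtocol`, `registerOwnerToken:`, the token scheme and the sample host are hypothetical.

```objective-c
#import <Foundation/Foundation.h>

// Added illustration; all names are hypothetical, none is Cordova's. Assumes ARC.
// Assumption: a hybrid view controller's web view ends its User-Agent with a
// registered token; web views outside the registry carry no such token.
static NSMutableSet *gOwnerTokens;  // tokens of registered controllers
static NSSet *gAllowedHosts;        // constructed sample whitelist

@interface ScopedWhitelistProtocol : NSURLProtocol
+ (void)registerOwnerToken:(NSString *)token;
@end

@implementation ScopedWhitelistProtocol
+ (void)initialize {
    if (self != [ScopedWhitelistProtocol class]) return;
    gOwnerTokens = [NSMutableSet set];
    gAllowedHosts = [NSSet setWithObject:@"api.example.com"];
}
+ (void)registerOwnerToken:(NSString *)token {
    @synchronized (gOwnerTokens) { [gOwnerTokens addObject:token]; }
}

// YES only when the request carries the token of a registered controller.
+ (BOOL)requestIsOwned:(NSURLRequest *)request {
    NSString *ua = [request valueForHTTPHeaderField:@"User-Agent"];
    @synchronized (gOwnerTokens) {
        for (NSString *token in gOwnerTokens) {
            if ([ua hasSuffix:token]) return YES;
        }
    }
    return NO;
}

// Claim a request only in order to fail it: http(s), owned, host not whitelisted.
+ (BOOL)canInitWithRequest:(NSURLRequest *)request {
    NSString *scheme = [[[request URL] scheme] lowercaseString];
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return NO;
    if (![self requestIsOwned:request]) return NO;  // outside the registry: default loader
    NSString *host = [[[request URL] host] lowercaseString];
    return host == nil || ![gAllowedHosts containsObject:host];
}
+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request { return request; }

- (void)startLoading {
    NSError *err = [NSError errorWithDomain:NSURLErrorDomain code:NSURLErrorResourceUnavailable userInfo:nil];
    [[self client] URLProtocol:self didFailWithError:err];
}
- (void)stopLoading {}
@end
```

The class takes effect once passed to `[NSURLProtocol registerClass:]`. Any request from a hybrid view that arrives without its token is treated as unowned and skips the whitelist, so the tagging has to be verified for every request type the hybrid view can issue.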