[ https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13495898#comment-13495898 ]
Andrew Grieve commented on CB-1695:
-----------------------------------

Here's some confirmation that the User-Agent idea will work :)
http://stackoverflow.com/questions/12180224/unique-tab-id-appended-to-user-agent-string-in-chrome-for-ios

I was concerned about not being able to append to the UA, but I think what we can do is leave the main Cordova UIWebView's UA untouched, and then scrape the UA from it.

> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view
> controllers/requests
> -----------------------------------------------------------------------------------------
>
> Key: CB-1695
> URL: https://issues.apache.org/jira/browse/CB-1695
> Project: Apache Cordova
> Issue Type: Bug
> Components: iOS
> Affects Versions: 2.2.0
> Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit
> ef67dcf7bce56c69299bb89ab16c1803d0edd895
> Reporter: Kevin Hawkins
> Assignee: Shazron Abdullah
> Fix For: 2.3.0
>
>
> Registered NSURLProtocol objects respond to NSURLRequests across an
> application. As such, CDVURLProtocol handles all requests that would pass
> through any UIWebView in the application, and applies Cordova's whitelist
> rules accordingly to each http(s) request.
>
> This is an unreasonable overreach of authority, in an app where Cordova is
> only one component of the app. Consider the case where I have my own
> UIWebView (think ChildBrowser), and I want to load arbitrary web content.
> This web content has no access to the Cordova sandbox on the device, and as
> such should not be subject to the security restrictions that limit requests
> to whitelisted/trusted hosts.
>
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view
> controller against the global CDVViewController registry, for /!gap_exec
> calls, should be extended to make the same check against http(s) calls, and
> allow them without whitelist comparison for requests that originate outside
> of any registered CDVViewController instances.