[ 
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502029#comment-13502029
 ] 

Andrew Grieve commented on CB-1695:
-----------------------------------

Shaz - I'm a bit worried that this change will slow down the initial app start 
(having to load an extra webview in serial). Did you measure this?

I'm not sure I know a better way, but thought it's worth discussion at least :)

One option:
First CDVWebView - have no UA change
Other UIWebView - append "non-CDV" to the UA by leaving NSUserDefaults set. 
Subsequent CDVWebViews - have GUID appended (or have them with no UA change, 
but GUID appended would allow per-webview whitelists)

-This won't work unless the Cordova webview is the first webview to be created. 
-Perhaps there's a way to detect if the app has created its own UIWebView 
before starting a Cordova one?
-E.g. Could go back to requiring the URLProtocol to be registered on app 
start-up so that it can look for Safari-like UAs passing by.


Another option:
Have only CDVWebViews have a modified UA, and just cache the UA in our own 
NSUserDefaults key. 
-This means slow start at first, but at least faster for other launches
-We'll have to invalidate this cached value if the UA ever changes... For OS 
upgrades for sure, but maybe also for locale changes?


Another option:
-Maybe there isn't a speed problem :)



One other thing I'm thinking about though - Requests made by plugins.
-1: We can: have plugins set the user-agent to the WebView's
-2: Have plugins explicitly check the whitelist before sending requests.

1: might be safer if we're worried about having the whitelist apply to 
redirects as well.


                
> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view 
> controllers/requests
> -----------------------------------------------------------------------------------------
>
>                 Key: CB-1695
>                 URL: https://issues.apache.org/jira/browse/CB-1695
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 2.2.0
>         Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit 
> ef67dcf7bce56c69299bb89ab16c1803d0edd895
>            Reporter: Kevin Hawkins
>            Assignee: Shazron Abdullah
>             Fix For: 2.3.0
>
>
> Registered NSURLProtocol objects respond to NSURLRequests across an 
> application.  As such, CDVURLProtocol handles all requests that would pass 
> through any UIWebView in the application, and applies Cordova's whitelist 
> rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is 
> only one component of the app.  Consider the case where I have my own 
> UIWebView (think ChildBrowser), and I want to load arbitrary web content.  
> This web content has no access to the Cordova sandbox on the device, and as 
> such should not be subject to the security restrictions that limit requests 
> to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view 
> controller against the global CDVViewController registry, for /!gap_exec 
> calls, should be extended to make the same check against http(s) calls, and 
> allow them without whitelist comparison for requests that originate outside 
> of any registered CDVViewController instances.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
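
The per-webview whitelist idea from the comment above, as an added example that is not part of the original message and is not Cordova's code: an NSURLProtocol subclass reads a token from each request's User-Agent and applies the whitelist only to requests that carry one. The class name `ExampleTaggedURLProtocol`, the ` CDV/` marker and `registerToken:allowedHosts:` are hypothetical, and host matching is exact-match only for brevity.

```objc
#import <Foundation/Foundation.h>

// Hypothetical marker appended to a Cordova webview's User-Agent: " CDV/<GUID>".
static NSString *const kExampleUAMarker = @" CDV/";
// GUID token -> NSArray of allowed lowercase host names (one whitelist per webview).
static NSMutableDictionary *gWhitelistsByToken;

@interface ExampleTaggedURLProtocol : NSURLProtocol
+ (void)registerToken:(NSString *)token allowedHosts:(NSArray *)hosts;
@end

@implementation ExampleTaggedURLProtocol

+ (void)registerToken:(NSString *)token allowedHosts:(NSArray *)hosts {
    @synchronized(self) {
        if (!gWhitelistsByToken) gWhitelistsByToken = [NSMutableDictionary dictionary];
        gWhitelistsByToken[token] = [hosts copy];
    }
}

// Returns the token that follows the marker, or nil when the UA is absent or untagged.
+ (NSString *)tokenFromRequest:(NSURLRequest *)request {
    NSString *ua = [request valueForHTTPHeaderField:@"User-Agent"];
    if (ua == nil) return nil;
    NSRange r = [ua rangeOfString:kExampleUAMarker options:NSBackwardsSearch];
    return r.location == NSNotFound ? nil : [ua substringFromIndex:NSMaxRange(r)];
}

// Claim a request only in order to fail it; everything else loads normally.
+ (BOOL)canInitWithRequest:(NSURLRequest *)request {
    NSString *scheme = [[request.URL scheme] lowercaseString];
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return NO;
    NSString *token = [self tokenFromRequest:request];
    // Untagged: the app's own UIWebView, or a plugin request that did not copy the UA.
    if (token == nil) return NO;
    NSArray *hosts;
    @synchronized(self) { hosts = gWhitelistsByToken[token]; }
    // Unknown token fails closed; known token is blocked unless the host is listed.
    return hosts == nil || ![hosts containsObject:[[request.URL host] lowercaseString]];
}

+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request { return request; }

- (void)startLoading {
    NSError *err = [NSError errorWithDomain:NSURLErrorDomain
                                       code:NSURLErrorResourceUnavailable userInfo:nil];
    [self.client URLProtocol:self didFailWithError:err];
}
- (void)stopLoading {}
@end
```

The `token == nil` branch is where plugin-originated requests fall through unless the plugin sets the webview's User-Agent or checks the whitelist itself, which is the gap the comment's last two points address.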
