[ https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502029#comment-13502029 ]
Andrew Grieve commented on CB-1695:
-----------------------------------

Shaz - I'm a bit worried that this change will slow down the initial app start (having to load an extra webview in serial). Did you measure this?

I'm not sure I know a better way, but thought it's worth discussion at least :)

One option:
First CDVWebView - have no UA change
Other UIWebView - append "non-CDV" to the UA by leaving NSUserDefaults set.
Subsequent CDVWebViews - have GUID appended (or have them with no UA change, but GUID appended would allow per-webview whitelists)
-This won't work unless the Cordova webview is the first webview to be created.
-Perhaps there's a way to detect if the app has created its own UIWebView before starting a Cordova one?
-E.g. Could go back to requiring the URLProtocol to be registered on app start-up so that it can look for Safari-like UAs passing by.

Another option:
Have only CDVWebViews have a modified UA, and just cache the UA in our own NSUserDefaults key.
-This means slow start at first, but at least faster for other launches
-We'll have to invalidate this cached value if the UA ever changes... For OS upgrades for sure, but maybe also for locale changes?

Another option:
-Maybe there isn't a speed problem :)

One other thing I'm thinking about though - Requests made by plugins.
-1: We can: have plugins set the user-agent to the WebView's
-2: Have plugins explicitly check the whitelist before sending requests.
1: might be safer if we're worried about having the whitelist apply to redirects as well.

> [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests
> -----------------------------------------------------------------------------------------
>
> Key: CB-1695
> URL: https://issues.apache.org/jira/browse/CB-1695
> Project: Apache Cordova
> Issue Type: Bug
> Components: iOS
> Affects Versions: 2.2.0
> Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit ef67dcf7bce56c69299bb89ab16c1803d0edd895
> Reporter: Kevin Hawkins
> Assignee: Shazron Abdullah
> Fix For: 2.3.0
>
>
> Registered NSURLProtocol objects respond to NSURLRequests across an application. As such, CDVURLProtocol handles all requests that would pass through any UIWebView in the application, and applies Cordova's whitelist rules accordingly to each http(s) request.
> This is an unreasonable overreach of authority, in an app where Cordova is only one component of the app. Consider the case where I have my own UIWebView (think ChildBrowser), and I want to load arbitrary web content. This web content has no access to the Cordova sandbox on the device, and as such should not be subject to the security restrictions that limit requests to whitelisted/trusted hosts.
> The logic in [CDVURLProtocol canInitWithRequest:] that validates the view controller against the global CDVViewController registry, for /!gap_exec calls, should be extended to make the same check against http(s) calls, and allow them without whitelist comparison for requests that originate outside of any registered CDVViewController instances.
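
An added illustration of the GUID-in-User-Agent option discussed in this message (not code from Cordova or from the participants): a decision function of the kind a global URL protocol could call, which lets requests from untagged webviews pass through and applies a per-webview whitelist to tagged ones. The `(CDV/<guid>)` tag format, the registry contents and all function names are assumptions made for the example.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical tag appended to the User-Agent of Cordova-owned webviews:
// "<normal UA> (CDV/<guid>)". The format and all names here are assumptions.
static NSString *const kTag = @"(CDV/";

// Constructed registry: webview GUID -> hosts that webview may load.
static NSDictionary *Whitelists(void) {
    return @{ @"3F2A-0001": @[ @"example.org", @"api.example.org" ] };
}

// GUID carried in the User-Agent, or nil for requests from untagged webviews.
static NSString *WebViewGUID(NSURLRequest *request) {
    NSString *ua = [request valueForHTTPHeaderField:@"User-Agent"];
    if (ua == nil) return nil;
    NSRange tag = [ua rangeOfString:kTag options:NSBackwardsSearch];
    if (tag.location == NSNotFound) return nil;
    NSUInteger from = NSMaxRange(tag);
    NSRange close = [ua rangeOfString:@")" options:0
                                range:NSMakeRange(from, ua.length - from)];
    if (close.location == NSNotFound) return nil;
    return [ua substringWithRange:NSMakeRange(from, close.location - from)];
}

// Untagged requests are not Cordova's to police; tagged ones fail closed.
static NSString *Decide(NSURLRequest *request) {
    NSString *guid = WebViewGUID(request);
    if (guid == nil) return @"pass-through";
    NSArray *hosts = Whitelists()[guid];      // nil for an unknown GUID
    NSString *host = request.URL.host.lowercaseString;
    return (host != nil && [hosts containsObject:host]) ? @"allow" : @"block";
}

int main(void) {
    @autoreleasepool {
        NSArray *cases = @[   // constructed sample requests: [User-Agent, URL]
            @[ @"Mozilla/5.0 (iPhone) (CDV/3F2A-0001)", @"https://API.example.org/v1" ],
            @[ @"Mozilla/5.0 (iPhone) (CDV/3F2A-0001)", @"https://other.test/" ],
            @[ @"Mozilla/5.0 (iPhone) (CDV/FFFF-9999)", @"https://example.org/" ],
            @[ @"Mozilla/5.0 (iPhone)",                 @"https://other.test/" ]
        ];
        for (NSArray *c in cases) {
            NSMutableURLRequest *r =
                [NSMutableURLRequest requestWithURL:[NSURL URLWithString:c[1]]];
            [r setValue:c[0] forHTTPHeaderField:@"User-Agent"];
            NSLog(@"%@ | %@ -> %@", c[0], c[1], Decide(r));
        }
    }
    return 0;
}
```

The four constructed requests log allow, block, block and pass-through in that order: a tagged request with an unregistered GUID is blocked rather than treated as an untagged one.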