Why the js callback and not just the static white-list? the js callback allows someone to change the security rules at runtime which could be a hole I suppose.
On Tue, Jul 23, 2013 at 12:26 PM, Andrew Grieve <[email protected]>wrote: > https://issues.apache.org/jira/browse/CB-3576 > > There are pulls request for adding to iOS & Android that add: > > window.open(url, '_blank', 'location=yes,validatessl=no'); > > > Given that this is security-related though, I wanted to get more eyes on > it. Other proposals are to have each questionable cert go through a JS > callback: > > var iab = window.open(...); > iab.onSSLError = function(url) { > return !!/^https://myalloweddomain.com\//.exec(url); > }; > > Or to add a white-list to your config.xml for allowed self-signed https: > addresses. > > If your app is not going to validate ssl certs, then perhaps restricting > the scope of it isn't really increasing security anyways. It's certainly > useful for development to be able to turn it off, but maybe for that reason > we should turn it off globally with a <preference> tag? > > Thoughts? Willingness from other platforms? >
