Since I can open a file:// resource that contains http:// pages, the restriction should not be based on what the IAB was opened with, but what it is currently open with.
example: open file://index.html (contains a link to http://badplace.org) click the link (now at http://badplace.org) reference some arbitrary file:// resource On Thu, Aug 29, 2013 at 10:14 AM, Andrew Grieve <agri...@chromium.org>wrote: > How about enabling the setting when the IAB is opened with a file:/// URL? > I think the security concern would come when it's opened with a malicious > http:/// URL that then navigated to a file:/// URL. > > > On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <marcus.prid...@sap.com > >wrote: > > > Fair enough. How about adding the following option on Android? > > > > allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running > in > > the context of a file scheme to be allowed to access content from any > > origin. > > > > Eg. > > window.open('iab.html', '_blank', > > 'location=no,toolbar=no,allowuniversalaccessfromfile =yes'); > > > > > > > > On 8/27/13 10:57 AM, "Ian Clelland" <iclell...@chromium.org> wrote: > > > > >This looks like a direct port of cordova-android commit #07439ff9 to > > >InAppBrowser. > > > > > >The actual setting controls whether file:///* urls are allowed to > execute > > >JavaScript from any context; it is usually false for browsers (at least > > >Chrome) for security reasons. We turn it on for the main Cordova > WebView, > > >since (presumably) the developer has full control over what URLs can be > > >loaded into that space. InAppBrowser is meant to be more like a regular > > >browser view, (i.e. no Cordova APIs), so we haven't chosen to open that > > >up. > > > > > >There is probably a good case to be made for allowing this -- certainly > > >not > > >as the default setting, but as an option that the app can set in > specific > > >cases when it knows that the IAB is only going to be used for local > > >content, and won't be executing arbitrary scripts. > > > > > >Ian > > > > > > > > >On Mon, Aug 26, 2013 at 10:56 PM, Shazron <shaz...@gmail.com> wrote: > > > > > >> I'll let the Android devs comment on this more - seems like an easy > > >>patch > > >> but the question is more of a policy thing, whether we want it in > there > > >>at > > >> all. If anything, it would be an InAppBrowser option. > > >> > > >> > > >> On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <ra.se...@sap.com> > wrote: > > >> > > >> > Hi All, > > >> > > > >> > We ran into this issue with the InAppBrowser with local URLs, > happens > > >>on > > >> > JellyBean only. > > >> > > > >> > > > >> > https://issues.apache.org/jira/browse/CB-4083 > > >> > > > >> > > > >> > The fix is suggested in the comments if @Shazron or others can take > a > > >> > look. > > >> > > > >> > > > >> > So far we have been patching it on our side and would like customers > > >>to > > >> > use the default Cordova plugin. > > >> > > > >> > Thanks > > >> > > > >> > Raman > > >> > > > >> > > > >> > > > > >
