On Thu, Aug 29, 2013 at 10:31 AM, David Kemp <drk...@google.com> wrote:
> Since I can open a file:// resource that contains http:// pages, the
> restriction should not be based on what the IAB was opened with, but what
> it is currently open with.
>
> example:
> open file://index.html (contains a link to http://badplace.org)
> click the link (now at http://badplace.org)
> reference some arbitrary file:// resource
> That should still fail.

I believe that the Android WebView setting only comes into effect when the
source of the request is a file:/// URL. Automatically setting it based on the
original URL is an interesting idea. I think, though, that there are probably
use cases for opening an IAB on a file:/// URL where you *shouldn't* by default
allow access to everything. Maybe the application is caching resources for
offline use, which aren't necessarily trusted.

I'm in favour of adding an option to window.open.
"allowuniversalaccessfromfile=yes" is a bit wordy, though, and looks *very*
android-specific.

Ian

>
> On Thu, Aug 29, 2013 at 10:14 AM, Andrew Grieve <agri...@chromium.org> wrote:
>
> > How about enabling the setting when the IAB is opened with a file:/// URL?
> > I think the security concern would come when it's opened with a malicious
> > http:/// URL that then navigated to a file:/// URL.
> >
> >
> > On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <marcus.prid...@sap.com> wrote:
> >
> > > Fair enough. How about adding the following option on Android?
> > >
> > > allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running
> > > in the context of a file scheme to be allowed to access content from any
> > > origin.
> > >
> > > Eg.
> > > window.open('iab.html', '_blank',
> > >   'location=no,toolbar=no,allowuniversalaccessfromfile=yes');
> > >
> > >
> > > On 8/27/13 10:57 AM, "Ian Clelland" <iclell...@chromium.org> wrote:
> > >
> > > > This looks like a direct port of cordova-android commit #07439ff9 to
> > > > InAppBrowser.
> > > >
> > > > The actual setting controls whether file:///* urls are allowed to
> > > > execute JavaScript from any context; it is usually false for browsers
> > > > (at least Chrome) for security reasons. We turn it on for the main
> > > > Cordova WebView, since (presumably) the developer has full control over
> > > > what URLs can be loaded into that space. InAppBrowser is meant to be
> > > > more like a regular browser view, (i.e. no Cordova APIs), so we haven't
> > > > chosen to open that up.
> > > >
> > > > There is probably a good case to be made for allowing this -- certainly
> > > > not as the default setting, but as an option that the app can set in
> > > > specific cases when it knows that the IAB is only going to be used for
> > > > local content, and won't be executing arbitrary scripts.
> > > >
> > > > Ian
> > > >
> > > >
> > > > On Mon, Aug 26, 2013 at 10:56 PM, Shazron <shaz...@gmail.com> wrote:
> > > >
> > > > > I'll let the Android devs comment on this more - seems like an easy
> > > > > patch but the question is more of a policy thing, whether we want it
> > > > > in there at all. If anything, it would be an InAppBrowser option.
> > > > >
> > > > >
> > > > > On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <ra.se...@sap.com> wrote:
> > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > We ran into this issue with the InAppBrowser with local URLs,
> > > > > > happens on JellyBean only.
> > > > > >
> > > > > > https://issues.apache.org/jira/browse/CB-4083
> > > > > >
> > > > > > The fix is suggested in the comments if @Shazron or others can
> > > > > > take a look.
> > > > > >
> > > > > > So far we have been patching it on our side and would like
> > > > > > customers to use the default Cordova plugin.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > Raman
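The access policy the thread is debating, as an added example that is not part of the original thread or of the Cordova InAppBrowser plugin: a parser for the comma-separated feature string Marcus proposes passing to window.open, plus a model of the rule Ian states (the universal-access setting only matters when the requesting page is itself a file:/// URL), walked through David's scenario. It assumes Jelly Bean's default of treating each local file as its own origin, and the file:///www/... URLs are constructed; the Android WebView's real decision code is not reproduced.

```javascript
// Added example, not Cordova or Android code: a model of the policy discussed.

// Parse an InAppBrowser-style feature string such as
// 'location=no,toolbar=no,allowuniversalaccessfromfile=yes' into a map.
// Whitespace around keys and values is ignored.
function parseFeatures(featureString) {
  const features = {};
  for (const pair of featureString.split(',')) {
    const [key, value] = pair.split('=').map((s) => s.trim().toLowerCase());
    if (key && value !== undefined) features[key] = value;
  }
  return features;
}

// Origin key for a URL. WHATWG URL reports "null" as the origin of every
// file: URL, which would make two unrelated local files look same-origin,
// so file: URLs are keyed by path (assumption: the Jelly Bean default).
function originKey(url) {
  const u = new URL(url);
  return u.protocol === 'file:' ? `file:${u.pathname}` : u.origin;
}

// May JavaScript running in requesterUrl read targetUrl?
function requestAllowed(requesterUrl, targetUrl, features) {
  if (originKey(requesterUrl) === originKey(targetUrl)) return true;
  const requester = new URL(requesterUrl);
  // An http(s) page gets the ordinary same-origin policy and can never
  // read local content, whatever the IAB was originally opened with.
  if (requester.protocol !== 'file:') return false;
  // A file:// page reads other origins only when the proposed option is set.
  return (features.allowuniversalaccessfromfile || 'no') === 'yes';
}

// David's scenario: IAB opened on a local page, the user follows a link to a
// remote site, and that site then tries to reach back into a local file.
function davidsScenario(featureString) {
  const features = parseFeatures(featureString);
  return {
    // local page loading a sibling local resource (the CB-4083 case)
    localToLocal: requestAllowed('file:///www/index.html', 'file:///www/data.json', features),
    // after navigation to the remote site, it requests a local file
    remoteToLocal: requestAllowed('http://badplace.org/', 'file:///www/data.json', features),
  };
}
```

With the option off, the local-to-local read fails (the Jelly Bean symptom); with it on, that read succeeds while the remote page's attempt to read a local file is still refused.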