Thinking about x-platform, iOS always allows this (it has no toggle for
it). So maybe that should at least be the default? Is it actually unsafe in
any way to just turn this on always?


On Thu, Aug 29, 2013 at 11:38 AM, Ian Clelland <[email protected]> wrote:

> On Thu, Aug 29, 2013 at 10:31 AM, David Kemp <[email protected]> wrote:
>
> > Since I can open a file:// resource that contains http:// pages, the
> > restriction should not be based on what the IAB was opened with, but what
> > it is currently open with.
> >
> > example:
> > open file://index.html (contains a link to http://badplace.org)
> > click the link (now at http://badplace.org)
> > reference some arbitrary file:// resource
> >
>
> That should still fail; I believe that the Android WebView setting only
> comes into effect when the source of the request is a file:/// URL.
>
> Automatically setting it based on the original URL is an interesting idea.
> I think, though, that there are probably use cases for opening an IAB on a
> file:/// URL where you *shouldn't* by default allow access to everything.
> Maybe the application is caching resources for offline use, which aren't
> necessarily trusted.
>
> I'm in favour of adding an option to window.open.
> "allowuniversalaccessfromfile=yes"
> is a bit wordy, though, and looks *very* android-specific.
>
> Ian
>
> > On Thu, Aug 29, 2013 at 10:14 AM, Andrew Grieve <[email protected]> wrote:
> >
> > > How about enabling the setting when the IAB is opened with a file:/// URL?
> > > I think the security concern would come when it's opened with a malicious
> > > http:/// URL that then navigated to a file:/// URL.
> > >
> > > On Wed, Aug 28, 2013 at 12:24 PM, Pridham, Marcus <[email protected]> wrote:
> > >
> > > > Fair enough.  How about adding the following option on Android?
> > > >
> > > > allowuniversalaccessfromfile - set to 'yes' to allow JavaScript running in
> > > > the context of a file scheme to be allowed to access content from any
> > > > origin.
> > > >
> > > > Eg.
> > > > window.open('iab.html', '_blank',
> > > > 'location=no,toolbar=no,allowuniversalaccessfromfile =yes');
> > > >
> > > > On 8/27/13 10:57 AM, "Ian Clelland" <[email protected]> wrote:
> > > >
> > > > > This looks like a direct port of cordova-android commit #07439ff9 to
> > > > > InAppBrowser.
> > > > >
> > > > > The actual setting controls whether file:///* urls are allowed to execute
> > > > > JavaScript from any context; it is usually false for browsers (at least
> > > > > Chrome) for security reasons. We turn it on for the main Cordova WebView,
> > > > > since (presumably) the developer has full control over what URLs can be
> > > > > loaded into that space. InAppBrowser is meant to be more like a regular
> > > > > browser view, (i.e. no Cordova APIs), so we haven't chosen to open that
> > > > > up.
> > > > >
> > > > > There is probably a good case to be made for allowing this -- certainly not
> > > > > as the default setting, but as an option that the app can set in specific
> > > > > cases when it knows that the IAB is only going to be used for local
> > > > > content, and won't be executing arbitrary scripts.
> > > > >
> > > > > Ian
> > > > >
> > > > > On Mon, Aug 26, 2013 at 10:56 PM, Shazron <[email protected]> wrote:
> > > > >
> > > > > > I'll let the Android devs comment on this more - seems like an easy patch
> > > > > > but the question is more of a policy thing, whether we want it in there at
> > > > > > all. If anything, it would be an InAppBrowser option.
> > > > > >
> > > > > > On Tue, Aug 27, 2013 at 7:02 AM, Sethi, Raman <[email protected]> wrote:
> > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > We ran into this issue with the InAppBrowser with local URLs, happens on
> > > > > > > JellyBean only.
> > > > > > >
> > > > > > > https://issues.apache.org/jira/browse/CB-4083
> > > > > > >
> > > > > > > The fix is suggested in the comments if @Shazron or others can take a
> > > > > > > look.
> > > > > > >
> > > > > > > So far we have been patching it on our side and would like customers to
> > > > > > > use the default Cordova plugin.
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > Raman
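The policy the thread converges on (Marcus's opt-in `allowuniversalaccessfromfile=yes` feature, applied only when the IAB starts on a `file:///` URL as Andrew suggests, with the Android default of `false` kept otherwise) can be sketched as follows. This is an added illustration written for this thread, not code from cordova-android or the InAppBrowser plugin; the class and method names (`IabFileAccessPolicy`, `parseFeatures`, `shouldAllowUniversalAccess`, `configure`) are hypothetical, while `WebSettings.setAllowUniversalAccessFromFileURLs` and `setAllowFileAccessFromFileURLs` are the real Android WebView setters (API 16+) that the setting in question maps to.

```java
// Added illustration (not cordova-android or InAppBrowser code): grant
// file:/// pages universal access only when the app explicitly opted in
// via the proposed window.open feature AND the IAB's initial URL is local.
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class IabFileAccessPolicy {
    // Option name as proposed in the thread (hypothetical, not a shipped option).
    static final String OPTION = "allowuniversalaccessfromfile";

    // Parse a window.open feature string such as
    // "location=no,toolbar=no,allowuniversalaccessfromfile =yes".
    // Keys and values are trimmed and lower-cased so the stray space in the
    // thread's example still matches.
    static Map<String, String> parseFeatures(String features) {
        Map<String, String> out = new HashMap<>();
        if (features == null) return out;
        for (String pair : features.split(",")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String key = pair.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            String value = pair.substring(eq + 1).trim().toLowerCase(Locale.ROOT);
            out.put(key, value);
        }
        return out;
    }

    // The weak setting is only enabled when both conditions hold: the app
    // asked for it, and the window is being opened on a file:/// URL. An IAB
    // opened on an http(s) URL never gets it, regardless of the feature string.
    static boolean shouldAllowUniversalAccess(String initialUrl, Map<String, String> features) {
        boolean optedIn = "yes".equals(features.get(OPTION));
        boolean localStart = initialUrl != null
                && initialUrl.toLowerCase(Locale.ROOT).startsWith("file:///");
        return optedIn && localStart;
    }

    // Apply the decision to the WebView that will host the InAppBrowser.
    static void configure(WebView webView, String initialUrl, String featureString) {
        boolean allow = shouldAllowUniversalAccess(initialUrl, parseFeatures(featureString));
        WebSettings settings = webView.getSettings();
        // Secure default is false; set it explicitly either way so the value
        // does not depend on the platform's historical default.
        settings.setAllowUniversalAccessFromFileURLs(allow);
        // Keep file-to-file access on the same footing as universal access.
        settings.setAllowFileAccessFromFileURLs(allow);
    }
}
```

With this shape, David's scenario (open `file://index.html`, follow a link to an `http://` site) does not change the decision after the fact: the setting is computed once from the initial URL and the feature string, and the Android setting itself, as Ian notes, only applies to requests whose source is a `file:///` page.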
