On Thu, Dec 5, 2013 at 6:07 AM, <[email protected]> wrote:

> Hi,
>
> I think that this code is wrong:
>
> https://github.com/apache/cordova-android/blob/master/framework/src/org/apache/cordova/Whitelist.java#L133
>
> If the scheme is null then the scheme of the UrlPattern should be null.
> The UrlPattern class is coded to handle scheme==null as allow access.
>
> I think that a missing scheme should be handled as "*://host/path" NOT as
> "http://host/path || https://host/path".
>

FWIW, I agree that it's inconsistent with the way that the wildcards are
implemented.

That logic was present in cordova-android long before I got around to
rewriting the whitelist earlier this year. I left it in so as not to change
the behaviour for existing apps that just have "example.com" in their
whitelist.



>
> In reality this does not make much difference though...
>
> -Axel
>
> Another thing: The definition of the W3C Widget element's access
> definition is that if port is missing the default port of the scheme must
> be used.
> I think that the UrlPattern matcher should know about default ports for
> well known schemes...
>

http://developer.chrome.com/apps/match_patterns.html is what the current
whitelist is modeled on (with a couple of exceptions for backwards
compatibility). There's nothing specific in that page about ports, though.

I think you may be right -- if the user whitelists "http://example.com/*",
he probably isn't intending http://example.com:25/ to be accessible, but
http://example.com:80/ should be.

In that case, "*://example.com/*" should match all ports, unless restricted
like "*://example.com:123/*"

Ian
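
The port rules proposed in this thread, written out as an added example that is not part of the original messages and is not Cordova's Whitelist.java: a pattern with an explicit scheme and no port matches only that scheme's default port, while "*://host/*" or a bare host matches every port unless the pattern names one. The class name PortAwarePattern and the default-port table are assumptions made for the illustration, and path, host-wildcard and IPv6 handling are left out.

```java
import java.net.URI;
import java.util.Map;

// Hypothetical matcher, not Cordova's Whitelist.java: it implements the
// port semantics proposed in this thread so they can be checked on samples.
public class PortAwarePattern {
    private static final Map<String, Integer> DEFAULT_PORTS = Map.of("http", 80, "https", 443);

    private final String scheme; // null = any scheme ("*" or scheme omitted)
    private final String host;
    private final int port;      // -1 = no port written in the pattern

    public PortAwarePattern(String pattern) {
        int sep = pattern.indexOf("://");
        String s = sep < 0 ? "*" : pattern.substring(0, sep).toLowerCase();
        String rest = sep < 0 ? pattern : pattern.substring(sep + 3);
        int slash = rest.indexOf('/');
        String authority = slash < 0 ? rest : rest.substring(0, slash);
        int colon = authority.lastIndexOf(':');
        scheme = s.equals("*") ? null : s;
        host = (colon < 0 ? authority : authority.substring(0, colon)).toLowerCase();
        port = colon < 0 ? -1 : Integer.parseInt(authority.substring(colon + 1));
    }

    public boolean matches(String url) {
        URI u = URI.create(url);
        if (u.getScheme() == null || u.getHost() == null) return false;
        String urlScheme = u.getScheme().toLowerCase();
        if (scheme != null && !scheme.equals(urlScheme)) return false;
        if (!host.equals(u.getHost().toLowerCase())) return false;
        // Effective port of the URL: the explicit one, else the scheme default.
        int urlPort = u.getPort() != -1 ? u.getPort() : DEFAULT_PORTS.getOrDefault(urlScheme, -1);
        if (port != -1) return port == urlPort;   // pattern restricts the port
        if (scheme == null) return true;          // "*://host/*": all ports
        // Explicit scheme, no port in the pattern: only that scheme's default port.
        return urlPort == DEFAULT_PORTS.getOrDefault(scheme, -1);
    }

    public static void main(String[] args) {
        // Constructed sample patterns and URLs taken from the thread's discussion.
        String[] patterns = {"http://example.com/*", "*://example.com/*", "*://example.com:123/*", "example.com"};
        String[] urls = {"http://example.com/", "http://example.com:80/", "http://example.com:25/", "https://example.com:123/"};
        for (String p : patterns)
            for (String url : urls)
                System.out.printf("%-24s %-26s %b%n", p, url, new PortAwarePattern(p).matches(url));
    }
}
```

Schemes missing from the default-port table match only URLs that carry no explicit port, so a real implementation would need an entry for every scheme it whitelists.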
