cordova.js goes in your <head>. I don't see how an iframe could get loaded before it.
On Fri, Jan 31, 2014 at 2:08 PM, Martin Georgiev <[email protected]> wrote:

> On Fri, Jan 31, 2014 at 1:01 PM, Andrew Grieve <[email protected]> wrote:
> > I don't think there's a chicken and egg problem:
> > State 0 - Native has no token, JS has no token
> > State 1 - JS in main frame includes cordova.js
> > State 2 - JS in main frame generates a token, and provides it to native
> > State 3 - Native, not already having a token, accepts it and saves it.
> >
> > Now both JS and native have the same token in memory without needing to go through localstorage.
>
> I read the above as:
>
> State 0 - Native has no token, JS has no token
> State 1 - JS in iframe includes a modified cordova.js
> State 2 - JS in iframe generates a token, and provides it to native.
> State 2' - Due to frame confusion in some configurations the token is visible to anyone.
> State 3 - Native, not already having a token, accepts it and saves it.
>
> Now both JS (both originator and attacker, and pretty much anyone who wanted it) and native have the same token in memory without needing to go through localstorage.
