Yeah, that does sound messed up :S. Perhaps IAB should be restricted to network & intent whitelists? With CSP, our basic guidance is to allow full network access and restrict via CSP anyways.

On Fri, Apr 24, 2015 at 7:48 PM, Joe Bowser <bows...@gmail.com> wrote:
> So, since we make this Category.BROWSABLE, we can safely say that this is
> working as intended and close it? :P
>
> I disagree about not restricting it to the intent whitelist, because that
> sounds messed up that we wouldn't let an app, with the trusted content run
> an intent, but we'd let untrusted content run one.
>
> On Fri, Apr 24, 2015 at 4:38 PM Andrew Grieve <agri...@chromium.org> wrote:
>
> > The browser allows any intents, but attaches Category.BROWSABLE to the
> > intents, which is supposed to make them safe.
> > We don't restrict the IAB to the network whitelist, so it follows (maybe?)
> > that we wouldn't restrict it to the intent whitelist.
> >
> > On Fri, Apr 24, 2015 at 6:06 PM, Jesse <purplecabb...@gmail.com> wrote:
> >
> > > What does the browser do? That's what the InAppBrowser should do ...
> > >
> > > It may also make sense to allow the host cordova app to decide whether
> > > or not to allow it.
> > > Presumably the host app could allow all intents, but not want to extend
> > > that to its InAppBrowser control, or allow some intents for some domains
> > > ... based on their own logic ...
> > > Ideally, I think this should be a user problem, i.e. give the app
> > > developer a chance to intercept the request, and if they don't just
> > > perform the default browser behaviour.
> > >
> > > @purplecabbage
> > > risingj.com
> > >
> > > On Fri, Apr 24, 2015 at 2:34 PM, Joe Bowser <bows...@gmail.com> wrote:
> > >
> > > > Hey
> > > >
> > > > I was looking at CB-8180, and I'm wondering what the correct behaviour
> > > > for intents being launched from URIs should be for an InAppBrowser.
> > > > Should these have free rein to open whatever, or should they also be
> > > > bound by the rules of the whitelist?
> > > >
> > > > What do people think?
> > > >
> > > > Joe