[ https://issues.apache.org/jira/browse/CB-2099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13782045#comment-13782045 ]

Joe Bowser commented on CB-2099:
--------------------------------

Ignore that part of the bug, that's actually working as intended.

The bug is that if you have an image tag or a script tag that references an 
external site that's not whitelisted, it should return an empty document.  
However, instead of doing this, it pulls the files that were not whitelisted.  
This means that on Android 2.3, if you insert a script tag in the app somehow, 
we don't have a way to stop that JS from being executed.  This is actually 
really important, since developers have to know to sanitize any inputs that 
will be rendered in the application.

> Android whitelisting only blocks documents, not resources
> ---------------------------------------------------------
>
>                 Key: CB-2099
>                 URL: https://issues.apache.org/jira/browse/CB-2099
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>    Affects Versions: 2.2.0
>            Reporter: manjula fernando
>            Assignee: Mike Sierra
>
> The Domain Whitelisting in Android works only for the href links, but not for 
> the embedded resources (images, javascripts). If a link is not whitelisted, it 
> gets opened in a new instance of the native browser rather than blocking it 
> completely. But in iOS it blocks all non-whitelisted domains. Please let me 
> know whether this is the expected behavior in whitelisting for Android? If 
> so, has this been identified as a known issue and is it planned to be fixed in 
> a future release? Appreciate your early response on this.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
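
The behaviour the comment asks for (an empty response for any non-whitelisted script or image), sketched as an added example that is not Cordova's own code. It relies on `WebViewClient.shouldInterceptRequest`, which exists only from API level 11 (Android 3.0) onward and so is not available on Android 2.3; the class name, the exact-host matching and the sample host are assumptions made for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical class, not part of Cordova: answers every non-allowlisted
// sub-resource request (script, img, css, iframe) with an empty body.
public class AllowlistWebViewClient extends WebViewClient {
    private final Set<String> allowedHosts = new HashSet<String>();

    // Hosts are matched exactly and case-insensitively, e.g. "api.example.com"
    // (constructed sample value). Wildcard patterns are left out of this sketch.
    public AllowlistWebViewClient(Set<String> hosts) {
        for (String h : hosts) allowedHosts.add(h.toLowerCase(Locale.US));
    }

    // Called by the WebView for each resource it is about to fetch (API 11+).
    // Returning null lets the WebView load the resource itself.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isAllowed(url)) return null;
        // Empty response: the blocked script or image resolves to zero bytes,
        // so nothing from the remote host is fetched or executed.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.US);
        if (scheme.equals("file")) return true;   // assets bundled with the app
        if (!scheme.equals("http") && !scheme.equals("https")) return false; // fail closed
        String host = uri.getHost();
        return host != null && allowedHosts.contains(host.toLowerCase(Locale.US));
    }
}
```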
