[ 
https://issues.apache.org/jira/browse/CB-3576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13867160#comment-13867160
 ] 

Marcel Kinard commented on CB-3576:
-----------------------------------

I had a reason to review this today for someone else who was asking for it in 
CordovaWebView and who was using Cordova 2.6. On Android, using debuggable="true" 
in AndroidManifest.xml will silently enable self-signed certs in the 
CordovaWebView. This allows devs to use self-signed certs before production. 
(Not sure if the other platforms have something similar.) If this request is to 
get InAppBrowser to have the same behavior, then that sounds reasonable. I 
don't see an implementation of onReceivedSslError() in Android's InAppBrowser.

However if the request is to have a config that causes the webviews to silently 
accept all self-signed certs in production, I don't think that is reasonable. 
Otherwise we would be giving you ammunition to shoot yourself in the foot, and 
parts that are further up.

I understand this comes up frequently in enterprises. I live everyday in a 
large enterprise with a huge intranet. IMHO, if the network is trusted then 
just use http. If the network isn't trusted, then using a self-signed cert 
opens you up to man-in-the-middle attacks, in which case the communication 
isn't secure - it's a misleading use of SSL. If you are serious about security, 
spending around US$500 on a CA-signed cert is part of the cost of going into 
production.

Andrew's suggestion above about using an interstitial for user confirmation 
(non-silent) of self-signed certs to get PC-browser-like behavior may be 
reasonable. Anything more silent than that I don't think is reasonable. So I 
will change the title of this Jira item to "interstitial". Otherwise I'd be 
tempted to close this as "won't implement". I will also open a new related Jira 
item to add the same non-production behavior to InAppBrowser as exists in 
CordovaWebView.

> Add support for self-signed SSL certificates in InAppBrowser
> -----------------------------------------------------------
>
>                 Key: CB-3576
>                 URL: https://issues.apache.org/jira/browse/CB-3576
>             Project: Apache Cordova
>          Issue Type: Improvement
>          Components: Android, iOS, Plugin InAppBrowser
>    Affects Versions: 2.7.0, 2.8.0
>         Environment: Android and iOS
>            Reporter: Montyleena
>            Priority: Minor
>              Labels: android, https, inappbrowser, ios, ssl
>         Attachments: InAppBrowser.java
>
>
> Local https links are blocked by default in InAppBrowser (links using a local 
> SSL certificate which can't be verified by a 3rd party). Ideally, the user should 
> be given an option to proceed or cancel the request like the default 
> desktop/mobile browsers do. 
> Right now, we have to overwrite the following API in Android to access such 
> URLs but onReceivedSslError() function gets called only for the main PhoneGap 
> window browser and not for InAppBrowser.
> Create a new class:
> import android.net.http.SslError;
> import android.util.Log;
> import android.webkit.SslErrorHandler;
> import android.webkit.WebView;
> import org.apache.cordova.CordovaWebViewClient;
> import org.apache.cordova.DroidGap;
>
> public class CustomWebViewClient extends CordovaWebViewClient {
>
>     public static final String LOG_TAG = "Plugin";
>
>     public CustomWebViewClient(DroidGap ctx) {
>         super(ctx);
>         Log.d(LOG_TAG, "Constructor!");
>     }
>
>     // Accepts every SSL error (self-signed, expired, hostname mismatch) for the
>     // main Cordova web view; InAppBrowser does not consult this override.
>     @Override
>     public void onReceivedSslError(WebView view, SslErrorHandler handler,
>                                    SslError error) {
>         handler.proceed();
>     }
> }
> In the main class, we use our custom class as a web view client:
>     CordovaWebViewClient webViewClient = new CustomWebViewClient(this);
>     webViewClient.setWebView(this.appView);
>     this.appView.setWebViewClient(webViewClient);
> And similar type of code needs to be written for iOS.
> InAppBrowser should pick up the SSL settings from the main web view and once 
> we overwrite the onReceivedSslError() function, then it should allow such 
> URLs in the InAppBrowser too.
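The two policies discussed on this item, the debuggable-only acceptance that Marcel describes for CordovaWebView and the non-silent interstitial proposed for this Jira, combined in one Android WebViewClient. This is an added example, not Cordova's or the reporter's code: it extends the stock android.webkit.WebViewClient rather than CordovaWebViewClient so it does not depend on a particular Cordova release, and the class name, package, and dialog strings are assumptions. Unlike the reporter's CustomWebViewClient above, it never calls proceed() unconditionally: production builds always cancel, and debuggable builds show the user what failed and make them choose.

```java
package com.example.sslinterstitial; // hypothetical package for this example

import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.DialogInterface;
import android.content.pm.ApplicationInfo;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example (not Cordova code). SSL-error policy:
 *  - production builds (android:debuggable="false"): always cancel;
 *  - debuggable builds: show a non-silent interstitial and let the user decide.
 *
 * Attach from an Activity with:
 *   webView.setWebViewClient(new InterstitialSslWebViewClient(this));
 */
public class InterstitialSslWebViewClient extends WebViewClient {

    private final Activity activity; // an Activity context is needed to show a dialog

    public InterstitialSslWebViewClient(Activity activity) {
        this.activity = activity;
    }

    /** True when android:debuggable="true" is set in AndroidManifest.xml. */
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Human-readable reason for the interstitial, from the primary SslError code. */
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:    return "not signed by a trusted CA (self-signed?)";
            case SslError.SSL_IDMISMATCH:   return "certificate name does not match the host";
            case SslError.SSL_EXPIRED:      return "certificate has expired";
            case SslError.SSL_NOTYETVALID:  return "certificate is not yet valid";
            case SslError.SSL_DATE_INVALID: return "certificate date is invalid";
            default: return "validation failed (code " + error.getPrimaryError() + ")";
        }
    }

    @Override
    public void onReceivedSslError(final WebView view, final SslErrorHandler handler,
                                   final SslError error) {
        if (!isDebuggable(activity)) {
            // Production: an unverifiable certificate is a possible MITM, not a nuisance.
            // Cancelling here matches what WebViewClient does when not overridden.
            handler.cancel();
            return;
        }

        // Debuggable build: describe the failure and require an explicit choice.
        SslCertificate cert = error.getCertificate();
        String subject = (cert != null && cert.getIssuedTo() != null)
                ? cert.getIssuedTo().getCName() : "unknown";
        String message = "URL: " + error.getUrl()
                + "\nSubject: " + subject
                + "\nProblem: " + describe(error)
                + "\n\nThis build is debuggable. Proceed anyway?";

        new AlertDialog.Builder(activity)
                .setTitle("Untrusted SSL certificate")
                .setMessage(message)
                .setCancelable(false) // dismissing without a choice would leave the load hanging
                .setPositiveButton("Proceed (unsafe)", new DialogInterface.OnClickListener() {
                    public void onClick(DialogInterface d, int which) { handler.proceed(); }
                })
                .setNegativeButton("Cancel", new DialogInterface.OnClickListener() {
                    public void onClick(DialogInterface d, int which) { handler.cancel(); }
                })
                .show();
    }
}
```

The decision is made per error and is not remembered, so a self-signed intranet host will prompt on every failed handshake in a debug build; that friction is deliberate, since the whole point of the interstitial is that acceptance is never silent. Because the production path is a plain cancel(), shipping this client gives exactly the same behaviour as shipping no override at all.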



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)