[ https://issues.apache.org/jira/browse/CB-3576?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13867160#comment-13867160 ]
Marcel Kinard commented on CB-3576:
-----------------------------------

I had a reason to review this today for someone else that was asking for it in CordovaWebView who was using Cordova 2.6.

On Android, using debuggable="true" in AndroidManifest.xml will silently enable self-signed certs in the CordovaWebView. This allows devs to use self-signed certs before production. (Not sure if the other platforms have something similar.) If this request is to get InAppBrowser to have the same behavior, then that sounds reasonable. I don't see an implementation of onReceivedSslError() in Android's InAppBrowser.

However, if the request is to have a config that causes the webviews to silently accept all self-signed certs in production, I don't think that is reasonable. Otherwise we would be giving you ammunition to shoot yourself in the foot, and parts that are further up.

I understand this comes up frequently in enterprises. I live every day in a large enterprise with a huge intranet. IMHO, if the network is trusted then just use http. If the network isn't trusted, then using a self-signed cert opens you up to man-in-the-middle attacks, in which case the communication isn't secure - it's a misleading use of SSL. If you are serious about security, spending around US$500 on a CA-signed cert is part of the cost of going into production.

Andrew's suggestion above about using an interstitial for user confirmation (non-silent) of self-signed certs to get PC-browser-like behavior may be reasonable. Anything more silent than that I don't think is reasonable. So I will change the title of this Jira item to "interstitial". Otherwise I'd be tempted to close this as "won't implement".

I will also open a new related Jira item to add the same non-production behavior to InAppBrowser as exists in CordovaWebView.

> Add support for self-signed SSL certificates in InAppBrowser
> ------------------------------------------------------------
>
>                 Key: CB-3576
>                 URL: https://issues.apache.org/jira/browse/CB-3576
>             Project: Apache Cordova
>          Issue Type: Improvement
>          Components: Android, iOS, Plugin InAppBrowser
>    Affects Versions: 2.7.0, 2.8.0
>         Environment: Android and iOS
>            Reporter: Montyleena
>            Priority: Minor
>              Labels: android, https, inappbrowser, ios, ssl
>         Attachments: InAppBrowser.java
>
>
> Local https links are blocked by default in InAppBrowser (links using a local
> SSL certificate which can't be verified by a 3rd party). Ideally, the user should
> be given an option to proceed or cancel the request like the default
> desktop/mobile browsers do.
> Right now, we have to overwrite the following API in Android to access such
> URLs but onReceivedSslError() function gets called only for the main PhoneGap
> window browser and not for InAppBrowser.
> Create a new class:
> public class CustomWebViewClient extends CordovaWebViewClient {
>
>     public static final String LOG_TAG = "Plugin";
>
>     public CustomWebViewClient(DroidGap ctx) {
>         super(ctx);
>         Log.d(LOG_TAG, "Constructor!");
>     }
>
>     @Override
>     public void onReceivedSslError(WebView view, SslErrorHandler handler,
>             SslError error) {
>         // Continues loading despite the certificate error, with no validation.
>         handler.proceed();
>     }
> }
> In the main class, we use our custom class as a web view client
> CordovaWebViewClient webViewClient = new CustomWebViewClient(this);
> webViewClient.setWebView(this.appView);
> this.appView.setWebViewClient(webViewClient);
> And similar type of code needs to be written for iOS.
> InAppBrowser should pick up the SSL settings from the main web view and once
> we overwrite the onReceivedSslError() function, then it should allow such
> URLs in the InAppBrowser too.
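
An added example (not part of the original message and not Cordova's or InAppBrowser's code) of the two behaviours discussed in the comment: silent acceptance only when the app is built with debuggable="true", and a non-silent interstitial otherwise. The class name, log tag and dialog strings are hypothetical, and it assumes the WebView was created with an Activity context.

```java
import android.app.AlertDialog;
import android.content.Context;
import android.content.DialogInterface;
import android.content.pm.ApplicationInfo;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical client built on the plain Android WebViewClient.
public class GatedSslWebViewClient extends WebViewClient {
    private static final String LOG_TAG = "GatedSsl";

    // True only when AndroidManifest.xml sets android:debuggable="true".
    static boolean isDebuggable(int applicationFlags) {
        return (applicationFlags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler,
            SslError error) {
        Context ctx = view.getContext(); // assumed to be the hosting Activity
        Log.w(LOG_TAG, "SSL error, primary code " + error.getPrimaryError());

        if (isDebuggable(ctx.getApplicationInfo().flags)) {
            // Non-production build: accept silently (self-signed test servers).
            handler.proceed();
            return;
        }

        // Production build: never proceed silently. The user decides, and the
        // dialog cannot be dismissed without resolving the handler.
        new AlertDialog.Builder(ctx)
            .setTitle("Untrusted certificate")
            .setMessage("The identity of this site could not be verified.")
            .setCancelable(false)
            .setNegativeButton("Cancel", new DialogInterface.OnClickListener() {
                public void onClick(DialogInterface dialog, int which) {
                    handler.cancel();
                }
            })
            .setPositiveButton("Continue", new DialogInterface.OnClickListener() {
                public void onClick(DialogInterface dialog, int which) {
                    handler.proceed();
                }
            })
            .show();
    }
}
```

Replacing the dialog with an unconditional handler.cancel() in the release branch gives the stricter behaviour in which only CA-signed certificates load in production.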