[ https://issues.apache.org/jira/browse/CB-11868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jesse MacFadyen resolved CB-11868. ---------------------------------- Resolution: Not A Problem > inappbrowser overrides window.open and doesn't follow allow-intent and > allow-navigation restrictions > ---------------------------------------------------------------------------------------------------- > > Key: CB-11868 > URL: https://issues.apache.org/jira/browse/CB-11868 > Project: Apache Cordova > Issue Type: Bug > Components: Plugin InAppBrowser > Affects Versions: 3.5.0 > Environment: android > Reporter: Mladen Petrovic > Priority: Critical > Labels: security > > InappBrowser doesn't follow allow-intent and allow-navigation meta tags only > in Android. > It also overrides default window.open(uri, '_self'); > So when i allow only some urls to be allowed like this: > <allow-navigation href="http://google.com/" /> > <allow-intent href="http://google.com" /> > I can successfully open yahoo.com via window.open('yahoo.com', '_self'); > But if i remove inappBrowser plugin they it follow restriction and will only > open google.com > This happens only in Android, not in iOS. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org