[jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests

2012-11-21 Thread Andrew Grieve (JIRA)

[ 
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13502029#comment-13502029
 ] 

Andrew Grieve commented on CB-1695:
---

Shaz - I'm a bit worried that this change will slow down the initial app start 
(having to load an extra webview in serial). Did you measure this?

I'm not sure I know a better way, but thought it's worth discussion at least :)

One option:
First CDVWebView - have no UA change
Other UIWebView - append non-CDV to the UA by leaving NSUserDefaults set.
Subsequent CDVWebViews - have GUID appended (or have them with no UA change, 
but GUID appended would allow per-webview whitelists)

- This won't work unless the Cordova webview is the first webview to be created.
- Perhaps there's a way to detect if the app has created its own UIWebView 
  before starting a Cordova one?
- E.g. Could go back to requiring the URLProtocol to be registered on app 
  start-up so that it can look for Safari-like UAs passing by.


Another option:
Have only CDVWebViews have a modified UA, and just cache the UA in our own 
NSUserDefaults key.
- This means slow start at first, but at least faster for other launches
- We'll have to invalidate this cached value if the UA ever changes... For OS 
  upgrades for sure, but maybe also for locale changes?


Another option:
- Maybe there isn't a speed problem :)



One other thing I'm thinking about though - Requests made by plugins.
- 1: We can have plugins set the user-agent to the WebView's
- 2: Have plugins explicitly check the whitelist before sending requests.

1: might be safer if we're worried about having the whitelist apply to 
redirects as well.



 [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view 
 controllers/requests
 -

 Key: CB-1695
 URL: https://issues.apache.org/jira/browse/CB-1695
 Project: Apache Cordova
  Issue Type: Bug
  Components: iOS
Affects Versions: 2.2.0
 Environment: Xcode 4.5 / OS X 10.7.5 (Lion) / Commit 
 ef67dcf7bce56c69299bb89ab16c1803d0edd895
Reporter: Kevin Hawkins
Assignee: Shazron Abdullah
 Fix For: 2.3.0


 Registered NSURLProtocol objects respond to NSURLRequests across an 
 application.  As such, CDVURLProtocol handles all requests that would pass 
 through any UIWebView in the application, and applies Cordova's whitelist 
 rules accordingly to each http(s) request.
 This is an unreasonable overreach of authority, in an app where Cordova is 
 only one component of the app.  Consider the case where I have my own 
 UIWebView (think ChildBrowser), and I want to load arbitrary web content.  
 This web content has no access to the Cordova sandbox on the device, and as 
 such should not be subject to the security restrictions that limit requests 
 to whitelisted/trusted hosts.
 The logic in [CDVURLProtocol canInitWithRequest:] that validates the view 
 controller against the global CDVViewController registry, for /!gap_exec 
 calls, should be extended to make the same check against http(s) calls, and 
 allow them without whitelist comparison for requests that originate outside 
 of any registered CDVViewController instances.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests

2012-11-21 Thread Shazron Abdullah (JIRA)

[ 
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13502191#comment-13502191
 ] 

Shazron Abdullah commented on CB-1695:
--

I did 5 samples on my iPhone 4S (times in ms): 224, 132, 128, 125, 130 - not 
too bad I think.

I think the second option is better, since we have to think about the case 
where people are using this as an embedded Cordova WebView, and we can't of 
course reasonably expect other UIWebView instances by other libraries to modify 
their UA.

Regarding the request by plugins -- good ideas, let's do it. 

I'll re-factor how I'm doing it so plugins can get the Cordova WebView UA used, 
as well as cache the UA - with invalidation by iOS version change and locale 
change. I'll add a separate issue for this.



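A sketch of the approach the comment above settles on, added here as an example and not Cordova's own code: the stock UA is cached in NSUserDefaults and re-read when the iOS version or locale changes, and a request counts as Cordova-originated only if its User-Agent carries the webview's tag. The key names, the `Example…` function names and the tag format are hypothetical; ARC is assumed.

```objc
#import <UIKit/UIKit.h>

// Hypothetical NSUserDefaults keys (not Cordova's real key names).
static NSString* const kExampleUAKey = @"Example_UserAgent";
static NSString* const kExampleUAStampKey = @"Example_UserAgentStamp";

// The stamp changes when the OS version or locale changes,
// which invalidates the cached UA.
static NSString* ExampleUAStamp(void) {
    return [NSString stringWithFormat:@"%@|%@",
            [[UIDevice currentDevice] systemVersion],
            [[NSLocale currentLocale] localeIdentifier]];
}

// Returns the stock UIWebView UA, from cache while the stamp still matches.
// Call on the main thread: a cache miss creates a throwaway UIWebView.
static NSString* ExampleBaseUserAgent(void) {
    NSUserDefaults* defaults = [NSUserDefaults standardUserDefaults];
    NSString* stamp = ExampleUAStamp();
    NSString* ua = [defaults stringForKey:kExampleUAKey];
    if (ua == nil ||
        ![stamp isEqualToString:[defaults stringForKey:kExampleUAStampKey]]) {
        UIWebView* probe = [[UIWebView alloc] initWithFrame:CGRectZero];
        ua = [probe stringByEvaluatingJavaScriptFromString:@"navigator.userAgent"];
        [defaults setObject:ua forKey:kExampleUAKey];
        [defaults setObject:stamp forKey:kExampleUAStampKey];
        [defaults synchronize];
    }
    return ua;
}

// UA for one Cordova webview: stock UA plus a per-webview tag (e.g. a GUID).
// Plugins making their own requests would set this as their User-Agent.
static NSString* ExampleTaggedUserAgent(NSString* tag) {
    return [NSString stringWithFormat:@"%@ (%@)", ExampleBaseUserAgent(), tag];
}

// YES only when the request carries this webview's tag; the URL protocol
// would apply the whitelist to these requests and pass all others through.
static BOOL ExampleRequestIsTagged(NSURLRequest* request, NSString* tag) {
    NSString* ua = [request valueForHTTPHeaderField:@"User-Agent"];
    NSString* marker = [NSString stringWithFormat:@"(%@)", tag];
    return ua != nil && [ua hasSuffix:marker];
}
```

A request with no tagged User-Agent is treated as non-Cordova and skips the whitelist, which is why plugin requests need either the tagged UA or an explicit whitelist check, as discussed in the thread.
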
[jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests

2012-11-21 Thread Shazron Abdullah (JIRA)

[ 
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13502195#comment-13502195
 ] 

Shazron Abdullah commented on CB-1695:
--

Added new related issue CB-1889


[jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests

2012-11-20 Thread Shazron Abdullah (JIRA)

[ 
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13501725#comment-13501725
 ] 

Shazron Abdullah commented on CB-1695:
--

This needs a further fix. The original Cordova UIWebView needs to have its own 
unique GUID appended to the User-Agent as well (like the InAppBrowser); if not, 
other uses of a UIWebView will be subject to the white-list as well.


[jira] [Commented] (CB-1695) [iOS]: CDVURLProtocol should not apply whitelist to non-Cordova view controllers/requests

2012-11-13 Thread Shazron Abdullah (JIRA)

[ 
https://issues.apache.org/jira/browse/CB-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13496674#comment-13496674
 ] 

Shazron Abdullah commented on CB-1695:
--

This is great! This would really help with InAppBrowser.
