  1. Apache Cordova
  2. CB-1947

Secure whitelisted URLs not loading in Android

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.2.0
    • Fix Version/s: None
    • Component/s: cordova-android
    • Labels:
      None
    • Environment:

      Android 2.3 and 4.2

      Description

      Given the config
      <access origin="http://127.0.0.1*"/> <!-- allow local pages -->
      <access origin="https://mysite.com" subdomains="true"/>
      <access origin="http://mysite.com" subdomains="true"/>

      I would expect both the http and https sites to load. However, only the unsecured http URL will load; the secure https URL shows an HTML error page (it's an iframe).

      Even if I add
      <access origin="*"/>
      the same thing happens

      I should add that if I deploy the app straight from Eclipse (i.e. not signing it) the secure URL works fine, so it is only when the whitelist is enforced that it doesn't seem to work.

      1. log.txt
        13 kB
        Antony Lees

        Activity

        bowserj Joe Bowser added a comment -

        When you deploy from Eclipse, it still enforces the whitelist. However, if you're using Self-Signed Certificates, Cordova will not load those in production mode. This is intentional, since you should be using real certificates if you're releasing an actual app to the market.

        Is this the case with your SSL site?

        antonylees Antony Lees added a comment -

        It's not my site; however, from inspecting their certificate I can see it was signed by a CA called COMODO, so they don't appear to be self-signed.
        Some issue with certificate inspection in production mode then?

        bowserj Joe Bowser added a comment -

        It was signed by Comodo? When were the certs issued? It's possible that the old Comodo certs were rightfully pulled from Android.

        antonylees Antony Lees added a comment -

        Yeah, so the CN = COMODO High-Assurance Secure Server CA
        Valid from: Tuesday, February 21, 2012 12:00:00 AM
        Valid to: Wednesday, February 20, 2013 11:59:59 PM

        So it's been some time since the certificate was issued

        bowserj Joe Bowser added a comment -

        Do you have a logcat log of this? I'm not able to reproduce this on this end with a regular GeoTrust Cert that I use.

        antonylees Antony Lees added a comment -

        I don't remember seeing much of use in the logcat but I can get one. Would it help to have it at VERBOSE level?

        bowserj Joe Bowser added a comment -

        Yes, VERBOSE should be good. Either that or can you provide an example of a site with a Comodo cert? I don't have one here.

        antonylees Antony Lees added a comment -

        logcat output

        antonylees Antony Lees added a comment -

        I can do both. The site I am trying to use with the Comodo cert is https://tolling.severnbridge.co.uk/account/index.php
        I've also attached the logcat output

        bowserj Joe Bowser added a comment -

        OK, they're loading, but it's REALLY SLOW! Like Eye-Gougingly slow! I have no idea why SSL is so slow, but if your connection sucks I can see why this looks like this won't load.

        bowserj Joe Bowser added a comment -

        BTW: The CordovaWebView adds the SSL version of the site to the whitelist whether you put https or not, so both http and https will work.
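
The whitelist behaviour discussed in this thread, as an added example that is not part of the original issue and is not cordova-android's code: a simplified JavaScript model that ignores the scheme written in an `<access>` entry (per the comment above) and matches hosts exactly or as true subdomains. Treating the trailing `*` as "any port or path" is an assumption, and the function names are hypothetical. It lets you confirm that the reporter's entries admit the https form of a URL even when only the http entry is present.

```javascript
// Simplified whitelist model (added example, hypothetical names).
// The <access> entries below are the ones from the issue description.
const CONFIG_XML = `
<access origin="http://127.0.0.1*"/>
<access origin="https://mysite.com" subdomains="true"/>
<access origin="http://mysite.com" subdomains="true"/>`;

// Extract origin / subdomains attributes from each <access> element.
function parseAccessEntries(xml) {
  const entries = [];
  for (const m of xml.matchAll(/<access\b([^>]*)>/g)) {
    const origin = /origin="([^"]*)"/.exec(m[1]);
    if (!origin) continue;
    entries.push({
      origin: origin[1],
      subdomains: /subdomains="true"/.test(m[1]),
    });
  }
  return entries;
}

function entryAllows(entry, url) {
  if (entry.origin === "*") return true; // catch-all entry
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  // Assumption from the thread: the scheme in the entry is not significant,
  // so strip it. Assumption of this model: a trailing '*' means any port/path.
  const host = entry.origin
    .replace(/^https?:\/\//, "")
    .replace(/\*$/, "")
    .toLowerCase();
  if (u.hostname === host) return true;
  // Subdomain match requires a dot boundary, so "mysite.com.example.net"
  // is not treated as a subdomain of "mysite.com".
  return entry.subdomains && u.hostname.endsWith("." + host);
}

// Returns the origin string of the first entry that admits the URL, or null.
function firstMatch(entries, url) {
  const hit = entries.find((e) => entryAllows(e, url));
  return hit ? hit.origin : null;
}

console.log(firstMatch(parseAccessEntries(CONFIG_XML),
                       "https://www.mysite.com/account/index.php"));
```
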

        bowserj Joe Bowser added a comment -

        OK, can you try the one that's not working on a fast connection? Also, you're doing everything right with not mixing the secure and non-secure assets, since having non-secure assets makes it even slower. I think that this may be an Android SSL performance issue, which may mean you have to find some way to hide the iFrame until it loads or use a splashscreen or something.

        antonylees Antony Lees added a comment - - edited

        I've tried it on both HSDPA and fast WiFi, the results appear the same as a user - the iframe fairly quickly (a second or 2) displays a Chrome 'Web page not available' page, which I'm guessing is a timeout, in which case a splashscreen won't help unless I repeatedly refresh the iframe and Cordova caches the SSL result so it doesn't get rechecked every time? I don't think connection speed is the issue

        bowserj Joe Bowser added a comment - - edited

        So, it specifically doesn't load in the iFrame. I've just been vanilla testing it so far, but I can see it totally crapping out on the iFrame based on what I've seen so far with performance. I'll try re-creating it again today if I get time, but the iFrame shouldn't load any slower than the rest of the app. (Yes, I missed this detail when I saw it being crap on a full page. Sorry about that!)

        antonylees Antony Lees added a comment -

        No worries, I only mentioned it briefly. So yeah basically it won't load the iframe at all in production mode

        bowserj Joe Bowser added a comment -

        This sucks, because I think SSL isn't where it needs to be as far as speed is concerned, but I can produce a release-ready Cordova app that has https content in an iFrame. Going to have to close this one as "Cannot reproduce".


          People

          • Assignee:
            bowserj Joe Bowser
            Reporter:
            antonylees Antony Lees