Apache Cordova / CB-5988

Allow the Android exec() to be used only by <content>'s domain

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cordova-android
    • Labels: None

    Description

      Discussion: http://markmail.org/thread/yohym3xqomjp4a64

      Add a random number to exec() to increase its security.

      Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn't match that of content (with file:/// always being allowed).
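
The gate described above, as an added example that is not code from cordova-android or from the issue's author: the native side issues a random secret only when the main-frame URL is on the <content> origin or is a file: URL, and checks it on every exec() call. The class and method names (`BridgeSecretGate`, `issueSecret`, `verify`) and the example.com URLs are hypothetical, and the main-frame URL is assumed to be read from the WebView rather than supplied by page script.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.security.SecureRandom;
import java.util.Locale;
// Hypothetical sketch, not Cordova's classes: the exec() secret goes only to
// a main frame on the <content> origin (file: URLs are always allowed).
public class BridgeSecretGate {
    private static final SecureRandom RNG = new SecureRandom();
    private final String contentOrigin; // origin of <content src="...">
    private int expectedSecret = -1;    // -1: no secret currently issued
    public BridgeSecretGate(String contentSrc) { contentOrigin = originOf(contentSrc); }

    // scheme://host:port, "file://" for any file: URL, null if unusable.
    // Simplification: the default port is 443 for https and 80 otherwise.
    static String originOf(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            if (scheme.equals("file")) return "file://";
            if (u.getHost() == null) return null;
            int port = u.getPort() != -1 ? u.getPort() : scheme.equals("https") ? 443 : 80;
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException | NullPointerException e) {
            return null; // unparsable or missing URL: never gets a secret
        }
    }

    // mainFrameUrl must come from the WebView, never from page script.
    public synchronized int issueSecret(String mainFrameUrl) {
        String origin = originOf(mainFrameUrl);
        boolean ok = origin != null && (origin.equals("file://") || origin.equals(contentOrigin));
        // Loading a page on any other origin also revokes the earlier secret.
        expectedSecret = ok ? RNG.nextInt(Integer.MAX_VALUE) : -1;
        return expectedSecret;
    }

    // Each exec() call must present the secret issued to the current page.
    public synchronized boolean verify(int secret) {
        return expectedSecret >= 0 && secret == expectedSecret;
    }

    public static void main(String[] args) {
        BridgeSecretGate gate = new BridgeSecretGate("https://app.example.com/index.html");
        int s = gate.issueSecret("https://app.example.com/settings.html");
        System.out.println("same origin: " + gate.verify(s));
        gate.issueSecret("https://app.example.com.other.example/");
        System.out.println("after leaving origin: " + gate.verify(s));
    }
}
```

The comparison is on the parsed origin, not a string prefix, so a look-alike host that merely begins with the <content> host name is refused a secret.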

          People

            agrieve Andrew Grieve