Apache Cordova / CB-5988

Allow the Android exec() to be used only by <content>'s domain

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Android
    • Labels: None

      Description

      Discussion: http://markmail.org/thread/yohym3xqomjp4a64

      Add a random number to exec() to increase its security.

      Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn't match that of content (with file:/// always being allowed).
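
An added sketch of the check described above; it is not part of the issue and not Cordova's own code. The class and method names are hypothetical, the URLs are constructed, and "domain" is assumed to mean an exact match on the parsed host.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.security.SecureRandom;

// Hypothetical sketch: class and method names are not Cordova's.
public class BridgeTokenGate {
    private final String contentHost;   // host of <content src>, null for file:///
    private final SecureRandom rng = new SecureRandom();
    private int expectedToken = -1;     // -1 means no token is currently valid

    public BridgeTokenGate(String contentSrc) {
        this.contentHost = URI.create(contentSrc).getHost();
    }

    // Call on every main-frame load; returns a token, or -1 when the page gets none.
    public synchronized int issueToken(String mainFrameUrl) {
        expectedToken = -1;             // a navigation invalidates the previous token
        if (isAllowed(mainFrameUrl)) {
            expectedToken = rng.nextInt(Integer.MAX_VALUE);
        }
        return expectedToken;
    }

    // Call at the top of the native exec() handler before dispatching to a plugin.
    public synchronized boolean verify(int token) {
        return expectedToken >= 0 && token == expectedToken;
    }

    boolean isAllowed(String url) {
        try {
            URI u = new URI(url);
            if ("file".equalsIgnoreCase(u.getScheme())) return true; // always allowed
            // Compare the parsed host exactly; never use prefix or substring checks.
            return contentHost != null && contentHost.equalsIgnoreCase(u.getHost());
        } catch (URISyntaxException e) {
            return false;               // unparsable URL: fail closed, no token
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs, for illustration only.
        BridgeTokenGate gate = new BridgeTokenGate("https://app.example.com/index.html");
        int t = gate.issueToken("https://app.example.com/home");
        System.out.println("matching host, token verifies: " + gate.verify(t));
        System.out.println("look-alike host gets: " + gate.issueToken("https://app.example.com.evil.test/"));
        System.out.println("old token after navigation: " + gate.verify(t));
        System.out.println("file:/// gets token: " + (gate.issueToken("file:///android_asset/www/index.html") >= 0));
    }
}
```

Resetting the token on every main-frame load means a page that navigates away from the `<content>` host cannot keep using a token issued to the earlier page.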

          People

          • Assignee: Andrew Grieve
          • Reporter: Andrew Grieve