[CB-5988] Allow the Android exec() to be used only by <content>'s domain - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: cordova-android
Labels:
None

Description

Discussion: http://markmail.org/thread/yohym3xqomjp4a64

Add a random number to exec() to increase its security.

Use the domain of the <content> tag as the only one the native side will provide a token to. Both Android and iOS can know the URL of the main frame, and choose not to provide a token if the domain doesn't match that of content (with file:/// always being allowed).

Attachments

Activity

People

Assignee:: Andrew Grieve

Reporter:: Andrew Grieve

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Feb/14 15:21

Updated:: 23/Aug/18 07:19

Resolved:: 04/Jul/14 02:13