Skip to content
Permalink
Browse files
Updated Proposed Whitelist System section
  • Loading branch information
shazron committed Nov 3, 2015
1 parent b2c01c2 commit efc39019ecad770cfc9d07f90364f11f245635c6
Showing 1 changed file with 16 additions and 2 deletions.
@@ -5,13 +5,15 @@ This proposal is to advocate for the removal of the usage of the cordova-plugin-
In the diagrams, CSP refers to [Content-Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP) and ATS refers to [App Transport Security](https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33).
These two components are built-in to iOS, and are not part of Apache Cordova.

The native whitelist component pictured is Apache Cordova's [cordova-plugin-whitelist](https://github.com/apache/cordova-plugin-whitelist) which is new for cordova-ios-4x.

## Current Whitelist System

![current cordova-ios-4 whitelist](images/ios-whitelist-removal/cordova-ios-4-whitelist-current.png)

All connections in the WebView *must* be whitelisted in the `CSP` *and* also be whitelisted in native through the `<access>` tag in `config.xml`. In the last released version of the `cordova-cli`, all `<access>` tags are automatically converted to `ATS` directives in the app's `Info.plist` file.

There is a deficiency in `cordova-plugin-whitelist` in that `WKWebView` connections are not whitelisted while on iOS 8 (because its connections cannot be intercepted using NSURLProtocol). On iOS 9, `WKWebView` connections are whitelisted and intercepted by ATS.
There is a deficiency in `cordova-plugin-whitelist` in that `WKWebView` connections are not whitelisted while on iOS 8 (because WKWebView connections cannot be intercepted using NSURLProtocol). On iOS 9, `WKWebView` connections are whitelisted and intercepted by ATS.

There is one difference in whitelisting through `ATS` and cordova-plugin-whitelist: a wildcard `*` in `cordova-plugin-whitelist` means all connections are accepted, while in `ATS` it means the same except that you can also restrict certain domains to connect through https or a certain TLS version, for example.

@@ -23,4 +25,16 @@ It seems that this code was added to provide a generic way to allow whitelist as

![proposed cordova-ios-4 whitelist](images/ios-whitelist-removal/cordova-ios-4-whitelist-proposed.png)

TODO:
The proposed whitelist system here requires us to remove:
1. The [iteration of plugins](https://github.com/apache/cordova-ios/blob/0ec2949d9b37495da6504867bfb371bd868242f0/CordovaLib/Classes/Public/CDVViewController.m#L518) to see if they conform to the [protocol methods](https://github.com/apache/cordova-ios/blob/master/CordovaLib/Classes/Public/CDVURLRequestFilter.h)
2. Usage of the [cordova-plugin-whitelist](https://github.com/apache/cordova-plugin-whitelist) itself

This simplifies things in that we rely solely on iOS to handle security functionality -- Apple is a far better expert than us to handle these things.

Developers still have to specify `<access>` tags to whitelist domains when they are whitelisted to in the `CSP` however.

An automatic `CSP to <access> tag` parser was proposed (through `cordova-lib` ios parser) -- this could work but at an expense of backwards-compatibility.

Note however that adoption of this proposal basically removes all whitelist functionality for iOS versions 8 and below.


0 comments on commit efc3901

Please sign in to comment.