Enable whitelisting support for embedded content #118

Open
nukulb opened this Issue Jun 20, 2012 · 4 comments


@nukulb
nukulb commented Jun 20, 2012

All APIs are available to embedded content, regardless of config.xml

App is a local index.html with app APIs whitelisted, embedded iframe with no APIs allowed (think of an RSS reader app)

The embedded content has access to any API the app has.

Expected:
@kwallis - fill in the details on what you want the behavior to be for remote url vs. local url

@kwallis
Member
kwallis commented Jun 20, 2012

Is local vs. Remote the right question? Or is it more about differing domains of content?

----- Original Message -----
From: Nukul Bhasin [mailto:reply@reply.github.com]
Sent: Tuesday, June 19, 2012 11:17 PM
To: Ken Wallis
Subject: [BB10-WebWorks-Framework] Security hole with api whitelisting and embedded content (#118)


@nukulb
nukulb commented Jun 20, 2012

Different domains is a better question.

Here is the problem, there is no way to find out from that if a NetworkResourceRequest came from an iFrame or original page. So I will be opening a PR.

@kwallis
Member
kwallis commented Sep 18, 2012

Fixed?

cc @jeffheifetz

@jeffheifetz

Not yet

sleroux added a commit to blackberry-webworks/BB10-WebWorks-Framework that referenced this issue Oct 31, 2012
Fixes blackberry/BB10-WebWorks-Framework#118
Changes a webview's requests to use the referrer from the
NetworkResourceRequestedEvent instead of originalLocation.

Reviewed By: Jeffrey Heifetz <jheifetz@rim.com>
Tested By: Igor Shneur <ishneur@rim.com>
2aeffdf
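
The difference between the two checks named in the commit message, as an added example that is not the framework's own code: an API access decision keyed on the webview's `originalLocation` versus one keyed on the request's `referrer`. The whitelist contents, the request object shape, the `local://` origin key and all function names are assumptions made for illustration.

```javascript
// Added illustration: every name here is hypothetical, not framework code.
// Constructed whitelist in the spirit of config.xml: origin -> allowed APIs.
const WHITELIST = new Map([
  ["local://", new Set(["blackberry.app", "blackberry.invoke"])],
  ["https://feeds.example.com", new Set()], // embedded feed: no APIs
]);

// Reduce a URL to the origin key used by the whitelist.
function originOf(url) {
  if (typeof url !== "string") return null;
  if (url.startsWith("local://")) return "local://";
  try {
    return new URL(url).origin;
  } catch {
    return null; // unparsable URL: treated as an unknown origin
  }
}

// Default deny: an origin missing from the whitelist gets no APIs.
function featuresFor(url) {
  return WHITELIST.get(originOf(url)) || new Set();
}

// Behaviour reported in the issue: the decision follows the page the
// webview first loaded, so every frame inherits the app's permissions.
function allowedByOriginalLocation(request, feature) {
  return featuresFor(request.originalLocation).has(feature);
}

// Behaviour described by the fix: the decision follows the document that
// issued the request. A missing referrer is denied (assumed policy).
function allowedByReferrer(request, feature) {
  return featuresFor(request.referrer).has(feature);
}

// Constructed requests: same webview, different requesting documents.
const top = "local:///index.html";
const fromApp = { originalLocation: top, referrer: top };
const fromIframe = { originalLocation: top,
                     referrer: "https://feeds.example.com/reader.html" };
const noReferrer = { originalLocation: top };

for (const r of [fromApp, fromIframe, noReferrer]) {
  console.log(r.referrer, allowedByOriginalLocation(r, "blackberry.app"),
              allowedByReferrer(r, "blackberry.app"));
}
```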