All APIs are available to embedded content, regardless of config.xml
App is a local index.html with app APIs whitelisted, embedded iframe
with no APIs allowed (think of an RSS reader app)
The embedded content has access to any API the app has.
@kwallis - fill in the details on what you want the behavior to be for remote url vs. local url
Is local vs. remote the right question? Or is it more about differing domains of content?
----- Original Message -----
From: Nukul Bhasin [mailto:email@example.com]
Sent: Tuesday, June 19, 2012 11:17 PM
To: Ken Wallis
Subject: [BB10-WebWorks-Framework] Security hole with api whitelisting and embedded content (#118)
Different domains is a better question.
Here is the problem: there is no way to find out from that if a NetworkResourceRequest came from an iFrame or original page. So I will be opening a PR.
Changes a webview's requests to use the referrer from the
NetworkResourceRequestedEvent instead of originalLocation.
Reviewed By: Jeffrey Heifetz <firstname.lastname@example.org>
Tested By: Igor Shneur <email@example.com>
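
The difference between the two checks discussed in this thread, as an added example that is not the project's code: the whitelist decision keyed on the webview's `originalLocation` versus on the request's `referrer`. The whitelist contents, the feature name `demo.storage`, the request object shape, and the deny-on-missing-referrer rule are assumptions made for illustration.

```javascript
// Constructed whitelist modelled on config.xml access rules: origin -> allowed features.
// The "local://" key and the feature name "demo.storage" are assumptions of this example.
const WHITELIST = {
  "local://": ["demo.storage"],
  "https://feeds.example.com": [] // embedded feed content: no APIs allowed
};

// Reduce a URL to the origin key used in WHITELIST; null when it cannot be parsed.
function originOf(url) {
  if (typeof url !== "string" || url === "") return null;
  if (url.startsWith("local://")) return "local://";
  try {
    const u = new URL(url);
    return u.protocol + "//" + u.host;
  } catch (e) {
    return null;
  }
}

// Features granted to the origin of `url`; unknown or missing origins get none.
function featuresFor(url) {
  const origin = originOf(url);
  const known = origin !== null && Object.prototype.hasOwnProperty.call(WHITELIST, origin);
  return known ? WHITELIST[origin] : [];
}

// Reported behaviour: every request is judged by the webview's top-level page,
// so an iframe inherits whatever the app itself is allowed to call.
function isAllowedByOriginalLocation(request, feature) {
  return featuresFor(request.originalLocation).includes(feature);
}

// Behaviour described in the commit message: judge the request by its referrer.
// An empty or unparseable referrer is denied (fail closed, assumed here).
function isAllowedByReferrer(request, feature) {
  return featuresFor(request.referrer).includes(feature);
}

// Constructed requests: same webview, different requesting documents.
const fromApp = { originalLocation: "local:///index.html", referrer: "local:///index.html" };
const fromIframe = { originalLocation: "local:///index.html", referrer: "https://feeds.example.com/item/1" };
const noReferrer = { originalLocation: "local:///index.html", referrer: "" };

console.log("iframe, originalLocation check:", isAllowedByOriginalLocation(fromIframe, "demo.storage"));
console.log("iframe, referrer check:", isAllowedByReferrer(fromIframe, "demo.storage"));
console.log("app page, referrer check:", isAllowedByReferrer(fromApp, "demo.storage"));
console.log("no referrer, referrer check:", isAllowedByReferrer(noReferrer, "demo.storage"));
```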