Whitelist bug - To access file:// from the dom of a local page, requires an access element #261

Open
nukulb opened this Issue Sep 21, 2012 · 2 comments


nukulb commented Sep 21, 2012

file:// should not require an access element to be used from a local page

Here is an app that has access uri="*"

https://github.com/downloads/blackberry-webworks/BB10-WebWorks-Framework/App.zip

Go to the config.xml of this app and remove the access element.

Take a picture using the camera button up top.

Expected-
The picture should appear in the dom.

Actual-
Get a whitelist error.


jeffheifetz commented Sep 27, 2012

There is an issue with the premise of this, given the way our whitelisting is currently implemented. Currently our whitelisting is only concerned with the origin when it is checking for features but not for navigation.

That would mean that changing this would allow any page to access file whether it is whitelisted or not.

I believe the best solution is to treat fileAccess more like a feature and enforce it to be nested in another access element for remote access. Then enabling it by default for local only would make sense.
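
The trade-off in the comment above, as an added example that is not part of the original thread or the WebWorks code base: a simplified model comparing a target-only whitelist check, the naive "always allow file://" change, and the proposed per-origin file access. The `local://` scheme marker, the `fileAccess` flag name, the function names and all URLs are assumptions made for illustration.

```javascript
// Simplified policy model; hypothetical names, not the WebWorks implementation.
const LOCAL = "local://";                              // assumed marker for packaged pages
const PHOTO = "file:///constructed/camera/photo.jpg";  // constructed sample path

// Reduce a URL to the origin string used for whitelist matching.
function originOf(url) {
  if (url.startsWith(LOCAL)) return LOCAL;
  if (url.startsWith("file://")) return "file://";
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// An access entry matches an origin exactly or through the "*" wildcard.
function matches(entry, origin) {
  return entry.uri === "*" || entry.uri === origin;
}

// Target-only check: the requesting page's origin is never consulted.
function currentPolicy(accessList, pageUrl, targetUrl) {
  const target = originOf(targetUrl);
  return accessList.some((entry) => matches(entry, target));
}

// Naive change: file:// never needs an access element, for any requester.
function naiveFix(accessList, pageUrl, targetUrl) {
  if (originOf(targetUrl) === "file://") return true;
  return currentPolicy(accessList, pageUrl, targetUrl);
}

// Proposal: file access is granted per requesting origin. Local pages get it
// by default; a remote page needs an access entry for its own origin that
// carries the nested fileAccess flag.
function proposedPolicy(accessList, pageUrl, targetUrl) {
  if (originOf(targetUrl) !== "file://") {
    return currentPolicy(accessList, pageUrl, targetUrl);
  }
  const page = originOf(pageUrl);
  if (page === LOCAL) return true;
  return accessList.some((e) => matches(e, page) && e.fileAccess === true);
}

// Constructed scenarios: empty access list, local page vs. remote page.
console.log("local page, current :", currentPolicy([], "local:///index.html", PHOTO));
console.log("remote page, naive  :", naiveFix([], "https://remote.example/a.html", PHOTO));
console.log("local page, proposed:", proposedPolicy([], "local:///index.html", PHOTO));
console.log("remote page, proposed:", proposedPolicy([], "https://remote.example/a.html", PHOTO));
```
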

jeffheifetz pushed a commit to blackberry-webworks/BB10-WebWorks-Framework that referenced this issue Oct 31, 2012

Fixes blackberry/BB10-WebWorks-Framework#238,
      blackberry/BB10-WebWorks-Framework#261, and
      blackberry/BB10-WebWorks-Framework#283

This commit enhances the whitelisting logic to reduce bugs caused by
different assumptions between webworks and webkit whitelisting rules.

To ensure the behaviour matches webworks hacking the webworks network
request handler to cover the differences between webkit and webworks
whitelisting policies. Whenever webworks whitelisting policy would allow
a request, a whitelist entry is added to webkit to ensure webkit will
allow it as well. This should effectively make whitelisting consistent
with previous versions while leaving web security enabled.

Reviewed By: Nukul Bhasin <nbhasin@rim.com>
Tested By: Igor Shneur <ishneur@rim.com>

ctetreault commented Apr 1, 2013

Ran into this one over the weekend. Very frustrating. I was trying to read a file:// and of course got the 'access not allowed' dialog until 'file://' was whitelisted.
