Whitelist changes #392

Closed
nukulb opened this Issue Nov 27, 2012 · 10 comments

Contributor

nukulb commented Nov 27, 2012

So it has been determined that there is no way to allow crossSiteXHR while still keeping websecurity turned on.

My proposal

- Does not turn websecurity off
- Allows navigation to all pages
- Does not allow crossSiteXHR
- Allows navigation to this uri
- Allows crossSiteXHR to this uri

The above behaviour is the same as it currently is.

New behaviors

  • If the user tries to navigate to a non-whitelisted URI, it will be opened in the inAppBrowser or ChildBrowser. This behaviour will be consistent with Cordova's inAppBrowser proposal.
  • Allow the developer to turn off websecurity using the config.xml.
    If the developer absolutely wants to turn off websecurity, they can through config.xml:

    <feature id="blackberry.app">
        <param name="websecurity" value="disable" />
    </feature>

Websecurity will be enabled by default.

-- Packager warning can be thrown saying that websecurity is turned off.
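
The packager-warning idea above, as an added example (not part of the original issue or of the WebWorks code): a Python check that reads a config.xml and reports when the `websecurity` param under `blackberry.app` is set to `disable`, along with the access entries it finds. The sample config, the function names and the case-insensitive matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml for illustration; not taken from a real app.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="example" version="1.0.0">
  <name>Feed Reader</name>
  <access uri="https://feeds.example.com" />
  <access uri="*" />
  <feature id="blackberry.app">
    <param name="websecurity" value="disable" />
  </feature>
</widget>"""


def _local(tag):
    """Drop a '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text):
    """Report web-security-relevant settings found in a config.xml string."""
    # ElementTree is fine for configs you built yourself; use a hardened
    # parser if the file comes from an untrusted source.
    root = ET.fromstring(xml_text)
    report = {"websecurity_disabled": False, "access_uris": [], "warnings": []}
    for el in root.iter():
        name = _local(el.tag)
        if name == "access" and el.get("uri"):
            report["access_uris"].append(el.get("uri").strip())
        elif name == "feature" and el.get("id", "").strip() == "blackberry.app":
            for param in el:
                # Assumption: compare case-insensitively so the audit errs
                # toward flagging; the packager's own matching may be stricter.
                if (_local(param.tag) == "param"
                        and param.get("name", "").strip().lower() == "websecurity"
                        and param.get("value", "").strip().lower() == "disable"):
                    report["websecurity_disabled"] = True
    if report["websecurity_disabled"]:
        report["warnings"].append("websecurity is turned off via blackberry.app")
    if "*" in report["access_uris"]:
        report["warnings"].append("wildcard access entry: uri=\"*\"")
    return report


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG)["warnings"]:
        print("WARNING:", line)
```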

Contributor

nukulb commented Nov 27, 2012

@kwallis @jeffheifetz - Thoughts?

Contributor

jeffheifetz commented Nov 27, 2012

How does this affect the childBrowser? It will act exactly like a browser with navigation anywhere and no cross-site?

Contributor

jeffheifetz commented Nov 27, 2012

According to @nukulb offline what I have said above is correct. In this case I believe this is the best possible solution.

Member

kwallis commented Nov 28, 2012

So how does this affect the use case where we reopened the access * discussion around, things like RSS readers that want to pull in content? They have to turn off web security?

Contributor

nukulb commented Nov 28, 2012

Anyone who wants to make XHR to unknown URLs, unknown at time of development, must turn Web Security off.
There is no other way to do it.

Member

kwallis commented Nov 28, 2012

Ok. Looks good.

Contributor

jeffheifetz commented Nov 29, 2012

What happens on requests other than navigation requests that aren't allowed (i.e. XHR, Resources, etc.)? I presume the current behaviour of denying them and showing an alert is acceptable?

Contributor

nukulb commented Nov 29, 2012

I was going to suggest silent fail for resources and XHR - perhaps a console.log(...) so it makes it into slog2info but no alert.
What do you think?

Contributor

jeffheifetz commented Dec 2, 2012

I assume that when the developer disables websecurity we also want to disable webworks whitelisting as well.

@jeffheifetz jeffheifetz referenced this issue in blackberry-webworks/BB10-WebWorks-Framework Dec 2, 2012

Closed

Changes whitelisting to allow disabling web security #309

@jeffheifetz jeffheifetz referenced this issue in blackberry-webworks/BB10-Webworks-Packager Dec 2, 2012

Closed

Adds the ability to disable websecurity #118

jeffheifetz pushed a commit to blackberry-webworks/BB10-WebWorks-Framework that referenced this issue Dec 3, 2012

Jeffrey Heifetz
Changes whitelisting to allow disabling web security
    Fixes blackberry/BB10-WebWorks-Framework#392

    Reviewed By: NOBODY (OOOPS)
    Tested By: Tracy Li <tli@rim.com>

    Modifies the WebWorks Framework to disable all web security when the
    config is set to.

jeffheifetz pushed a commit to blackberry-webworks/BB10-Webworks-Packager that referenced this issue Dec 3, 2012

Jeffrey Heifetz
Adds the ability to disable websecurity
    Fixes blackberry/BB10-WebWorks-Framework#392

    Reviewed By: NOBODY
    Tested By: Tracy Li <tli@rim.com>

    This commit parses a new param (websecurity) for blackberry.app
    which has a possible value disable.

jeffheifetz pushed a commit to blackberry-webworks/BB10-WebWorks-Framework that referenced this issue Dec 3, 2012

Jeffrey Heifetz
Updates Whitelisting Automated Tests
    Fixes issue blackberry/BB10-WebWorks-Framework#392

    This test recognizes the fact that subdomains need to be explicitly
    whitelisted to be able to access the local:// protocol.

    Reviewed By: Nukul Bhasin <nbhasin@rim.com>
    Tested By: Tracy Li <tli@rim.com>

jeffheifetz pushed a commit to blackberry/BB10-Webworks-Packager that referenced this issue Dec 3, 2012

Jeffrey Heifetz Nukul Bhasin
Adds the ability to disable websecurity
Fixes blackberry/BB10-WebWorks-Framework#392

Reviewed By: Nukul Bhasin <nbhasin@rim.com>
Tested By: Tracy Li <tli@rim.com>

This commit parses a new param (websecurity) for blackberry.app
which has a possible value disable.

jeffheifetz pushed a commit that referenced this issue Dec 3, 2012

Jeffrey Heifetz Nukul Bhasin
Changes whitelisting to allow disabling web security
Fixes blackberry/BB10-WebWorks-Framework#392

Modifies the WebWorks Framework to disable all web security when the
config is set to.

Reviewed By: Nukul Bhasin <nbhasin@rim.com>
Tested By: Tracy Li <tli@rim.com>

jeffheifetz pushed a commit that referenced this issue Dec 3, 2012

Jeffrey Heifetz Nukul Bhasin
Updates Whitelisting Automated Tests
Fixes issue blackberry/BB10-WebWorks-Framework#392

This test recognizes the fact that subdomains need to be explicitly
whitelisted to be able to access the local:// protocol.

Reviewed By: Nukul Bhasin <nbhasin@rim.com>
Tested By: Nukul Bhasin <nbhasin@rim.com>

@ericpearson ericpearson referenced this issue in blackberry/BB10-Webworks-Packager Dec 4, 2012

Closed

Enable slog2 output for debug builds #228

jeffheifetz pushed a commit to blackberry/BB10-Webworks-Packager that referenced this issue Dec 12, 2012

Jeffrey Heifetz Nukul Bhasin
Adds the ability to disable websecurity
Fixes blackberry/BB10-WebWorks-Framework#392

Reviewed By: Nukul Bhasin <nbhasin@rim.com>
Tested By: Tracy Li <tli@rim.com>

This commit parses a new param (websecurity) for blackberry.app
which has a possible value disable.

Contributor

ejzn commented Apr 11, 2013

Close.
