atom feed19 messages in org.apache.incubator.callback-devRe: [Android] SecureToken/NoFrak feat...
FromSent OnAttachments
Joe BowserJan 30, 2014 3:16 pm 
Marcel KinardJan 31, 2014 10:01 am 
Martin GeorgievJan 31, 2014 10:18 am 
Joe BowserJan 31, 2014 10:32 am 
Martin GeorgievJan 31, 2014 11:08 am 
Jonathan Bond-CaronJan 31, 2014 11:18 am 
Andrew GrieveJan 31, 2014 11:22 am 
JesseJan 31, 2014 12:30 pm 
Bas BosmanJan 31, 2014 12:48 pm 
Andrew GrieveJan 31, 2014 12:58 pm 
Andrew GrieveJan 31, 2014 1:27 pm 
Martin GeorgievJan 31, 2014 1:39 pm 
Joe BowserJan 31, 2014 2:40 pm 
Martin GeorgievJan 31, 2014 2:43 pm 
Joe BowserJan 31, 2014 2:46 pm 
Andrew GrieveJan 31, 2014 5:38 pm 
Andrew GrieveJan 31, 2014 5:50 pm 
Andrew GrieveFeb 7, 2014 7:22 am 
Andrew GrieveJul 3, 2014 7:13 pm 
Subject:Re: [Android] SecureToken/NoFrak feature addition
From:Andrew Grieve (agri@chromium.org)
Date:Jan 31, 2014 5:38:44 pm
List:org.apache.incubator.callback-dev

On Fri, Jan 31, 2014 at 5:46 PM, Joe Bowser <bows@gmail.com> wrote:

OK, in the interest of moving things along, I think we agreed to the following:

1. Adding a SecureToken is a good idea and we should implement this somehow 2. We should stop supporting the 2.9.x branch of Cordova like we said we would 3. We should disable addJavascriptInterface for any level below API level 17

Yep, these all sound good! Just need to hash out how to do #1, (2 and #3 don't depend on it).

I'd like to preserve our old behaviour of blocking anything not explicitly whitelisted, and have the ability to turn on mixed content in iFrames with a configuration setting. How can we move forward with this?

Not sure what you mean about turning on mixed content.

Not if your certificate is compromised. Remember our Certificate Pinning discussion!

On Fri, Jan 31, 2014 at 1:43 PM, Andrew Grieve <agri@chromium.org>

wrote:

On Fri, Jan 31, 2014 at 4:34 PM, Martin Georgiev <mgeo@utexas.edu wrote:

On Fri, Jan 31, 2014 at 3:27 PM, Andrew Grieve <agri@chromium.org> wrote:

Why is loadUrl insecure? (hopefully something less horrible than addJsInterface pre JB... :P)

Think about the usecase where a benign website is framed by a malicious one. Again, this is server side. The app developer can't prevent it from happening. The framework developer must make sure that all usecases are handled properly.

Ah, I hadn't considered that the main frame might be malicious.

I don't see how this would happen with a Cordova app though. We strongly encourage users to use file:/// URLs for their app. For those that use HTTP, that's insecure anyways and would be whitelisted by this scheme. If you use HTTPS, then you should be fine, no?