Cordova updates on devel and a new accessRule API


Slava Kim

Feb 13, 2015, 2:19:39 PM2/13/15
to meteo...@googlegroups.com
Hey everyone, here is a new API that I am working on for Meteor Cordova. It is related to a series of updates to the Cordova dependencies and a sec vuln found in Cordova 3.5.0: http://cordova.apache.org/announcements/2014/08/04/android-351.html

In Cordova, we used to allow all xhr requests outgoing from the native app shell to any website.

Apparently, there is a vulnerability on Android that in some circumstances can trick the user into opening another app and leaking some data to it.

To mitigate this, Android and Google tell developers to ban outgoing requests to any website and then whitelist what application can access and what can be opened in an external app (like phonebook opening tel:, mail app opening mailto:, dropbox opening your https://dropbox.com/ urls, etc).

In Meteor Cordova there is a change that bans all URLs by default. It whitelists things like tel:, map:, mailto:, and the app's server URL (we know it since we require it on build), and provides the following API for adding new URL schemes to the whitelist:

    App.accessRule('https://some-site.com/*', { external: false });

You would add this config to your mobile-config.js file (that acts like a control file in Meteor Cordova).


I am open to your thoughts on this API.

Here is the full doc:

    /**
     * @summary Set a new access rule based on origin domain for your app.
     * By default your application has a limited list of servers it can contact.
     * Use this method to extend this list.
     *
     * Default access rules:
     *
     * - `tel:*`, `geo:*`, `mailto:*`, `sms:*`, `market:*` are allowed and
     *   launch externally (phone app, or an email client on Android)
     * - `gap:*`, `cdv:*`, `file:` are allowed (protocols required to access
     *   local file-system)
     * - `http://meteor.local/*` is allowed (a domain Meteor uses to access
     *   the app's assets)
     * - The domain of the server passed to the build process (or the local IP
     *   address in development mode) is allowed so the app can contact the
     *   Meteor app server.
     *
     * Read more about domain patterns in [Cordova
     *
     * Starting with Meteor 1.0.4 access rule for all domains and protocols
     * (`<access origin="*"/>`) is no longer set by default due to
     * [certain kind of possible
     *
     * @param {String} domainRule The pattern defining affected domains or URLs.
     * @param {Object} [options]
     * @param {Boolean} options.launchExternal Set to true if the matching URL
     * should be handled externally (e.g. phone app or email client on Android).
     * @memberOf App
     */

Slava
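As an added illustration (not Meteor's or Cordova's own code), the following models the default-deny access list the post describes: a stand-in `accessRule` function collects the default rules from the proposed doc plus the `https://some-site.com/*` rule, and `decide(url)` returns whether a URL is allowed in-app, launched externally, or denied because nothing matched. The pattern matcher (a `*` glob turned into an anchored regular expression), the option name `launchExternal` from the doc comment rather than the `external` key in the short example, the `file:*` spelling, and the app server URL `https://app.example.com` are all assumptions made for this example; Cordova's whitelist plugin implements its own matching rules.

```javascript
// Added example: a simplified model of the default-deny whitelist described
// in the post. Not Meteor's or Cordova's implementation.

const rules = [];

// Hypothetical stand-in for Meteor's App.accessRule(domainRule, options).
// In a real project these calls would live in mobile-config.js.
function accessRule(domainRule, options = {}) {
  rules.push({ pattern: domainRule, launchExternal: !!options.launchExternal });
}

// Default rules listed in the proposed doc comment.
for (const scheme of ['tel', 'geo', 'mailto', 'sms', 'market']) {
  accessRule(scheme + ':*', { launchExternal: true });
}
accessRule('gap:*');
accessRule('cdv:*');
accessRule('file:*'); // written `file:` in the doc; `*` added so the glob matches real URLs (assumption)
accessRule('http://meteor.local/*');
accessRule('https://app.example.com/*'); // assumed server URL passed at build time

// The app-specific rule from the post (documented option name used here).
accessRule('https://some-site.com/*', { launchExternal: false });

// Turn a glob such as `https://some-site.com/*` into an anchored regex:
// escape every regex metacharacter except `*`, then let `*` match anything.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// First matching rule wins; no match means the request is blocked,
// which is the whole point of dropping `<access origin="*"/>`.
function decide(url) {
  for (const rule of rules) {
    if (patternToRegExp(rule.pattern).test(url)) {
      return rule.launchExternal ? 'launch-external' : 'allow';
    }
  }
  return 'deny';
}

// Sample URLs (constructed for this example).
const samples = [
  'https://app.example.com/sockjs/info',   // allow: app server
  'https://some-site.com/api/v1',          // allow: added by accessRule
  'https://some-site.com.evil.net/api',    // deny: suffix trick does not match
  'tel:+15555550100',                      // launch-external: phone app
  'https://evil.example.com/steal',        // deny: nothing matched
];
for (const url of samples) {
  console.log(decide(url).padEnd(15), url);
}
```

Running the block prints one decision per sample URL; note that `https://some-site.com.evil.net/` is denied because the anchored regex requires a `/` right after `some-site.com`, which is the kind of check a practitioner should confirm against the real whitelist plugin before trusting a rule.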

Zoltan Olah

Feb 13, 2015, 6:35:09 PM2/13/15
to meteo...@googlegroups.com
Your proposed mobile-config option sounds totally fine to me.

Andrew Reedy

Feb 25, 2015, 8:35:27 PM2/25/15
to meteo...@googlegroups.com
Looks good!

Zhang Hong

Feb 25, 2015, 9:01:56 PM2/25/15
to meteo...@googlegroups.com
Will 1.0.4 support Android Crosswalk? How do I test the new Cordova integration?

On Saturday, February 14, 2015 at 3:19:39 AM UTC+8, Slava Kim wrote: