Supposedly the files served from the assets folder will still work (but I didn't try).
On Thu, Dec 6, 2018 at 16:55, Darryl Pogue (<dvpdin...@gmail.com>) wrote:

> On the one hand, I can see why this would get flagged by a security
> audit, because it opens the risk of 3rd party sites/scripts having
> uncontrolled access to the filesystem.
> On the other hand, changing this preference will break the most common
> Cordova use case, where files are served from the app bundle instead
> of from a remote URL.
>
> We could add a preference for this, but it would need a bunch of
> documentation to explain that it only affects Android, and to explain
> clearly what it does and when you might need to enable it. A lot of
> apps would break if people just turned it on as "good security
> practice" without understanding the implications.
>
> On Wed, Dec 5, 2018 at 7:57 AM MALEYRIE Stephane (AIM Services)
> <prestataire.stephane.maley...@ca-titres.fr> wrote:
> >
> > Hello all,
> >
> > Thanks for your answers.
> >
> > I understand that new features will be only available on master release,
> > with no back port.
> > I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on
> > cordova-android 7.x :
> > https://github.com/fechanique/cordova-plugin-fcm/issues/470
> > https://github.com/fechanique/cordova-plugin-fcm/issues/535
> >
> > About the security issue :
> > I found an example here:
> > https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/
> > It's about loadUrl of file:// type url
> > In Cordova plugin whitelist doc, it always accepts any type of
> > file://url ...
> > So, it doesn't seem to solve the issue.
> >
> > We've tried to make a plugin to change it, but it doesn't work, seems to
> > be too late in the process.
> > For now, we plan to make a private fork of cordova-android-plugin to add
> > the line « settings.setAllowFileAccess(false);» here :
> > https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152
> >
> > About this idea, more generally, it'd be useful to configure any
> > WebSettings of the WebView, and not only the allowFileAccess attribute...
> > Maybe, it could be possible by java reflection, using a config file
> > containing attribute names and their values?
> > I will send a new email/thread for this.
> >
> > Thanks again.
> >
> > Stéphane
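
The reflection idea raised in the quoted message, as an added example that is not code from this thread or from cordova-android: boolean setters are driven from configuration, but only those on an explicit allowlist, so a config file cannot flip arbitrary WebSettings. `WebSettingsPrefs`, `StubSettings` (a stand-in for `android.webkit.WebSettings` so the sketch runs off-device), the `ALLOWED` set and the preference keys are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class WebSettingsPrefs {
    // Constructed stand-in for android.webkit.WebSettings; the setter names match the real class.
    public static class StubSettings {
        boolean allowFileAccess = true, allowContentAccess = true, javaScriptEnabled = true;
        public void setAllowFileAccess(boolean v) { allowFileAccess = v; }
        public void setAllowContentAccess(boolean v) { allowContentAccess = v; }
        public void setJavaScriptEnabled(boolean v) { javaScriptEnabled = v; }
    }

    // Only setters named here may be driven from configuration (hypothetical allowlist).
    static final Set<String> ALLOWED = Set.of("AllowFileAccess", "AllowContentAccess");

    // Applies preferences such as AllowFileAccess=false through reflection.
    // Returns the number of settings applied; rejects unknown names and non-boolean values.
    static int apply(Object settings, Map<String, String> prefs) throws ReflectiveOperationException {
        int applied = 0;
        for (Map.Entry<String, String> e : prefs.entrySet()) {
            String name = e.getKey(), value = e.getValue();
            if (!ALLOWED.contains(name))
                throw new IllegalArgumentException("setting not allowlisted: " + name);
            if (!value.equals("true") && !value.equals("false"))
                throw new IllegalArgumentException("not a boolean: " + name + "=" + value);
            Method setter = settings.getClass().getMethod("set" + name, boolean.class);
            setter.invoke(settings, Boolean.parseBoolean(value));
            applied++;
        }
        return applied;
    }

    public static void main(String[] args) throws Exception {
        StubSettings s = new StubSettings();
        Map<String, String> prefs = new LinkedHashMap<>();
        prefs.put("AllowFileAccess", "false");    // constructed sample configuration
        System.out.println(apply(s, prefs) + " applied, allowFileAccess=" + s.allowFileAccess);
        prefs.put("JavaScriptEnabled", "false");  // a real setter, but not on the allowlist
        try {
            apply(s, prefs);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```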