Clarifying Security of SourceType.url.

[ted-marozzi]

Hi,

In this issue you say "one should NOT use it (especially with SourceType.urlBypass) for security-related stuff, such as OAuth or similar."

1. Is this saying that we shouldn't host a page which requires normal username and password login in an Iframe?

2. What about hosting an iframe with the normal SourceType.url, are pages that have a log in form not secure?

I am just getting confused because you said OAuth which I believe is different to a username and password login.

Great package by the way. Extremely useful and very well organised!

Thanks.

[adrianflutur]

Hi,
Yeah maybe I didn't explain it really well in that issue. I'll try to elaborate here.

To begin with, that warning is strictly related to the usage of SourceType.urlBypass on Web (where the package uses an iframe to load webpages), so I think you should first understand exactly what happens when SourceType.urlBypass is being used.

Here is an example of what happens when we want to load, say, https://google.com in the webview using SourceType.urlBypass:

• The webview receives the URL
• The webview initiates a HTTP request to one of the predefined CORS proxy servers (which are located here)
  • The default proxies which the package uses are public - this is what the warning is about. If you do authentication/security/banking/etc through a public proxy then your data will first go through the proxy, and then it will reach the destination URL.
  • You can also create your own CORS proxy server and then use it here, in which case you should be safe because it is controlled by you.
• The proxy server itself makes a HTTP request to the destination URL, downloads it's entire HTML page source, then sends it back to our webview as a HTTP response.
• Our webview extracts the HTML page source from the response, (injects user defined javascript methods, callbacks, click handlers, etc) and then loads it inside the iframe.

So as you can see, the security issues arise when all theese conditions are met:

• the app is running on Web
• SourceType.urlBypass is being used
• the webview uses the predefined proxy servers

A possible solution to this (if you need it to work on Web) would be to create your own proxy server and use that instead of the default public servers.

Now, to answer your questions:

1. Is this saying that we shouldn't host a page which requires normal username and password login in an Iframe?

• Only when using SourceType.urlBypass. You definitely can do it, but it's not recommended due to the default proxy servers being public. Refer to the possible solution above.

2. What about hosting an iframe with the normal SourceType.url, are pages that have a log in form not secure?

• No, this is fine. As long as the webpage you're trying to host allows iframe embeddings there's no problem in using SourceType.url.

I hope you understand that security warning now. Perhaps I should add this to the documentation issue.
Let me know if you have any other questions.

[ted-marozzi]

Thank you, thats perfect. Explains everything I need. Thanks for this package!