WebView security model vs same-origin policy #31
Comments
Thanks for bringing this up @muodov! Access to cross-origin/3P web content (i.e. web content that is not owned by the host application) can have serious security/privacy implications (example). I think it makes sense to follow the web's security model here, since the web was designed to be composable through the use of iframes. Embedding web content in a native app can be thought of in the same way as having an iframe on your website, where the native app is the top-level context and the WebView is the iframe. The web contents of an iframe are only accessible if it's same-origin (which would map to being a 1P web page in the world of WebViews). However, this model would also block some valid use cases, like #4 (Building opinionated browsers). My thinking is that same-origin policies should be applied to WebViews, unless an app declares itself to be a browser (receives special browser permissions), or involves some form of user consent (similar to the extensions topic which came up in previous CG meetings; extensions allow an elevated level of control over web content, however they are explicitly installed by users). I'd love to hear more from people who build hybrid apps & modify 3P web content, since this doesn't technically fall under the "building a browser" scenario.
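The policy sketched in the comment above, written out as a decision function (an added example, not code from this thread or from the WebView proposal): it compares the origin of the page loaded in the WebView with the host app's own origin the way the same-origin policy does for iframes, then applies the two proposed exceptions. The `app` object shape, the `hostMayAccessWebView` name and the sample origins are assumptions.

```javascript
// Added example, not from the issue thread. Assumed app shape:
//   { origin, isBrowser, userConsentedOrigins }
// origin: the app's own ("1P") web origin; isBrowser: the app declared itself
// a browser; userConsentedOrigins: Set of origins the user explicitly granted.

// Serialized origin (scheme, host, port), the tuple the same-origin policy
// compares. Returns null for opaque origins (data:, about:blank, ...), which
// are never same-origin with anything.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin; // e.g. "https://app.example:8443"; default port omitted
}

// Mirrors the iframe rule: 1P (same-origin) content is accessible; 3P content
// is not, unless the app holds browser permissions or the user consented for
// that specific origin. Returns the decision and the rule that produced it.
function hostMayAccessWebView(app, pageUrl) {
  const appOrigin = originOf(app.origin);
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin !== null && pageOrigin === appOrigin) {
    return { allowed: true, reason: "same-origin (1P content)" };
  }
  if (app.isBrowser) {
    return { allowed: true, reason: "app declared itself a browser" };
  }
  if (pageOrigin !== null && app.userConsentedOrigins.has(pageOrigin)) {
    return { allowed: true, reason: "user consented for this origin" };
  }
  return { allowed: false, reason: "cross-origin (3P content)" };
}

// Constructed sample: a hybrid app that owns https://app.example and whose
// user granted access to one partner origin.
const hybridApp = {
  origin: "https://app.example",
  isBrowser: false,
  userConsentedOrigins: new Set(["https://partner.example"]),
};
```

Note that a scheme or port mismatch (http vs https, or an explicit non-default port) is cross-origin even when the host matches, exactly as for iframes.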
@rayankans @aluhrs13
Closing this as the conversation continues in #36
There have been a few conversations where security concerns were raised (1, 2, 3, 4, 5).
In particular, there seems to be a recurring question about whether same-origin policy should apply to the native context. Shall we discuss different perspectives here?