ubuntu-phone team mailing list archive

Re: webapps and script injection

On Tue, 2015-04-14 at 04:39 +1000, Mitchell Reese wrote:

> Another question re security for webapps - url-dispatcher. Whilst I'm 
> loving using this, it's also clear how easy it is to create a webapp 
> that redirects traffic from other places, such as scopes. While I'm 
> making a point of listing when I use this (and telling users not to 
> install the app if they want to view said content in their browser), 
> there's currently no requirement to do this. Sure, users can simply 
> uninstall an app if it's giving them problems, but it seems that it 
> would also be easy to create a malicious app that 'redirects' lots of 
> urls, and potentially injects scripts into them from there. Even without 
> script injection this could be annoying...
> 
> Are there any processes in place to stop this from happening?


You can uninstall the app :-)

While we don't have it spec'd yet, I'd expect that when we allow
multiple people to register for a URL and we have to choose between them
we'll also allow for a default handler. So probably the first time on a
webapp you'd get the webapp and the browser, then you could choose to
default to the webapp. Currently this is decided by the "most specific"
entry, but we're going to have to give more configuration to the user
there eventually.

Ted