[TIMOB-16699] Windows Hybrid: Force all native calls to pass a security token
GitHub Issue | n/a |
---|---|
Type | Bug |
Priority | High |
Status | Closed |
Resolution | Fixed |
Resolution Date | 2014-03-26T06:54:32.000+0000 |
Affected Version/s | n/a |
Fix Version/s | 2014 Sprint 06, 2014 Sprint 06 Tooling, Release 3.3.0 |
Components | Windows Hybrid |
Labels | n/a |
Reporter | Chris Barber |
Assignee | Chris Barber |
Created | 2014-03-25T20:55:33.000+0000 |
Updated | 2017-03-16T21:52:05.000+0000 |
Description
As a security precaution, we need to generate a security token when the app is started and tell the Mobile Web app to pass it along with all requests so that rogue scripts can't access the native API endpoints.
Master pull request: https://github.com/appcelerator/titanium_mobile/pull/5533
3_2_X_hybrid pull request: https://github.com/appcelerator/titanium_mobile/pull/5534
To test, you need to have a WebView that loads an HTML page that does an XHR call to the socket listener on the native side and try to imitate the Titanium Mobile app. All calls will fail because you don't know the security token.
Closing ticket as the issue has been fixed.
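The token gate described in this ticket, modeled as an added JavaScript sketch; it is not code from the Titanium pull requests. The `x-security-token` header name, the request shape and the `/device/name` endpoint are assumptions made for illustration.

```javascript
// Added illustration, not Titanium's implementation. Header name, request
// shape and endpoint path are assumptions; sample values are constructed.
// Web Crypto is global in browsers and recent Node; older Node needs require.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Fresh, unguessable token generated once per app launch (256 bits as hex).
function newSessionToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Compare without returning early at the first mismatching character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Model of the native listener: the token check runs before any routing,
// so a caller without the token learns nothing about which endpoints exist.
function createNativeListener(endpoints) {
  const token = newSessionToken();
  function handle(request) {
    const presented = request.headers?.["x-security-token"];
    if (!constantTimeEqual(presented, token)) {
      return { status: 403, body: "invalid security token" };
    }
    const endpoint = endpoints.get(request.path);
    if (!endpoint) return { status: 404, body: "unknown endpoint" };
    return { status: 200, body: endpoint(request.body) };
  }
  // The token is handed only to the page the app itself loads.
  return { token, handle };
}

// The test from the ticket: a caller imitating the app without the token fails.
function demo() {
  const listener = createNativeListener(new Map([["/device/name", () => "constructed-device"]]));
  const call = (headers) => listener.handle({ path: "/device/name", headers });
  return {
    trusted: call({ "x-security-token": listener.token }).status,
    noToken: call({}).status,
    guessed: call({ "x-security-token": "0".repeat(64) }).status,
  };
}
```

Because the check precedes routing, a request without the token gets the same 403 for real and nonexistent endpoints.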