This question is locked. New answers and comments are not allowed.
We have a Cordova iOS/Android app, and we'd like to display some content from our server in an iframe. The server is also used for a webapp, and current policy is to send the X-Frame-Options SAMEORIGIN with all responses. This allows us to frame content in our webapp, but does not allow it in the mobile app.
I have experimented with the Content Security Policy instead of X-Frame-Options. For example, we can use
Content-Security-Policy: frame-ancestors 'self' file:
This does work on Android, but not on iOS. However, this opens a new security hole, as any local HTML file can now frame our content. We can mitigate the risk by setting this header only for resources needed by the app, but I'd still like to do better. Ideally, we would only allow iframes if we know the request is coming from our webapp or from the mobile app.
So I have a few questions:
1) How do we display an iframe in an iOS app? I've seen examples online using allow-navigation, but this does not seem to be available in Cordova for iOS 3.8.0.
2) Can we be any more specific with the file URL? Is there any consistency in the file URLs used by the mobile app?
3) Is there a way to know if a request is coming from a 'trusted app'? I can issue tokens from our server, but I don't know of any way to store those securely in the app.
4) Are there any other workarounds that I'm not thinking of?
Thanks for your input
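The mitigation the question sketches (relax frame-ancestors only on the resources the app embeds, keep SAMEORIGIN everywhere else) and the hole it describes (a scheme-only `file:` source matches every local file) can be modelled server-side. The following is an added example, not code from the question or from Cordova; the embedded path list, the site origin and the ancestor URLs are constructed, and the source matching is a simplified version of the CSP rules (no wildcards or port defaults).

```python
"""Added example: scope the frame-ancestors relaxation to app-embedded paths,
and a small frame-ancestors checker showing why `file:` admits any local page.
Paths, origins and ancestor URLs below are constructed for illustration."""
from urllib.parse import urlsplit

# Assumption: only these paths are embedded by the Cordova app; everything
# else keeps the stricter X-Frame-Options: SAMEORIGIN policy.
APP_EMBEDDED_PATHS = {"/embed/dashboard", "/embed/help"}
SITE_ORIGIN = "https://app.example.com"  # constructed sample origin


def framing_headers(path: str) -> dict:
    """Return the anti-framing header(s) to add for a given request path."""
    if path in APP_EMBEDDED_PATHS:
        # The Cordova WebView on Android loads its pages from file://, so the
        # embedded resources need the file: source in addition to 'self'.
        return {"Content-Security-Policy": "frame-ancestors 'self' file:"}
    return {"X-Frame-Options": "SAMEORIGIN"}


def _source_matches(source: str, ancestor: str, self_origin: str) -> bool:
    """Match one frame-ancestors source expression against an ancestor URL."""
    anc = urlsplit(ancestor)
    if source == "'self'":
        return f"{anc.scheme}://{anc.netloc}" == self_origin
    if source == "'none'":
        return False
    if source.endswith(":") and "/" not in source:
        # Scheme-only source: matches EVERY URL with that scheme. This is why
        # `file:` lets any local HTML file, not just the app's, frame the page.
        return anc.scheme == source[:-1]
    src = urlsplit(source)  # simplified: exact scheme and host[:port] match
    return (src.scheme, src.netloc) == (anc.scheme, anc.netloc)


def ancestor_allowed(csp_value: str, ancestor: str,
                     self_origin: str = SITE_ORIGIN) -> bool:
    """Decide whether `ancestor` may frame a response carrying `csp_value`."""
    directives = [d.strip() for d in csp_value.split(";") if d.strip()]
    for directive in directives:
        name, *sources = directive.split()
        if name == "frame-ancestors":
            return any(_source_matches(s, ancestor, self_origin) for s in sources)
    return True  # no frame-ancestors directive: CSP does not restrict framing
```

Running `ancestor_allowed("frame-ancestors 'self' file:", "file:///sdcard/any_local_page.html")` returns True, which is the exact weakness the question points out; the per-path header selection limits how much of the site is exposed to it.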