Mixed content forbids to load cdvfile:// from remote https page

[guylando]

This plugin is supposed to allow to load images via:
<img src="cdvfile://localhost/assets/www/images/img.svg" />
on android
<img src="cdvfile://localhost/bundle/www/images/img.svg" />
on ios,
if the csp tag has cdvfiile://* whitelisted for img-src.

However when using this from a remotely https loaded page its considered "mixed content" and ios warns about it but android totally blocks it with the error:

Mixed Content: The page at 'https://www.site.com' was loaded over HTTPS, but requested an insecure image 'cdvfile://localhost/assets/www/images/img.svg'. This request has been blocked; the content must be served over HTTPS.

Is there any way to bypass this using some config.xml whitelisting tags?
allow-intent and allow-navigation tags have anything to do with this?

I had the following in config.xml:

<access origin="*" />
<access origin="cdvfile://*" />

Or is cdvfile not supported for https loaded remote pages? In that case I suggest to write a note about this in the cdvfile documentation which currently says nothing about it.

NOTE: For script loading this error happens on ios too because scripts are not passive content, see:

https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content#Mixed_passivedisplay_content

https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content

UPDATE1: On android after changing webview mixed content policy there is a new error: net::ERR_UNKNOWN_URL_SCHEME
(mixed content policy changed using https://developer.android.com/reference/android/webkit/WebSettings.html#MIXED_CONTENT_ALWAYS_ALLOW)

UPDATE2: Works on android and ERR_UNKNOWN_URL_SCHEME is solved because was caused by wrong local url (cdvfile://localhost/bundle instead of cdvfile://localhost/assets) so fixing the url solved it and now it works on android. In general the LocalFilesystemURL handles files if path is correct and if path is not correct then it doesn't handle the url scheme at all causing android to throw ERR_UNKNOWN_URL_SCHEME error. I think this is unexpected and LocalFilesystemURL should handle cdvfile even if path is incorrect.

NOTE: The following IS NOT NEEDED for cdvfile to work on android:
<allow-intent href="cdvfile://*" />

[guylando]

Created a PR to solve this on ios
#296

[syonip]

I've made a PR fixing this on android, as I don't feel comfortable degrading the security of the webview just to load a local file.
#322

[guylando]

An explanation of why I do not consider this a degradation of security: https://stackoverflow.com/questions/33178774/how-to-load-cordova-js-from-a-remote-website/54974404?noredirect=1#comment99341344_54974404

[gwynjudd]

For iOS, what about using WKURLSchemeHandler to intercept the requests for cdvfile: and handle them appropriately? I haven't yet tried it, but it looks promising:

https://developer.apple.com/documentation/webkit/wkurlschemehandler?language=objc
https://medium.com/glose-team/custom-scheme-handling-and-wkwebview-in-ios-11-72bc5113e344

[gwynjudd]

So I did a very quick test of WKURLSchemeHandler, it seems to work. I didn't require config.xml changes or content security policy changes.

[guylando]

@gwynjudd file plugin already has handler for urls so the change I did used existing functionality instead of adding new WKURLSchemeHandler. ALSO the mixed content policy is related to the browser engine and not cordova and referencing cdvfile: in https site will be a violation of mixed content policy no matter how you handle the cdvfile request

[janpio]

I looked at both #296 and #322 to get these PRs closer to merging.

Before merging these, we will have to have a discussion about the security aspect on the developer mailing list, I want to get some more eyeballs on this as it could really open up a can of worms (which we had in the past for InAppBrowser).

---

@syonip In https://stackoverflow.com/questions/33178774/how-to-load-cordova-js-from-a-remote-website/54974404?noredirect=1#comment99330504_54974404 you wrote that you "didn't want to change security settings in the webview". Did this refer to @guylando 's implementation or the suggestion to use MIXED_CONTENT_ALWAYS_ALLOW on Android?

[syonip]

@janpio Yes, both.
I'm not really sure if there is an actual security threat here, or a scenario in which allowing mixed content exposes users to anything, but I thought that if we can avoid changing the security mode of the web view it would be preferred.

[syonip]

I was referring to the android mixed content consideration, and guy's suggestion to change to MIXED_CONTENT_ALWAYS_ALLOW, not the IOS implementation.

[janpio]

Ok, so #322 represents the "safe" option - and we are actively working on getting that ready to merge. I have also asked @guylando for feedback in his #296.