dpogue commented on PR #1132:
URL: https://github.com/apache/cordova-plugin-inappbrowser/pull/1132#issuecomment-4092721532

   > Why do you discourage people from using it?
   
   1. Often this plugin is used to show external websites without leaving the 
app. It's generally a better user experience to let the system browser handle 
that, or (if absolutely necessary) use an embedded system browser like 
SFSafariViewController or Chrome Custom Tabs. These use the actual system 
browser, which has access to things like existing cookies and session state 
from the system browser.
   
   2. Other times, people use this plugin to implement OAuth flows. That is 
incredibly insecure, and most major OAuth providers have started blocking 
WebView access to login pages.
   
   3. The reason for the security concerns is that this plugin allows an app to 
inject arbitrary JS and CSS into the loaded website. That makes it very easy 
for a malicious app to do things like injecting keylogging, or restyling a fake 
login page to look trustworthy. The plugin does not make the website URL 
visible by default and does not have the built-in anti-phishing detection that 
system browsers do.
   
   Unfortunately, lots of people have come to depend on that ability to inject 
arbitrary JS and CSS into arbitrary webpages despite that being an objectively 
terrible idea.

