[CB-3576] Privately signed https links don't work in InAppBrowser

[montylee]

Privately signed https links don't work in InAppBrowser and are blocked by default on the InAppBrowser. A new option 'validatessl' has been added that can be specified while
launching the InAppBrowser:

window.open(url, '_blank', 'location=yes,validatessl=no');

Default value of 'validatessl' is 'yes'. This will allow users to ignore SSL certificate errors caused while opening self-signed https URLs

[infil00p]

When you say "privately signed", do you mean self-signed? I don't think we want to allow self-signed certificates to be viewed.

[montylee]

Yes I mean self signed certificate based URLs can't be opened in InAppBrowser. In the main PhoneGap web view you can open such URLs by simply overriding onReceivedSSLError() public method but the same can't be done for InAppBrowser. In all browsers on desktop and mobiles, you get an option of either blocking or proceeding with opening such URLs so basically you have a way of accessing self signed URLs.

Enterprise applications which rely on local web servers really need this functionality. And it's not that we are hard-coding inside the code to always allow self signed URLs. I have added an option so it's upto the user to decide what he wants on each invocation of InAppBrowser.

Right now, there is no way of opening self signed URLs inside InAppBrowser, so I wanted to add this functionality.

[montylee]

iOS pull request link: apache/cordova-ios#59

[montylee]

Any update on this pull request?

[chrispadfield]

Any update? This affects us as well; on enterprise intranets largely.

[agrieve]

Relevant bug: https://issues.apache.org/jira/browse/CB-3576
The resolution is that we should add an interstitial to the IAB, but I think it's a low priority currently and none of the core team is working on it.

[montylee]

closing this as this needs to be fixed by the Cordova team (including user confirmation dialog)