Cwa-app-ios: Reason for stricter QR code validation regex
@johannesrohwer
We used the broader QR validation, which was available till commit c0e3d6d5843711aa43642acb7565b44cf3f289b0, to allow our patient to also scan the QR code with the native camera apps in order to get to a page where they can also access the test result.
Is there any chance to reverse the change in the regex to allow again arbitrary domains and protocols?
wienand
All 6 comments
No, the stricter validation prevent the security issues that QR Codes with private test results are scanned with the native camera and the QR Code are send to any web server which could log the QR Codes and private information of the user and access test result information of the user.
There is also strict guideline how a CWA QR Code has to be formatted.
thomasaugsten
on 22 Oct 2020
How could that be an issue?
The QR codes are issued either by the KBV or by a lab. The KBV uses the localhost style and the lab has access to much more information and also has to store a reference from the GUID to the lab order to submit the result to the CWA infrastructure.
Alternatively, is there a possibility to whitelist some domains?
Also from UX perspective it is desirable that the patient get more then an error when scanning the QR code with their camera app.
wienand
on 22 Oct 2020
The issue is we cannot ensure that the encoded URL is owned by a company which is allowed to see the GUID and is allowed to log private information. There are multiple reason like for example the DNS of website is manipulated, the user uses a proxy or similar thinks.
We can also not ensure that URL is owned directly by the lab which is allowed to handle such information and not by any sub contractor.
We know the scanning via native camera is not the best experience but only in the CWA the user can warn other people.
But at the end it is the decision of the KBV how open the guideline for CWA QR Code is. Our task is only to implement this guideline
thomasaugsten
on 22 Oct 2020
Thanks for the reply, then we know what we can work with. Do you have a link for the guidelines?
wienand
on 22 Oct 2020
Maybe the error message while scanning a not valid QR-Code should be changed. Currently is says "Befund nicht gefunden" (result not found) and goes on with suggesting to try is again in a different angle oder with light.
Hence patient may assume that their result is just not available currently and will try from time to time again, especially if this is their first test and they do not know what the standard flow is.
I would suggest something like "Ung眉ltige Code, bitte wenden Sie sich an die Teststelle".
wienand
on 25 Oct 2020
Hi @wienand,
thanks for contributing here. We think that the message has improved significantly and is more helpful to the user now.
EN
DE
dsarkar
on 11 Feb 2021
Related issues
mw76
路
3Comments
avenius
路
3Comments
janberlin
路
3Comments
Lhendrichs
路
3Comments
rsplaul
路
3Comments
Most helpful comment
Maybe the error message while scanning a not valid QR-Code should be changed. Currently is says "Befund nicht gefunden" (result not found) and goes on with suggesting to try is again in a different angle oder with light.
Hence patient may assume that their result is just not available currently and will try from time to time again, especially if this is their first test and they do not know what the standard flow is.
I would suggest something like "Ung眉ltige Code, bitte wenden Sie sich an die Teststelle".