cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lorin Beer <lorin.beer....@gmail.com>
Subject Re: Whitelist defaults
Date Fri, 02 Nov 2012 17:55:27 GMT
I'm not suggesting that it's useless, I think we are talking about '*'
being the default, and adding documentation on securing your app.


BriBri Say

> The more I think about this the more I think the default should be * and
> the functionality should be opt in with strong language in the
> documentation recommending this as a part of securing the app for release.


yes, this. +1

If 99% of people don't care, leave it to the 1% that does develop banking
apps and other software that requires security.

On Fri, Nov 2, 2012 at 9:36 AM, Anis KADRI <anis.kadri@gmail.com> wrote:

> Just because you guys don't like/use it doesn't mean it is useless. There
> are multiple cases where you want to have an access control list [1] So
> many apps can benefit from this features (I am thinking banking apps,
> etc...).
>
> If you don't care about security or you're developing the next best social
> app (that opens links all over the place) then you can * everything.
> However, I am sure that there are people out there that care about security
> and want this feature. While not protecting your app from every possible
> attack it certainly doesn't hurt.
>
> I agree that this feature should be documented in the getting started guide
> as well.
>
> [1] http://www.w3.org/TR/widgets-access/
>
> On Fri, Nov 2, 2012 at 2:17 AM, Jesse <purplecabbage@gmail.com> wrote:
>
> > I am with Fil, I never use it, and the first thing I do is * it.
> >
> > I think it also gives developers the impression that they just load
> > arbitrary untrusted content into their apps, and the whitelist will
> > protect them.
> >
> > Untrusted content will always need to be sanitized, however, having
> > the whitelist even prevents use of the InAppBrowser ( formerly
> > ChildBrowser ) plugin for it's main use-case.
> > If I were to make a twitter client with cordova, I would have to * the
> > whitelist so I could load links without exiting, and I would still
> > have to sanitize the data ...
> >
> > What use cases are we enabling by having the whitelist?
> >
> >
> >
> >
> >
> > On Fri, Nov 2, 2012 at 12:27 AM, Brian LeRoux <b@brian.io> wrote:
> > > I feel its a good feature for a release time but not so during
> > development
> > > time. So what ends up happening is the thing gets *, forgotten about,
> and
> > > negates the usefulness.
> > >
> > > I'm in favor of opening it up and using docs to guide how ppl should
> > secure
> > > their app for release/production.
> > >
> > >
> > > On Thu, Nov 1, 2012 at 10:30 PM, Filip Maj <fil@adobe.com> wrote:
> > >
> > >> Personally I think the whitelist is pretty useless...
> > >>
> > >> On 11/1/12 7:32 PM, "Ken Wallis" <kwallis@rim.com> wrote:
> > >>
> > >> >Not sure why the BlackBerry version white lists everything. We don't
> do
> > >> >that in WebWorks ;)
> > >> >
> > >> >
> > >> >
> > >> >From: Steven Gill
> > >> >To: dev@cordova.apache.org
> > >> >Reply To: dev@cordova.apache.org
> > >> >Re: Whitelist defaults
> > >> >2012-11-01 10:30:42 PM
> > >> >
> > >> >
> > >> >
> > >> >+1 to point it out in the getting started guides.
> > >> >On Nov 1, 2012 6:35 PM, "Marcel Kinard" wrote:
> > >> >
> > >> >> Also sounds like a good step/topic in the "getting started" guides.
> > >> >>
> > >> >> -- Marcel Kinard
> > >> >>
> > >> >> On 11/1/2012 8:36 PM, Dave Johnson wrote:
> > >> >>
> > >> >>> Yup agree it should whitelist nothing but it also needs to
be very
> > >> >>>clear
> > >> >>> in
> > >> >>> the log when we block a request that it's due to the whitelist.
> > >> >>>
> > >> >>> On Thursday, November 1, 2012, Shazron wrote:
> > >> >>>
> > >> >>> I concur with Kevin. It won't be much of a whitelist if no
one
> uses
> > it
> > >> >>>> -- I
> > >> >>>> would argue that if you set it to "*" by default, no dev
will
> > >> >>>>(usually)
> > >> >>>> change that, especially if they don't know there is a
whitelist
> in
> > the
> > >> >>>> first place.
> > >> >>>>
> > >> >>>>
> > >> >>>> On Thu, Nov 1, 2012 at 4:48 PM, Kevin Hawkins <
> > >> >>>> kevin.hawkins.cordova@gmail.**com > wrote:
> > >> >>>>
> > >> >>>> From a security perspective, I'm partial to the iOS (nothing)
> > default,
> > >> >>>>> recognizing of course that there are certain usability
drawbacks
> > to
> > >> >>>>>that
> > >> >>>>> approach.
> > >> >>>>>
> > >> >>>>> On Thu, Nov 1, 2012 at 4:34 PM, Filip Maj >
> > >> >>>>>
> > >> >>>> wrote:
> > >> >>>>
> > >> >>>>> Quick q: how come Android + BB's whitelists by default
whitelist
> > >> >>>>>> everything (*), but iOS does the opposite (whitelist
nothing)?
> > >> >>>>>>
> > >> >>>>>> I'd like to see this unified across all platforms
we support.
> > >> >>>>>>
> > >> >>>>>>
> > >> >>>>>>
> > >> >>
> > >> >
> > >> >---------------------------------------------------------------------
> > >> >This transmission (including any attachments) may contain
> confidential
> > >> >information, privileged material (including material protected by the
> > >> >solicitor-client or other applicable privileges), or constitute
> > >> >non-public information. Any use of this information by anyone other
> > than
> > >> >the intended recipient is prohibited. If you have received this
> > >> >transmission in error, please immediately reply to the sender and
> > delete
> > >> >this information from your system. Use, dissemination, distribution,
> or
> > >> >reproduction of this transmission by unintended recipients is not
> > >> >authorized and may be unlawful.
> > >>
> > >>
> >
> >
> >
> > --
> > @purplecabbage
> > risingj.com
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message