cordova-dev mailing list archives

From Shazron <shaz...@gmail.com>
Subject Re: Whitelist defaults
Date Mon, 05 Nov 2012 23:26:52 GMT
Well it's all or nothing. There is no "dev" mode with respect to the plist
itself as it is right now, unless we want to add yet another plist property.


On Mon, Nov 5, 2012 at 3:22 PM, Anis KADRI <anis.kadri@gmail.com> wrote:

> I guess the consensus is to whitelist everything (*) all the time.
>
> My opinion is that there should be some dev mode where (*) is set and then
> a release mode where you'd specify your hosts.
>
>
> On Mon, Nov 5, 2012 at 3:11 PM, Shazron <shazron@gmail.com> wrote:
>
> > We've had the discussion. So what is the decision/consensus? Leave as is,
> > or add "*" to default settings for all, with a warning in the console log?
> >
> >
> >
> > On Fri, Nov 2, 2012 at 11:33 AM, Joe Bowser <bowserj@gmail.com> wrote:
> >
> > > On Fri, Nov 2, 2012 at 10:59 AM, Shazron <shazron@gmail.com> wrote:
> > > > Echoing Anis here. The easiest use case is for corporate use (internal),
> > > > where any connections are restricted to a certain domain for paranoid IT
> > > > types.
> > > >
> > > > I can see the case of us allowing everything _by default_ though (e.g. adding
> > > > the '*'), which really should have been the default so as to be "backwards
> > > > compatible" with how it was before the whitelist came in. The system could
> > > > detect this sole wildcard entry, and print out a warning in the console
> > > > log, as well as the documentation of course pointing this out -- the latter
> > > > which we should have done in the first place.
> > >
> > > OK, that sounds cool, but does that mean that in six months, we're
> > > going to deprecate this behaviour and get more aggressive with the
> > > whitelist?
> > >
> > > BTW: In the event that the whitelist isn't found based on the code
> > > that I'm looking at here, Android should block everything and fire
> > > default web intents.  If it's not doing this, that's a bug! When we
> > > refer to defaults, are we referring to the config.xml that we're
> > > circulating?
> > >
> > > Also, how are we testing this whitelisting feature? I can tell you
> > > that doing it in JS alone wouldn't be enough.
> > >
> > > Joe
> > >
> >
>
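
An added example, not part of the thread or of Cordova's code: a build-time check that combines the two ideas discussed above, warning on a `*` whitelist entry in a development build and failing a release build that still has one. It assumes the whitelist is written as `<access origin="...">` elements in config.xml (the plist-based iOS settings are not covered); the sample files and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml files (not taken from the thread).
DEV_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="*" />
</widget>"""

RELEASE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="https://api.example.com" />
  <access origin="https://cdn.example.com" />
</widget>"""

MIXED_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="https://api.example.com" />
  <access origin="*" />
</widget>"""


def access_origins(config_xml):
    """Return the origin attribute of every <access> element, in any namespace."""
    root = ET.fromstring(config_xml)
    return [el.get("origin", "").strip()
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "access"]


def check_whitelist(config_xml, release=False):
    """Return (level, message) findings; '*' is a warning in dev, an error in release."""
    origins = access_origins(config_xml)
    findings = []
    if not origins:
        findings.append(("info", "no <access> entries: nothing is whitelisted"))
    if "*" in origins:
        level = "error" if release else "warning"
        findings.append((level, "whitelist contains '*': every host is allowed"))
        if len(origins) > 1:
            findings.append(("info", "the other entries have no effect next to '*'"))
    return findings


def passes(findings):
    """A build passes unless some finding is an error."""
    return all(level != "error" for level, _ in findings)


if __name__ == "__main__":
    for name, cfg in [("dev", DEV_CONFIG), ("release", RELEASE_CONFIG), ("mixed", MIXED_CONFIG)]:
        for level, msg in check_whitelist(cfg, release=(name != "dev")):
            print(f"{name}: {level}: {msg}")
```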
