cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shazron <shaz...@gmail.com>
Subject Re: Whitelist defaults
Date Mon, 05 Nov 2012 23:11:11 GMT
We've had the discussion. So what is the decision/consensus? Leave as is,
or add "*" to default settings for all, with a warning in the console log?



On Fri, Nov 2, 2012 at 11:33 AM, Joe Bowser <bowserj@gmail.com> wrote:

> On Fri, Nov 2, 2012 at 10:59 AM, Shazron <shazron@gmail.com> wrote:
> > Echoing Anis here. The easiest use case is for corporate use (internal),
> > where any connections are restricted to a certain domain for paranoid IT
> > types.
> >
> > I can see the case of us allowing everything _by default_ though (eg
> adding
> > the '*'), which really should have been the default so as to be
> "backwards
> > compatible" with how it was before the whitelist came in. The system
> could
> > detect this sole wildcard entry, and print out a warning in the console
> > log, as well as the documentation of course pointing this out -- the
> latter
> > which we should have done in the first place.
>
> OK, that sounds cool, but does that mean that in six months, we're
> going to deprecate this behaviour and get more aggressive with the
> whitelist?
>
> BTW: In the event that the whitelist isn't found based on the code
> that I'm looking at here, Android should block everything and fire
> default web intents.  If it's not doing this, that's a bug! When we
> refer to defaults, are we referring to the config.xml that we're
> circulating?
>
> Also, how are we testing this whitelisting feature? I can tell you
> that doing it in JS alone wouldn't be enough.
>
> Joe
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message