cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jesse <purplecabb...@gmail.com>
Subject Re: Whitelist defaults
Date Fri, 02 Nov 2012 09:17:18 GMT
I am with Fil, I never use it, and the first thing I do is * it.

I think it also gives developers the impression that they just load
arbitrary untrusted content into their apps, and the whitelist will
protect them.

Untrusted content will always need to be sanitized, however, having
the whitelist even prevents use of the InAppBrowser ( formerly
ChildBrowser ) plugin for it's main use-case.
If I were to make a twitter client with cordova, I would have to * the
whitelist so I could load links without exiting, and I would still
have to sanitize the data ...

What use cases are we enabling by having the whitelist?





On Fri, Nov 2, 2012 at 12:27 AM, Brian LeRoux <b@brian.io> wrote:
> I feel its a good feature for a release time but not so during development
> time. So what ends up happening is the thing gets *, forgotten about, and
> negates the usefulness.
>
> I'm in favor of opening it up and using docs to guide how ppl should secure
> their app for release/production.
>
>
> On Thu, Nov 1, 2012 at 10:30 PM, Filip Maj <fil@adobe.com> wrote:
>
>> Personally I think the whitelist is pretty useless...
>>
>> On 11/1/12 7:32 PM, "Ken Wallis" <kwallis@rim.com> wrote:
>>
>> >Not sure why the BlackBerry version white lists everything. We don't do
>> >that in WebWorks ;)
>> >
>> >
>> >
>> >From: Steven Gill
>> >To: dev@cordova.apache.org
>> >Reply To: dev@cordova.apache.org
>> >Re: Whitelist defaults
>> >2012-11-01 10:30:42 PM
>> >
>> >
>> >
>> >+1 to point it out in the getting started guides.
>> >On Nov 1, 2012 6:35 PM, "Marcel Kinard" wrote:
>> >
>> >> Also sounds like a good step/topic in the "getting started" guides.
>> >>
>> >> -- Marcel Kinard
>> >>
>> >> On 11/1/2012 8:36 PM, Dave Johnson wrote:
>> >>
>> >>> Yup agree it should whitelist nothing but it also needs to be very
>> >>>clear
>> >>> in
>> >>> the log when we block a request that it's due to the whitelist.
>> >>>
>> >>> On Thursday, November 1, 2012, Shazron wrote:
>> >>>
>> >>> I concur with Kevin. It won't be much of a whitelist if no one uses
it
>> >>>> -- I
>> >>>> would argue that if you set it to "*" by default, no dev will
>> >>>>(usually)
>> >>>> change that, especially if they don't know there is a whitelist
in the
>> >>>> first place.
>> >>>>
>> >>>>
>> >>>> On Thu, Nov 1, 2012 at 4:48 PM, Kevin Hawkins <
>> >>>> kevin.hawkins.cordova@gmail.**com > wrote:
>> >>>>
>> >>>> From a security perspective, I'm partial to the iOS (nothing) default,
>> >>>>> recognizing of course that there are certain usability drawbacks
to
>> >>>>>that
>> >>>>> approach.
>> >>>>>
>> >>>>> On Thu, Nov 1, 2012 at 4:34 PM, Filip Maj >
>> >>>>>
>> >>>> wrote:
>> >>>>
>> >>>>> Quick q: how come Android + BB's whitelists by default whitelist
>> >>>>>> everything (*), but iOS does the opposite (whitelist nothing)?
>> >>>>>>
>> >>>>>> I'd like to see this unified across all platforms we support.
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>
>> >
>> >---------------------------------------------------------------------
>> >This transmission (including any attachments) may contain confidential
>> >information, privileged material (including material protected by the
>> >solicitor-client or other applicable privileges), or constitute
>> >non-public information. Any use of this information by anyone other than
>> >the intended recipient is prohibited. If you have received this
>> >transmission in error, please immediately reply to the sender and delete
>> >this information from your system. Use, dissemination, distribution, or
>> >reproduction of this transmission by unintended recipients is not
>> >authorized and may be unlawful.
>>
>>



-- 
@purplecabbage
risingj.com

Mime
View raw message