cordova-dev mailing list archives

From Jesse <purplecabb...@gmail.com>
Subject Re: Whitelist defaults
Date Mon, 05 Nov 2012 23:24:15 GMT
I have relaxed my position, as I can work around whatever the choice is.
It might be prudent to ask our users though.


On Mon, Nov 5, 2012 at 3:22 PM, Anis KADRI <anis.kadri@gmail.com> wrote:
> I guess the consensus is to whitelist everything (*) all the time.
>
> My opinion is that there should be some dev mode where (*) is set and then
> a release mode where you'd specify your hosts.
>
>
> On Mon, Nov 5, 2012 at 3:11 PM, Shazron <shazron@gmail.com> wrote:
>
>> We've had the discussion. So what is the decision/consensus? Leave as is,
>> or add "*" to default settings for all, with a warning in the console log?
>>
>>
>>
>> On Fri, Nov 2, 2012 at 11:33 AM, Joe Bowser <bowserj@gmail.com> wrote:
>>
>> > On Fri, Nov 2, 2012 at 10:59 AM, Shazron <shazron@gmail.com> wrote:
>> > > Echoing Anis here. The easiest use case is for corporate use (internal),
>> > > where any connections are restricted to a certain domain for paranoid IT
>> > > types.
>> > >
>> > > I can see the case of us allowing everything _by default_ though (eg adding
>> > > the '*'), which really should have been the default so as to be "backwards
>> > > compatible" with how it was before the whitelist came in. The system could
>> > > detect this sole wildcard entry, and print out a warning in the console
>> > > log, as well as the documentation of course pointing this out -- the latter
>> > > which we should have done in the first place.
>> >
>> > OK, that sounds cool, but does that mean that in six months, we're
>> > going to deprecate this behaviour and get more aggressive with the
>> > whitelist?
>> >
>> > BTW: In the event that the whitelist isn't found based on the code
>> > that I'm looking at here, Android should block everything and fire
>> > default web intents.  If it's not doing this, that's a bug! When we
>> > refer to defaults, are we referring to the config.xml that we're
>> > circulating?
>> >
>> > Also, how are we testing this whitelisting feature? I can tell you
>> > that doing it in JS alone wouldn't be enough.
>> >
>> > Joe
>> >
>>



-- 
@purplecabbage
risingj.com
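
The check discussed in the quoted messages (detect a wildcard whitelist entry and warn, with a stricter release mode) could look like the following. This is an added example, not code from the thread or from Cordova; it assumes whitelist entries are `<access origin="..."/>` elements in config.xml, and the function names and the dev/release `mode` switch are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real project).
WILDCARD_ONLY = '<widget xmlns="http://www.w3.org/ns/widgets"><access origin="*"/></widget>'
EXPLICIT_HOSTS = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="https://api.example.com"/>
  <access origin="https://cdn.example.com"/>
</widget>"""
NO_WHITELIST = '<widget xmlns="http://www.w3.org/ns/widgets"/>'


def access_origins(config_xml):
    """Return the origin of every <access> element, ignoring XML namespaces."""
    root = ET.fromstring(config_xml)
    return [el.get("origin", "").strip()
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "access"]


def audit_whitelist(config_xml, mode="release"):
    """Return a list of findings; an empty list means the whitelist passes.

    mode is a hypothetical switch: "dev" tolerates "*" with a warning,
    "release" treats it as an error so that hosts must be listed explicitly.
    """
    origins = access_origins(config_xml)
    findings = []
    if not origins:
        findings.append("ERROR: no <access> entries: nothing is whitelisted")
    for origin in origins:
        if origin == "*":
            level = "WARNING" if mode == "dev" else "ERROR"
            findings.append(level + ": origin '*' whitelists every host")
        elif not origin:
            findings.append("ERROR: <access> element with an empty origin")
    return findings


if __name__ == "__main__":
    samples = {"wildcard": WILDCARD_ONLY, "explicit": EXPLICIT_HOSTS,
               "missing": NO_WHITELIST}
    for name, xml_text in samples.items():
        for mode in ("dev", "release"):
            print(name, mode, audit_whitelist(xml_text, mode))
```
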
