cordova-dev mailing list archives

From Anis KADRI <anis.ka...@gmail.com>
Subject Re: Whitelist defaults
Date Fri, 02 Nov 2012 16:36:47 GMT
Just because you guys don't like/use it doesn't mean it is useless. There
are multiple cases where you want to have an access control list [1]. So
many apps can benefit from this feature (I am thinking banking apps,
etc...).

If you don't care about security or you're developing the next best social
app (that opens links all over the place) then you can * everything.
However, I am sure that there are people out there that care about security
and want this feature. While not protecting your app from every possible
attack it certainly doesn't hurt.

I agree that this feature should be documented in the getting started guide
as well.

[1] http://www.w3.org/TR/widgets-access/

On Fri, Nov 2, 2012 at 2:17 AM, Jesse <purplecabbage@gmail.com> wrote:

> I am with Fil, I never use it, and the first thing I do is * it.
>
> I think it also gives developers the impression that they just load
> arbitrary untrusted content into their apps, and the whitelist will
> protect them.
>
> Untrusted content will always need to be sanitized, however, having
> the whitelist even prevents use of the InAppBrowser (formerly
> ChildBrowser) plugin for its main use-case.
> If I were to make a Twitter client with Cordova, I would have to * the
> whitelist so I could load links without exiting, and I would still
> have to sanitize the data ...
>
> What use cases are we enabling by having the whitelist?
>
>
>
>
>
> On Fri, Nov 2, 2012 at 12:27 AM, Brian LeRoux <b@brian.io> wrote:
> > I feel it's a good feature for a release time but not so during
> > development time. So what ends up happening is the thing gets *,
> > forgotten about, and negates the usefulness.
> >
> > I'm in favor of opening it up and using docs to guide how ppl should
> > secure their app for release/production.
> >
> >
> > On Thu, Nov 1, 2012 at 10:30 PM, Filip Maj <fil@adobe.com> wrote:
> >
> >> Personally I think the whitelist is pretty useless...
> >>
> >> On 11/1/12 7:32 PM, "Ken Wallis" <kwallis@rim.com> wrote:
> >>
> >> >Not sure why the BlackBerry version white lists everything. We don't do
> >> >that in WebWorks ;)
> >> >
> >> >
> >> >
> >> >From: Steven Gill
> >> >To: dev@cordova.apache.org
> >> >Reply To: dev@cordova.apache.org
> >> >Re: Whitelist defaults
> >> >2012-11-01 10:30:42 PM
> >> >
> >> >
> >> >
> >> >+1 to point it out in the getting started guides.
> >> >On Nov 1, 2012 6:35 PM, "Marcel Kinard" wrote:
> >> >
> >> >> Also sounds like a good step/topic in the "getting started" guides.
> >> >>
> >> >> -- Marcel Kinard
> >> >>
> >> >> On 11/1/2012 8:36 PM, Dave Johnson wrote:
> >> >>
> >> >>> Yup agree it should whitelist nothing but it also needs to be very
> >> >>> clear in the log when we block a request that it's due to the
> >> >>> whitelist.
> >> >>>
> >> >>> On Thursday, November 1, 2012, Shazron wrote:
> >> >>>
> >> >>>> I concur with Kevin. It won't be much of a whitelist if no one uses
> >> >>>> it -- I would argue that if you set it to "*" by default, no dev
> >> >>>> will (usually) change that, especially if they don't know there is
> >> >>>> a whitelist in the first place.
> >> >>>>
> >> >>>> On Thu, Nov 1, 2012 at 4:48 PM, Kevin Hawkins
> >> >>>> <kevin.hawkins.cordova@gmail.com> wrote:
> >> >>>>
> >> >>>>> From a security perspective, I'm partial to the iOS (nothing)
> >> >>>>> default, recognizing of course that there are certain usability
> >> >>>>> drawbacks to that approach.
> >> >>>>>
> >> >>>>> On Thu, Nov 1, 2012 at 4:34 PM, Filip Maj wrote:
> >> >>>>>
> >> >>>>>> Quick q: how come Android + BB's whitelists by default whitelist
> >> >>>>>> everything (*), but iOS does the opposite (whitelist nothing)?
> >> >>>>>>
> >> >>>>>> I'd like to see this unified across all platforms we support.
> >> >>>>>>
> >> >>
> >> >
> >>
> >>
>
>
>
> --
> @purplecabbage
> risingj.com
>
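
An added illustration, not part of this thread and not Cordova's implementation: a simplified allow-list check modeled on the W3C widget access rules cited in [1]. It compares the `*` default, the empty default and an explicit list, and returns a reason string that names the whitelist whenever a request is blocked. The entry shape, the `checkAccess` name and the sample hosts are assumptions made for the example.

```javascript
// Added example: simplified allow-list check modeled on W3C widget access
// rules. Not Cordova's code; entry shape and function names are assumptions.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// entries: [{ origin: '*' } | { origin: 'https://host', subdomains: bool }]
function checkAccess(entries, requestUrl) {
  let req;
  try {
    req = new URL(requestUrl);
  } catch (e) {
    return { allowed: false, reason: 'whitelist: unparseable URL ' + requestUrl };
  }
  for (const entry of entries) {
    if (entry.origin === '*') {
      return { allowed: true, reason: 'whitelist: matched wildcard *' };
    }
    const rule = new URL(entry.origin);
    const sameHost = req.hostname === rule.hostname;
    const subHost = entry.subdomains === true &&
      req.hostname.endsWith('.' + rule.hostname);
    if (req.protocol === rule.protocol && portOf(req) === portOf(rule) &&
        (sameHost || subHost)) {
      return { allowed: true, reason: 'whitelist: matched ' + entry.origin };
    }
  }
  return {
    allowed: false,
    reason: 'whitelist: blocked ' + req.origin + ' (no matching access entry)'
  };
}

// Constructed policies: the defaults discussed in the thread plus a strict list.
const allowAll = [{ origin: '*' }];
const allowNone = [];
const bankingApp = [{ origin: 'https://api.bank.example', subdomains: false },
                    { origin: 'https://cdn.bank.example', subdomains: true }];

for (const url of ['https://api.bank.example/balance',
                   'https://img.cdn.bank.example/logo.png',
                   'http://api.bank.example/balance',
                   'https://api.bank.example.evil.test/']) {
  console.log(url, '->', checkAccess(bankingApp, url).reason);
}
```

With the explicit list, the scheme downgrade and the look-alike host are both refused, and the returned reason is what a platform would write to its log so the developer can see the whitelist caused the block.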
