Return-Path: 
 <dev-return-16592-apmail-cordova-dev-archive=cordova.apache.org@cordova.apache.org>
X-Original-To: apmail-cordova-dev-archive@www.apache.org
Delivered-To: apmail-cordova-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 848D3DEAF
	for <apmail-cordova-dev-archive@www.apache.org>;
 Mon,  5 Nov 2012 23:31:56 +0000 (UTC)
Received: (qmail 62608 invoked by uid 500); 5 Nov 2012 23:31:56 -0000
Delivered-To: apmail-cordova-dev-archive@cordova.apache.org
Received: (qmail 62581 invoked by uid 500); 5 Nov 2012 23:31:56 -0000
Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@cordova.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@cordova.apache.org>
List-Post: <mailto:dev@cordova.apache.org>
List-Id: <dev.cordova.apache.org>
Reply-To: dev@cordova.apache.org
Delivered-To: mailing list dev@cordova.apache.org
Received: (qmail 62573 invoked by uid 99); 5 Nov 2012 23:31:56 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 05 Nov 2012 23:31:56 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of
 kevin.hawkins.cordova@gmail.com designates 209.85.212.177 as permitted
 sender)
Received: from [209.85.212.177] (HELO mail-wi0-f177.google.com)
 (209.85.212.177)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 05 Nov 2012 23:31:49 +0000
Received: by mail-wi0-f177.google.com with SMTP id hj13so2702090wib.0
        for <dev@cordova.apache.org>; Mon, 05 Nov 2012 15:31:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=5kKA2slcMRyWErwAlXAu9ofuZ48aLvtPVhdd4ziO7hg=;
        b=dWlsj7AbSXDwF6iqdaLIcMwqzv3viUgBdSar9GdhJGEHdOEa8PMcVJelzxMf6heT7w
         gHolAcUinkUuBtUhNd1stlQYaqssfiSM170ApKCxVWKXqGt8BeC/9l7dhnETT8lma5gf
         UZgAfnK1980PqZo7oCLLhGuOFDUoJYV518SoFzNTnrva52UuLUoCIOr7LjLsbxzY6XKq
         VDxNtXVudmFUJtTzpJzC81n2a50Q/lcc6efneJnnCKS/b4RFZV6u2TgltkEjxhgdeTi/
         PXIGYTMksZRW+J/7ediJzpYEZsvAz+IZ/PxemTwNHn10GG7BUABnXCpky5fL/Qpa7HGb
         qi9w==
MIME-Version: 1.0
Received: by 10.180.77.38 with SMTP id p6mr15560461wiw.1.1352158288469; Mon,
 05 Nov 2012 15:31:28 -0800 (PST)
Received: by 10.194.13.137 with HTTP; Mon, 5 Nov 2012 15:31:28 -0800 (PST)
In-Reply-To: 
 <CANpVHHyqvv4sdi18mDoe8THYabCMbgCfRbqCztZ01LnmPb+QsQ@mail.gmail.com>
References: <20121102023230.7774340.57294.351@rim.com>
	<CCB8A863.10AB4%fil@adobe.com>
	<CADVgkyP9NbhGeiG_Pnk=CmMZBeYxbr32fDRbLqY++TgYbvYe1Q@mail.gmail.com>
	<CAKP6k2sG3WbGi5cARt-JOv0JcdzkGmC+5WRG7=5cBug=78Qg9w@mail.gmail.com>
	<CANpVHHyqo5wS-T2oAYdOogGZPw9fh1qSrnN+Pa+H48sL+NgL+w@mail.gmail.com>
	<CAE6O_-bE-8hZ02Rph538_DWn9mwJowbLFb1U9Om3jHLhsL_HSQ@mail.gmail.com>
	<CAOBL_k4q2K+Ggnt3PUi4tA55JtYo3h+yaVM1xqNCRcXYpoXZ-g@mail.gmail.com>
	<CAE6O_-b__2rkXTXc=05wCk=FQ4NcQrMkUmiSw+BFMmz9LJkbFw@mail.gmail.com>
	<CANpVHHyqvv4sdi18mDoe8THYabCMbgCfRbqCztZ01LnmPb+QsQ@mail.gmail.com>
Date: Mon, 5 Nov 2012 15:31:28 -0800
Message-ID: 
 <CAMNA1ngPuJ6H2gK_72FiwG=8cumLq99HaqFvDMXBupTxyPvjrg@mail.gmail.com>
Subject: Re: Whitelist defaults
From: Kevin Hawkins <kevin.hawkins.cordova@gmail.com>
To: dev@cordova.apache.org
Content-Type: multipart/alternative; boundary=f46d043c7b4276e05904cdc7e249
X-Virus-Checked: Checked by ClamAV on apache.org

--f46d043c7b4276e05904cdc7e249
Content-Type: text/plain; charset=ISO-8859-1

In our customizations of our Cordova app, that's exactly what we did.  We
created a Cordova-Debug.plist and Cordova-Release.plist, and synced them
back to Cordova.plist as a Build Phase step.  I don't know that it's the
default behavior the Cordova community would want for template apps, but it
is doable anyway.

On Mon, Nov 5, 2012 at 3:22 PM, Anis KADRI <anis.kadri@gmail.com> wrote:

> I guess the consensus is to whitelist everything (*) all the time.
>
> My opinion is that there should be some dev mode where (*) is set and then
> a release mode where you'd specify your hosts.
>
>
> On Mon, Nov 5, 2012 at 3:11 PM, Shazron <shazron@gmail.com> wrote:
>
> > We've had the discussion. So what is the decision/consensus? Leave as is,
> > or add "*" to default settings for all, with a warning in the console
> log?
> >
> >
> >
> > On Fri, Nov 2, 2012 at 11:33 AM, Joe Bowser <bowserj@gmail.com> wrote:
> >
> > > On Fri, Nov 2, 2012 at 10:59 AM, Shazron <shazron@gmail.com> wrote:
> > > > Echoing Anis here. The easiest use case is for corporate use
> > (internal),
> > > > where any connections are restricted to a certain domain for paranoid
> > IT
> > > > types.
> > > >
> > > > I can see the case of us allowing everything _by default_ though (eg
> > > adding
> > > > the '*'), which really should have been the default so as to be
> > > "backwards
> > > > compatible" with how it was before the whitelist came in. The system
> > > could
> > > > detect this sole wildcard entry, and print out a warning in the
> console
> > > > log, as well as the documentation of course pointing this out -- the
> > > latter
> > > > which we should have done in the first place.
> > >
> > > OK, that sounds cool, but does that mean that in six months, we're
> > > going to deprecate this behaviour and get more aggressive with the
> > > whitelist?
> > >
> > > BTW: In the event that the whitelist isn't found based on the code
> > > that I'm looking at here, Android should block everything and fire
> > > default web intents.  If it's not doing this, that's a bug! When we
> > > refer to defaults, are we referring to the config.xml that we're
> > > circulating?
> > >
> > > Also, how are we testing this whitelisting feature? I can tell you
> > > that doing it in JS alone wouldn't be enough.
> > >
> > > Joe
> > >
> >
>

--f46d043c7b4276e05904cdc7e249--