cordova-dev mailing list archives

From Tommy-Carlos Williams <>
Subject Re: [android] How to remove the automatic default of <access origin="*"/>
Date Tue, 03 Dec 2013 20:13:49 GMT
Absolutely agree.

+1 for * as default, but just as importantly, +1 for never having to hax inside ./platforms/**/*
for this stuff.

We are already forced to use hooks to enforce ./platforms as a build artefact. Any progress
towards the great goal of being able to safely .gitignore the platforms makes me feel warm
and fuzzy. ;)

On 4 Dec 2013, at 7:09 am, Michal Mocny <> wrote:

> Tommy, absolutely the default should remain *, as I said.
> But I hope we can agree that it should also be possible to override the
> default without requiring hacks.  iOS already supports this, so it's a
> matter of feature parity.
> -Michal
> On Tue, Dec 3, 2013 at 2:57 PM, Tommy Williams <> wrote:
>> Please don't go back to when every new dev had to struggle with the Google
>> group or irc to find out why their ajax requests didn't work.
>> There was a huuuuge discussion at the time that we chose to default to *
>> On 04/12/2013 6:03 am, "Michal Mocny" <> wrote:
>>> On Tue, Dec 3, 2013 at 1:30 PM, Braden Shepherdson <> wrote:
>>>> There are two different files here: one is defaults.xml, which the CLI
>>>> takes as the basis for its platform config.xml. The other is the config.xml
>>>> that you get after running bin/create. In the CLI world, that second file
>>>> is immediately overwritten by one created from defaults.xml, the top-level
>>>> app config.xml, etc.
>>> Okay, that's what I thought we were doing, but I cannot find where/how the
>>> defaults.xml is created in the first place.  I see now that it does exist
>>> in my CLI projects, but seems not to exist inside our platforms nor CLI,
>>> nor can I find the code that generates it.
>>>> I support the second point of removing the <access origin="*" /> from the
>>>> CLI's hello world template app; it should be turned into a comment.
>>> Seems this is redundant anyway given that the platforms provide this as a
>>> default.  Regarding leaving it in as a comment: should we embed the full
>>> spec as a comment?  If not, I would just leave a general description and
>>> link to the spec docs online.
>>>> I don't think we should be including <access origin="*" /> by default
>>>> anywhere, unless we really do want to disable the whitelist on that
>>>> platform. And if we do want to disable it, why not in the native code
>>>> instead of allowing everything by default?
>>> I remember about a year ago we had a bunch of talks regarding the default
>>> whitelist, and decided that almost every developer doesn't want to use a
>>> whitelist and wants every request to be allowed by default.  For those few
>>> devs that want this (false?) sense of security they can learn how to
>>> opt-in, instead of having the same question on the user lists over and over
>>> about how to opt-out.
>>> Changing the platforms to allow * by default is an interesting idea, but I
>>> would rather see a solution that doesn't need that change.  Plus it's a bit
>>> less semantic/declarative aka more magical/surprising.
>>>> Braden
>>>> On Tue, Dec 3, 2013 at 8:04 AM, Michal Mocny <> wrote:
>>>>> On ios, the default config.xml file (aka the platform defaults) is bundled
>>>>> as part of the ios project template, and the project template is easy to
>>>>> override using flags to create script / CLI config options.  Easy, great.
>>>>> For android, the default config.xml file is bundled with the platform
>>>>> framework itself and not as part of the project template.  I assume this is
>>>>> not easy to fix, otherwise we would have made the change already?
>>>>> Since the <access> tag is additive (i.e. cannot just override it
>>>>> appending), there is no way to remove that default without reaching in and
>>>>> editing cordova-android/framework/res/xml/config.xml file directly (either
>>>>> with a custom post-platform-add hook to run sed, or by forking
>>>>> cordova-android to change the default, both shitty options imho).
>>>>> Any suggestions on how to fix this?
>>>>> I was hoping to propose that we move the tag out of all the platform
>>>>> templates and instead add it to the hello-world app template -- but I think
>>>>> that won't work well with the platform-scripts workflow since that flow
>>>>> doesn't use an application level config.xml at all right now.
>>>>> Second, related issue: cordova-cli bundles a default application config.xml
>>>>> file, which also includes <access origin="*"/>.  I think this is
>>>>> unnecessary and should be removed.
>>>>> -Michal
>>>>> p.s. as an aside, I thought we were moving the default platform config.xml
>>>>> out into a file called "defaults.xml"?  It seems only the good folks at
>>>>> blackberry have done that so far..
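
Added example, not part of the thread and not Cordova's own code: the post-platform-add workaround mentioned in the quoted message, written as plain Node string processing instead of sed. It removes live `<access origin="*"/>` entries from a config.xml string, leaves commented-out ones alone, and appends an explicit allow-list; the function names, sample XML and origins are constructed for illustration.

```javascript
// Constructed sample standing in for a platform config.xml (not copied from cordova-android).
const SAMPLE_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
    <!-- <access origin="*"/> inside a comment is not a live entry -->
    <access origin="*"/>
    <access origin = '*' subdomains="true" />
    <access origin="https://api.example.com"/>
    <content src="index.html"/>
</widget>
`;

// Match comments first so <access> elements inside them are skipped, not edited.
const COMMENT_OR_ACCESS = /<!--[\s\S]*?-->|[ \t]*<access\b[^>]*>(?:\s*<\/access>)?[ \t]*\r?\n?/g;
const ORIGIN_ATTR = /\sorigin\s*=\s*(["'])(.*?)\1/;

// Origin value of every live <access> element, in document order.
function listOrigins(xml) {
  const origins = [];
  for (const m of xml.matchAll(COMMENT_OR_ACCESS)) {
    const attr = m[0].startsWith("<!--") ? null : ORIGIN_ATTR.exec(m[0]);
    if (attr) origins.push(attr[2].trim());
  }
  return origins;
}

// Remove live wildcard entries, then append any allowed origin not already present.
function restrictAccess(xml, allowedOrigins) {
  for (const o of allowedOrigins) {
    // Refuse to reintroduce the wildcard or to write a value that breaks the attribute.
    if (o === "*" || /["<>&\s]/.test(o)) throw new Error(`refusing origin: ${o}`);
  }
  const stripped = xml.replace(COMMENT_OR_ACCESS, (m) => {
    if (m.startsWith("<!--")) return m;
    const attr = ORIGIN_ATTR.exec(m);
    return attr && attr[2].trim() === "*" ? "" : m;
  });
  const present = new Set(listOrigins(stripped));
  const additions = allowedOrigins
    .filter((o) => !present.has(o))
    .map((o) => `    <access origin="${o}"/>\n`)
    .join("");
  const close = stripped.lastIndexOf("</widget>");
  if (close === -1) throw new Error("no </widget> element found");
  return stripped.slice(0, close) + additions + stripped.slice(close);
}

const hardened = restrictAccess(SAMPLE_CONFIG, ["https://api.example.com", "https://cdn.example.com"]);
console.log(listOrigins(SAMPLE_CONFIG), "->", listOrigins(hardened));
```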
