cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michal Mocny <mmo...@chromium.org>
Subject Re: [android] How to remove the automatic default of <access origin="*"/>
Date Tue, 03 Dec 2013 20:09:07 GMT
Tommy, absolutely the default should remain *, as I said.

But I hope we can agree that it should also be possible to override the
default without requiring hacks.  iOS already supports this, so its a
matter of feature parity.

-Michal


On Tue, Dec 3, 2013 at 2:57 PM, Tommy Williams <tommy@devgeeks.org> wrote:

> Please don't go back to when every new dev had to struggle with the Google
> group or irc to find out why their ajax requests didn't work.
>
> There was a huuuuge discussion at the time that we chose to default to *
> On 04/12/2013 6:03 am, "Michal Mocny" <mmocny@chromium.org> wrote:
>
> > On Tue, Dec 3, 2013 at 1:30 PM, Braden Shepherdson <braden@chromium.org
> > >wrote:
> >
> > > There are two different files here: one is defaults.xml, which the CLI
> > > takes as the basis for its platform config.xml. The other is the
> > config.xml
> > > that you get after running bin/create. In the CLI world, that second
> file
> > > is immediately overwritten by one created from defaults.xml, the
> > top-level
> > > app config.xml, etc.
> > >
> >
> > Okay, thats what I thought we were doing, but I cannot find where/how the
> > defaults.xml is created in the first place.  I see now that it does exist
> > in my CLI projects, but seems not to exist inside our platforms nor CLI,
> > nor can I find the code that generates it.
> >
> >
> > >
> > > I support the second point of removing the <access origin="*" /> from
> the
> > > CLI's hello world template app; it should be turned into a comment.
> > >
> >
> > Seems this is redundant anyway given that the platforms provide this as a
> > default.  Regarding leaving it in as a comment: should we embed the full
> > spec as a comment?  If not, I would just leave a general description and
> > link to the spec docs online.
> >
> >
> > > I don't think we should be including <access origin="*" /> by default
> > > anywhere, unless we really do want to disable the whitelist on that
> > > platform. And if we do want to disable it, why not in the native code
> > > instead of allowing everything by default?
> > >
> >
> > I remember about a year ago we had a bunch of talks regarding the default
> > whitelist, and decided that almost every developer doesn't want to use a
> > whitelist and wants every request to be allowed by default.  For those
> few
> > devs that want this (false?) sense of security they can learn how to
> > opt-in, instead of having the same question on the user lists over and
> over
> > about how to opt-out.
> >
> > Changing the platforms to allow * by default is an interesting idea, but
> I
> > would rather see a solution that doesn't need that change.  Plus its a
> bit
> > less semantic/declarative aka more magical/surprising.
> >
> >
> > >
> > > Braden
> > >
> > >
> > > On Tue, Dec 3, 2013 at 8:04 AM, Michal Mocny <mmocny@google.com>
> wrote:
> > >
> > > > On ios, the default config.xml file (aka the platform defaults) is
> > > bundled
> > > > as part of the ios project template, and the project template is easy
> > to
> > > > override using flags to create script / CLI config options.  Easy,
> > great.
> > > >
> > > > For android, the default config.xml file is bundled with the platform
> > > > framework itself and not as part of the project template.  I assume
> > this
> > > is
> > > > not easy to fix, otherwise we would have made the change already?
> > > >
> > > > Since the <access> tag is additive (i.e. cannot just override it
by
> > > > appending), there is no way to remove that default without reaching
> in
> > > and
> > > > editing cordova-android/framework/res/xml/config.xml file directly
> > > (either
> > > > with a custom post-platform-add hook to run sed, or by forking
> > > > cordova-android to change the default, both shitty options imho).
> > > >
> > > > Any suggestions on how to fix this?
> > > >
> > > > I was hoping to propose that we move the tag out of all the platform
> > > > templates and instead add it to the hello-world app template -- but I
> > > think
> > > > that won't work well with the platform-scripts workflow since that
> flow
> > > > doesn't use an application level config.xml at all right now.
> > > >
> > > >
> > > > Second, related issue: cordova-cli bundles a default application
> > > config.xml
> > > > file, which also includes <access origin="*"/>.  I think this is
just
> > > > unnecessary and should be removed.
> > > >
> > > >
> > > > -Michal
> > > >
> > > > p.s. as an aside, I thought we were moving the default platform
> > > config.xml
> > > > out into a file called "defaults.xml"?  It seems only the good folks
> at
> > > > blackberry have done that so far..
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message