cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Braden Shepherdson <>
Subject Re: [android] How to remove the automatic default of <access origin="*"/>
Date Tue, 03 Dec 2013 18:30:26 GMT
There are two different files here: one is defaults.xml, which the CLI
takes as the basis for its platform config.xml. The other is the config.xml
that you get after running bin/create. In the CLI world, that second file
is immediately overwritten by one created from defaults.xml, the top-level
app config.xml, etc.

I support the second point of removing the <access origin="*" /> from the
CLI's hello world template app; it should be turned into a comment.

I don't think we should be including <access origin="*" /> by default
anywhere, unless we really do want to disable the whitelist on that
platform. And if we do want to disable it, why not in the native code
instead of allowing everything by default?


On Tue, Dec 3, 2013 at 8:04 AM, Michal Mocny <> wrote:

> On ios, the default config.xml file (aka the platform defaults) is bundled
> as part of the ios project template, and the project template is easy to
> override using flags to create script / CLI config options.  Easy, great.
> For android, the default config.xml file is bundled with the platform
> framework itself and not as part of the project template.  I assume this is
> not easy to fix, otherwise we would have made the change already?
> Since the <access> tag is additive (i.e. cannot just override it by
> appending), there is no way to remove that default without reaching in and
> editing cordova-android/framework/res/xml/config.xml file directly (either
> with a custom post-platform-add hook to run sed, or by forking
> cordova-android to change the default, both shitty options imho).
> Any suggestions on how to fix this?
> I was hoping to propose that we move the tag out of all the platform
> templates and instead add it to the hello-world app template -- but I think
> that won't work well with the platform-scripts workflow since that flow
> doesn't use an application level config.xml at all right now.
> Second, related issue: cordova-cli bundles a default application config.xml
> file, which also includes <access origin="*"/>.  I think this is just
> unnecessary and should be removed.
> -Michal
> p.s. as an aside, I thought we were moving the default platform config.xml
> out into a file called "defaults.xml"?  It seems only the good folks at
> blackberry have done that so far..

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message