cordova-dev mailing list archives

From Michal Mocny <mmo...@chromium.org>
Subject Re: Android's new Whitelist Plugins
Date Tue, 03 Mar 2015 18:12:08 GMT
(Added this note:
https://github.com/apache/cordova-plugins/commit/3ed17046ea7efaeccda4c4ffe82bb351e8b966f1,
let me know if it's inaccurate).

-Michal

On Tue, Mar 3, 2015 at 1:06 PM, Michal Mocny <mmocny@chromium.org> wrote:

> Ah, the bit about <access> being mostly useful for pre-kitkat was context
> I was missing.  Seems important to note at the start of the section.  I'll
> update the README.
>
> On Tue, Mar 3, 2015 at 1:02 PM, Andrew Grieve <agrieve@chromium.org>
> wrote:
>
>> Like your ideas a lot. Updating the project template makes a lot of sense.
>>
>> Tried to make it clear in the README, so if any part was not clear please
>> fix it. But, the CSP tag is the more important bit, since <access> can't
>> actually block all requests. The only reason to even leave <access> in
>> there is to support pre-kitkat webviews, where no CSP support exists. CSP
>> is also used to set a navigation whitelist for subframes, which the native
>> side is not able to do.
>>
>> On Tue, Mar 3, 2015 at 11:22 AM, Michal Mocny <mmocny@chromium.org>
>> wrote:
>>
>> > My thoughts:
>> >
>> > - The split between <allow-navigation>, <allow-intent>, and <access>: Like
>> > it a lot.
>> > - I think the defaults *for the plugin* are very reasonable.  However, we
>> > may want to provide a default set of tags for the hello world app.  A year
>> > or so ago we added a default access * whitelist and I think maybe we should
>> > continue that.  (on the other hand, I've gotten used to explicitly
>> > whitelisting every url as part of chrome packaged app development and it's
>> > not so bad).
>> >   - Additionally, that means this plugin should be installed by default.
>> > As we discussed this morning, with the new plugin --save functionality we
>> > could just add this to the helloworld config.xml, I think!
>> > - Do you really need a CSP meta tag *and* <access> declarations?   That's
>> > what the README.md implies, but I would assume CSP trumps?
>> >
>> > -Michal
>> >
>> > On Mon, Mar 2, 2015 at 9:38 PM, Andrew Grieve <agrieve@chromium.org>
>> > wrote:
>> >
>> > > I've tried to explain it in the plugin's readme:
>> > >
>> > > https://github.com/apache/cordova-plugins/tree/master/url-policy
>> > >
>> > > Some points for discussion:
>> > > - What should the default behaviour be for the three whitelists (what
>> > > should happen if no whitelist plugin is installed).
>> > >   - right now it can't open external URLs
>> > >   - and can't do XHRs to http(s)
>> > > - Is the plugin name decent ("url-policy"). We should make a dedicated git
>> > > repo for it (as well as for legacy-whitelist plugin)
>> > >
>> >
>>
>
>
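
As an added example (not part of the thread and not the plugin's own code), this Python check applies the point made above, that `<access>` alone cannot block all requests and that the CSP meta tag is what restricts subframes: it flags a project whose whitelist tags use wildcards or whose page carries no CSP. The `audit` function, the finding names and the sample `config.xml` / `index.html` contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

class CSPFinder(HTMLParser):
    """Collect the content of every CSP <meta http-equiv> tag in a page."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")

def audit(config_xml, index_html):
    """Return finding codes (hypothetical names) for a config.xml / index.html pair."""
    root = ET.fromstring(config_xml)
    def attr_values(tag, attr):
        # Match the tag with or without the widgets XML namespace.
        return [e.get(attr, "") for e in root.iter() if e.tag.split("}")[-1] == tag]

    finder = CSPFinder()
    finder.feed(index_html)
    findings = []
    if "*" in attr_values("access", "origin"):
        findings.append("access-wildcard")
    if "*" in attr_values("allow-navigation", "href"):
        findings.append("navigation-wildcard")
    if not finder.policies:
        # Only <access> is left, and it cannot block all requests.
        findings.append("no-csp")
    for policy in finder.policies:
        directives = {d.split()[0].lower() for d in policy.split(";") if d.strip()}
        # frame-src falls back to child-src, then default-src.
        if not directives & {"frame-src", "child-src", "default-src"}:
            findings.append("csp-no-subframe-restriction")
    return findings

# Constructed sample inputs: a permissive project and a restricted one.
WEAK_CONFIG = '''<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.hello">
  <access origin="*" />
</widget>'''
WEAK_HTML = "<html><head><title>Hello</title></head><body></body></html>"
STRICT_CONFIG = '''<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.hello">
  <access origin="https://api.example.com" />
  <allow-navigation href="https://example.com/*" />
  <allow-intent href="https://*/*" />
</widget>'''
STRICT_HTML = '''<html><head><meta http-equiv="Content-Security-Policy"
  content="default-src 'self'; connect-src https://api.example.com; frame-src 'none'">
</head><body></body></html>'''
```
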
