From: Michal Mocny
Date: Tue, 3 Mar 2015 11:22:45 -0500
Subject: Re: Android's new Whitelist Plugins
To: dev

My thoughts:
- The split between , , and : Like it a lot.
- I think the defaults *for the plugin* are very reasonable. However, we may want to provide a default set of tags for the hello world app. A year or so ago we added a default access * whitelist and I think maybe we should continue that. (on the other hand, I've gotten used to explicitly whitelisting every url as part of chrome packaged app development and it's not so bad).
- Additionally, that means this plugin should be installed by default. As we discussed this morning, with the new plugin --save functionality we could just add this to the helloworld config.xml, I think!
- Do you really need a CSP meta tag *and* declarations? That's what the README.md implies, but I would assume CSP trumps?

-Michal

On Mon, Mar 2, 2015 at 9:38 PM, Andrew Grieve wrote:
> I've tried to explain it in the plugin's readme:
>
> https://github.com/apache/cordova-plugins/tree/master/url-policy
>
> Some points for discussion:
> - What should the default behaviour be for the three whitelists (what
> should happen if no whitelist plugin is installed).
>   - right now it can't open external URLs
>   - and can't do XHRs to http(s)
> - Is the plugin name decent ("url-policy"). We should make a dedicated git
> repo for it (as well as for legacy-whitelist plugin)