From: Michal Mocny
Date: Tue, 3 Mar 2015 13:12:08 -0500
Subject: Re: Android's new Whitelist Plugins
To: Michal Mocny
Cc: dev

(Added this note: https://github.com/apache/cordova-plugins/commit/3ed17046ea7efaeccda4c4ffe82bb351e8b966f1, let me know if it's inaccurate).

-Michal

On Tue, Mar 3, 2015 at 1:06 PM, Michal Mocny wrote:

> Ah, the bit about being mostly useful for pre-kitkat was context
> I was missing. Seems important to note at the start of the section. I'll
> update the README.
>
> On Tue, Mar 3, 2015 at 1:02 PM, Andrew Grieve wrote:
>
>> Like your ideas a lot. Updating the project template makes a lot of sense.
>>
>> Tried to make it clear in the README, so if any part was not clear please
>> fix it. But, the CSP tag is the more important bit, since can't
>> actually block all requests. The only reason to even leave in
>> there is to support pre-kitkat webviews, where no CSP support exists. CSP
>> is also used to set a navigation whitelist for subframes, which the native
>> side is not able to do.
>>
>> On Tue, Mar 3, 2015 at 11:22 AM, Michal Mocny wrote:
>>
>> > My thoughts:
>> >
>> > - The split between , , and : Like it a lot.
>> > - I think the defaults *for the plugin* are very reasonable. However, we
>> >   may want to provide a default set of tags for the hello world app. A year
>> >   or so ago we added a default access * whitelist and I think maybe we should
>> >   continue that. (On the other hand, I've gotten used to explicitly
>> >   whitelisting every url as part of chrome packaged app development and it's
>> >   not so bad).
>> > - Additionally, that means this plugin should be installed by default.
>> >   As we discussed this morning, with the new plugin --save functionality we
>> >   could just add this to the helloworld config.xml, I think!
>> > - Do you really need a CSP meta tag *and* declarations? That's
>> >   what the README.md implies, but I would assume CSP trumps?
>> >
>> > -Michal
>> >
>> > On Mon, Mar 2, 2015 at 9:38 PM, Andrew Grieve wrote:
>> >
>> > > I've tried to explain it in the plugin's readme:
>> > >
>> > > https://github.com/apache/cordova-plugins/tree/master/url-policy
>> > >
>> > > Some points for discussion:
>> > > - What should the default behaviour be for the three whitelists (what
>> > >   should happen if no whitelist plugin is installed).
>> > >   - right now it can't open external URLs
>> > >   - and can't do XHRs to http(s)
>> > > - Is the plugin name decent ("url-policy"). We should make a dedicated git
>> > >   repo for it (as well as for legacy-whitelist plugin)
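
To illustrate the point made in the thread that the CSP tag governs both network requests and subframe navigation, here is a simplified source-list evaluator, added as an example; it is not code from the thread or from the Cordova plugin. The policy string, the app origin `https://localhost` and the `example.*` hosts are constructed assumptions, and only scheme, host and wildcard-host sources are modelled (no paths, ports, nonces or hashes).

```javascript
// Added example. POLICY, SELF and the example.* hosts are constructed.
const SELF = 'https://localhost'; // assumed app origin
const POLICY = "default-src 'self'; connect-src 'self' https://api.example.com; " +
  'frame-src https://*.example.org';

// Request kind -> governing directive (frame-src's child-src fallback is omitted).
const DIRECTIVE_FOR = { xhr: 'connect-src', subframe: 'frame-src', image: 'img-src' };

function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === selfOrigin;
  // '*' never matches data: or blob:; only http(s) is modelled here.
  if (source === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false; // unsupported source form: fail closed
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  // "*.example.org" covers subdomains only, not example.org itself.
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

function isAllowed(policyText, kind, target, selfOrigin = SELF) {
  const policy = parsePolicy(policyText);
  // A missing directive falls back to default-src.
  const sources = policy.get(DIRECTIVE_FOR[kind]) ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((s) => sourceMatches(s, new URL(target), selfOrigin));
}

for (const [kind, url] of [['xhr', 'https://api.example.com/v1/items'],
  ['subframe', 'https://example.org/'], ['image', 'https://cdn.example.com/a.png']]) {
  console.log(kind, url, isAllowed(POLICY, kind, url) ? 'allowed' : 'blocked');
}
```

On the pre-KitKat webviews mentioned in the thread no CSP is enforced at all, so a check like this describes only CSP-capable webviews.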