From: Michal Mocny
Date: Tue, 3 Mar 2015 13:06:13 -0500
Subject: Re: Android's new Whitelist Plugins
To: dev
Reply-To: dev@cordova.apache.org

Ah, the bit about being mostly useful for pre-kitkat was context I was missing. Seems important to note at the start of the section. I'll update the README.

On Tue, Mar 3, 2015 at 1:02 PM, Andrew Grieve wrote:

> Like your ideas a lot.
> Updating the project template makes a lot of sense.
>
> Tried to make it clear in the README, so if any part was not clear please fix it. But, the CSP tag is the more important bit, since can't actually block all requests. The only reason to even leave in there is to support pre-kitkat webviews, where no CSP support exists. CSP is also used to set a navigation whitelist for subframes, which the native side is not able to do.
>
> On Tue, Mar 3, 2015 at 11:22 AM, Michal Mocny wrote:
>
> > My thoughts:
> >
> > - The split between , , and : Like it a lot.
> > - I think the defaults *for the plugin* are very reasonable. However, we may want to provide a default set of tags for the hello world app. A year or so ago we added a default access * whitelist and I think maybe we should continue that. (on the other hand, I've gotten used to explicitly whitelisting every url as part of chrome packaged app development and it's not so bad).
> > - Additionally, that means this plugin should be installed by default. As we discussed this morning, with the new plugin --save functionality we could just add this to the helloworld config.xml, I think!
> > - Do you really need a CSP meta tag *and* declarations? That's what the README.md implies, but I would assume CSP trumps?
> >
> > -Michal
> >
> > On Mon, Mar 2, 2015 at 9:38 PM, Andrew Grieve wrote:
> >
> > > I've tried to explain it in the plugin's readme:
> > >
> > > https://github.com/apache/cordova-plugins/tree/master/url-policy
> > >
> > > Some points for discussion:
> > > - What should the default behaviour be for the three whitelists (what should happen if no whitelist plugin is installed).
> > >   - right now it can't open external URLs
> > >   - and can't do XHRs to http(s)
> > > - Is the plugin name decent ("url-policy"). We should make a dedicated git repo for it (as well as for legacy-whitelist plugin)