cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Shakhnazarov (Akvelon)" <v-ses...@microsoft.com>
Subject Android cdvfile: whitelisting
Date Mon, 30 May 2016 13:58:44 GMT
Hello dev list,



I would like to discuss cdvfile: protocol whitelisting - whether it should be allowed by default.

Looking into the issue CB-11305 [1] I've patched the file plugin Android code to enable cdvfile:
in DOM requests and added a corresponding test.

The test was failing in paramedic on Android because the default template does not allow cdvfile:
access, so we need to add it to config.xml as an allow-navigation tag (or as an access tag
+ CSP rule).



Mobilespec test app used custom config.xml [2].



There is also an old PR to the whitelist plugin allowing cdvfile: and content: schemes [3].



An alternative can be to include the allow-navigation tag to Android section of the File plugin.xml
[4] (it's the way the PR for CB-11305 is done now).



So what do you think about these 2 options?

1.      Allow cdvfile: in Android whitelist by default,

2.      Allow cdvfile: in Android section of File plugin.xml by default using allow-navigation
tag.



[1]: https://issues.apache.org/jira/browse/CB-11305

[2]: https://github.com/apache/cordova-mobile-spec/blob/ff9f2fa3acce67ccdb211d46ebb3a6d4213a7c5d/config.xml#L48

[3]: https://github.com/apache/cordova-plugin-whitelist/pull/9

[4]: https://github.com/apache/cordova-plugin-file/pull/182/commits/287158fc844e3825ff43080ef19f94f3e585ba00#diff-53f390d375398624afe1cfe1125f42bfR126



Best regards,

Sergey Shakhnazarov.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message