Return-Path: X-Original-To: apmail-incubator-callback-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-callback-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 80C96C7E0 for ; Mon, 7 May 2012 20:34:38 +0000 (UTC) Received: (qmail 40730 invoked by uid 500); 7 May 2012 20:34:38 -0000 Delivered-To: apmail-incubator-callback-dev-archive@incubator.apache.org Received: (qmail 40700 invoked by uid 500); 7 May 2012 20:34:38 -0000 Mailing-List: contact callback-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: callback-dev@incubator.apache.org Delivered-To: mailing list callback-dev@incubator.apache.org Received: (qmail 40692 invoked by uid 99); 7 May 2012 20:34:38 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 May 2012 20:34:38 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of pmuellr@gmail.com designates 209.85.160.47 as permitted sender) Received: from [209.85.160.47] (HELO mail-pb0-f47.google.com) (209.85.160.47) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 May 2012 20:34:33 +0000 Received: by pbbrq2 with SMTP id rq2so5962486pbb.6 for ; Mon, 07 May 2012 13:34:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=2ce+vOdigzjmuHyQtBItOzxqXaWI/4skl7SD5XcEhH0=; b=rkNUfrm1g7Cz//NvQB9/NOxyEex/IdpYGKB6Dvf0AYedmCXYO19s9+FyNIsQjYO6F6 4Cht/X1Z3GqufY549ZeOviVb5mgy52iiDVIJfyqG0fXFxMZDol5ocqT8njI4EsKEIofr gGtBhDOKPvra7ME0tXxSrdX1FtsPGCPrrmkOAu4RplV0nJAl+DMzJbCooaAw/6s0pnV3 wZti4CESIY8p0Yfeh4C+Ps+0Rmrz3r7PJN+UL/Nc9vlZ8bJ0rP60zO+VvJ2gGkGR2uZ/ +b/Ff8TgIqk4AXgA4OahJuWBzionbY9VjpBckqrStu0KlaIRpfVoDJYwXsYwAGGYfNTW kF7Q== MIME-Version: 1.0 Received: by 10.50.219.170 with SMTP id pp10mr9009770igc.25.1336422853406; Mon, 07 May 2012 13:34:13 -0700 (PDT) Received: by 10.231.222.10 with HTTP; Mon, 7 May 2012 13:34:13 -0700 (PDT) In-Reply-To: References: Date: Mon, 7 May 2012 16:34:13 -0400 Message-ID: Subject: Re: Default Enable Plugins From: Patrick Mueller To: callback-dev@incubator.apache.org, justinlong@bigfoot.com Content-Type: multipart/alternative; boundary=14dae93403cf72719704bf783119 X-Virus-Checked: Checked by ClamAV on apache.org --14dae93403cf72719704bf783119 Content-Type: text/plain; charset=ISO-8859-1 On Mon, May 7, 2012 at 3:12 PM, Justin Long wrote: > I'd like to propose that in the Android Cordova project the webview that is > created enables plugins by default. I wanted to check with the community to > see if there were any possible risks, ... > Risks? With browser plugins? Nah, can't imagine that being a problem! I'm being facetious, of course, because "browser plugins" have been a pretty significant attack vector for malware over the years. I'm totally in favor of enabling this, but ... not by default. Worse case, if it can't fit into the existing Android startup configuration somehow, is to enable it with a new plugin. Kinda like I did with the iOS Remote Web Inspector plugin. Unless it's too late to enable it by the time the plugin loads - it might well be. Still, in any case, seems like it would be better to allow the user to opt-in to this, instead of having to opt-out. -- Patrick Mueller http://muellerware.org --14dae93403cf72719704bf783119--