I'm not suggesting that it's useless, I think we are talking about '*' being the default, and adding documentation on securing your app.
BriBri Say
> The more I think about this the more I think the default should be * and
> the functionality should be opt in with strong language in the
> documentation recommending this as a part of securing the app for release.

yes, this. +1

If 99% of people don't care, leave it to the 1% that does develop banking apps and other software that requires security.

On Fri, Nov 2, 2012 at 9:36 AM, Anis KADRI <anis.ka...@gmail.com> wrote:

> Just because you guys don't like/use it doesn't mean it is useless. There
> are multiple cases where you want to have an access control list [1] So
> many apps can benefit from this feature (I am thinking banking apps,
> etc...).
>
> If you don't care about security or you're developing the next best social
> app (that opens links all over the place) then you can * everything.
> However, I am sure that there are people out there that care about security
> and want this feature. While not protecting your app from every possible
> attack it certainly doesn't hurt.
>
> I agree that this feature should be documented in the getting started guide
> as well.
>
> [1] http://www.w3.org/TR/widgets-access/
>
> On Fri, Nov 2, 2012 at 2:17 AM, Jesse <purplecabb...@gmail.com> wrote:
>
> > I am with Fil, I never use it, and the first thing I do is * it.
> >
> > I think it also gives developers the impression that they just load
> > arbitrary untrusted content into their apps, and the whitelist will
> > protect them.
> >
> > Untrusted content will always need to be sanitized, however, having
> > the whitelist even prevents use of the InAppBrowser ( formerly
> > ChildBrowser ) plugin for its main use-case.
> > If I were to make a twitter client with cordova, I would have to * the
> > whitelist so I could load links without exiting, and I would still
> > have to sanitize the data ...
> >
> > What use cases are we enabling by having the whitelist?
> >
> > On Fri, Nov 2, 2012 at 12:27 AM, Brian LeRoux <b...@brian.io> wrote:
> >
> > > I feel it's a good feature for a release time but not so during development
> > > time. So what ends up happening is the thing gets *, forgotten about, and
> > > negates the usefulness.
> > >
> > > I'm in favor of opening it up and using docs to guide how ppl should secure
> > > their app for release/production.
> > >
> > >
> > > On Thu, Nov 1, 2012 at 10:30 PM, Filip Maj <f...@adobe.com> wrote:
> > >
> > >> Personally I think the whitelist is pretty useless...
> > >>
> > >> On 11/1/12 7:32 PM, "Ken Wallis" <kwal...@rim.com> wrote:
> > >>
> > >> >Not sure why the BlackBerry version white lists everything. We don't do
> > >> >that in WebWorks ;)
> > >> >
> > >> >From: Steven Gill
> > >> >To: dev@cordova.apache.org
> > >> >Reply To: dev@cordova.apache.org
> > >> >Re: Whitelist defaults
> > >> >2012-11-01 10:30:42 PM
> > >> >
> > >> >+1 to point it out in the getting started guides.
> > >> >On Nov 1, 2012 6:35 PM, "Marcel Kinard" wrote:
> > >> >
> > >> >> Also sounds like a good step/topic in the "getting started" guides.
> > >> >>
> > >> >> -- Marcel Kinard
> > >> >>
> > >> >> On 11/1/2012 8:36 PM, Dave Johnson wrote:
> > >> >>
> > >> >>> Yup agree it should whitelist nothing but it also needs to be very clear in
> > >> >>> the log when we block a request that it's due to the whitelist.
> > >> >>>
> > >> >>> On Thursday, November 1, 2012, Shazron wrote:
> > >> >>>
> > >> >>> I concur with Kevin. It won't be much of a whitelist if no one uses it -- I
> > >> >>>> would argue that if you set it to "*" by default, no dev will (usually)
> > >> >>>> change that, especially if they don't know there is a whitelist in the
> > >> >>>> first place.
> > >> >>>>
> > >> >>>>
> > >> >>>> On Thu, Nov 1, 2012 at 4:48 PM, Kevin Hawkins < kevin.hawkins.cordova@gmail.**com > wrote:
> > >> >>>>
> > >> >>>> From a security perspective, I'm partial to the iOS (nothing) default,
> > >> >>>>> recognizing of course that there are certain usability drawbacks to that
> > >> >>>>> approach.
> > >> >>>>>
> > >> >>>>> On Thu, Nov 1, 2012 at 4:34 PM, Filip Maj wrote:
> > >> >>>>
> > >> >>>>> Quick q: how come Android + BB's whitelists by default whitelist
> > >> >>>>>> everything (*), but iOS does the opposite (whitelist nothing)?
> > >> >>>>>>
> > >> >>>>>> I'd like to see this unified across all platforms we support.
> > >> >>>>>>
> > >> >>
> > >> >
> > >> >---------------------------------------------------------------------
> > >> >This transmission (including any attachments) may contain confidential
> > >> >information, privileged material (including material protected by the
> > >> >solicitor-client or other applicable privileges), or constitute
> > >> >non-public information. Any use of this information by anyone other than
> > >> >the intended recipient is prohibited. If you have received this
> > >> >transmission in error, please immediately reply to the sender and delete
> > >> >this information from your system. Use, dissemination, distribution, or
> > >> >reproduction of this transmission by unintended recipients is not
> > >> >authorized and may be unlawful.
> > >>
> > >>
> > >
> >
> > --
> > @purplecabbage
> > risingj.com