'Zactly.

On 11/2/12 10:55 AM, "Lorin Beer" <lorin.beer....@gmail.com> wrote:

>I'm not suggesting that it's useless, I think we are talking about '*'
>being the default, and adding documentation on securing your app.
>
>
>BriBri Say
>
>> The more I think about this the more I think the default should be * and
>> the functionality should be opt in with strong language in the
>> documentation recommending this as a part of securing the app for
>> release.
>
>
>yes, this. +1
>
>If 99% of people don't care, leave it to the 1% that does develop banking
>apps and other software that requires security.
>
>On Fri, Nov 2, 2012 at 9:36 AM, Anis KADRI <anis.ka...@gmail.com> wrote:
>
>> Just because you guys don't like/use it doesn't mean it is useless. There
>> are multiple cases where you want to have an access control list [1]. So
>> many apps can benefit from this feature (I am thinking banking apps,
>> etc...).
>>
>> If you don't care about security or you're developing the next best social
>> app (that opens links all over the place) then you can * everything.
>> However, I am sure that there are people out there that care about security
>> and want this feature. While not protecting your app from every possible
>> attack it certainly doesn't hurt.
>>
>> I agree that this feature should be documented in the getting started guide
>> as well.
>>
>> [1] http://www.w3.org/TR/widgets-access/
>>
>> On Fri, Nov 2, 2012 at 2:17 AM, Jesse <purplecabb...@gmail.com> wrote:
>>
>> > I am with Fil, I never use it, and the first thing I do is * it.
>> >
>> > I think it also gives developers the impression that they just load
>> > arbitrary untrusted content into their apps, and the whitelist will
>> > protect them.
>> >
>> > Untrusted content will always need to be sanitized, however, having
>> > the whitelist even prevents use of the InAppBrowser ( formerly
>> > ChildBrowser ) plugin for its main use-case.
>> > If I were to make a twitter client with cordova, I would have to * the
>> > whitelist so I could load links without exiting, and I would still
>> > have to sanitize the data ...
>> >
>> > What use cases are we enabling by having the whitelist?
>> >
>> > On Fri, Nov 2, 2012 at 12:27 AM, Brian LeRoux <b...@brian.io> wrote:
>> > > I feel it's a good feature for a release time but not so during
>> > > development time. So what ends up happening is the thing gets *,
>> > > forgotten about, and negates the usefulness.
>> > >
>> > > I'm in favor of opening it up and using docs to guide how ppl should
>> > > secure their app for release/production.
>> > >
>> > >
>> > > On Thu, Nov 1, 2012 at 10:30 PM, Filip Maj <f...@adobe.com> wrote:
>> > >
>> > >> Personally I think the whitelist is pretty useless...
>> > >>
>> > >> On 11/1/12 7:32 PM, "Ken Wallis" <kwal...@rim.com> wrote:
>> > >>
>> > >> >Not sure why the BlackBerry version white lists everything. We don't do
>> > >> >that in WebWorks ;)
>> > >> >
>> > >> >
>> > >> >From: Steven Gill
>> > >> >To: dev@cordova.apache.org
>> > >> >Reply To: dev@cordova.apache.org
>> > >> >Re: Whitelist defaults
>> > >> >2012-11-01 10:30:42 PM
>> > >> >
>> > >> >
>> > >> >+1 to point it out in the getting started guides.
>> > >> >On Nov 1, 2012 6:35 PM, "Marcel Kinard" wrote:
>> > >> >
>> > >> >> Also sounds like a good step/topic in the "getting started" guides.
>> > >> >>
>> > >> >> -- Marcel Kinard
>> > >> >>
>> > >> >> On 11/1/2012 8:36 PM, Dave Johnson wrote:
>> > >> >>
>> > >> >>> Yup agree it should whitelist nothing but it also needs to be very
>> > >> >>> clear in the log when we block a request that it's due to the
>> > >> >>> whitelist.
>> > >> >>>
>> > >> >>> On Thursday, November 1, 2012, Shazron wrote:
>> > >> >>>
>> > >> >>>> I concur with Kevin. It won't be much of a whitelist if no one uses
>> > >> >>>> it -- I would argue that if you set it to "*" by default, no dev will
>> > >> >>>> (usually) change that, especially if they don't know there is a
>> > >> >>>> whitelist in the first place.
>> > >> >>>>
>> > >> >>>>
>> > >> >>>> On Thu, Nov 1, 2012 at 4:48 PM, Kevin Hawkins <kevin.hawkins.cordova@gmail.**com> wrote:
>> > >> >>>>
>> > >> >>>>> From a security perspective, I'm partial to the iOS (nothing) default,
>> > >> >>>>> recognizing of course that there are certain usability drawbacks to
>> > >> >>>>> that approach.
>> > >> >>>>>
>> > >> >>>>> On Thu, Nov 1, 2012 at 4:34 PM, Filip Maj wrote:
>> > >> >>>>>
>> > >> >>>>>> Quick q: how come Android + BB's whitelists by default whitelist
>> > >> >>>>>> everything (*), but iOS does the opposite (whitelist nothing)?
>> > >> >>>>>>
>> > >> >>>>>> I'd like to see this unified across all platforms we support.
>> > >>
>> > >
>> >
>> > --
>> > @purplecabbage
>> > risingj.com
>> >
>>