On Fri, Nov 2, 2012 at 10:59 AM, Shazron <shaz...@gmail.com> wrote: > Echoing Anis here. The easiest use case is for corporate use (internal), > where any connections are restricted to a certain domain for paranoid IT > types. > > I can see the case of us allowing everything _by default_ though (eg adding > the '*'), which really should have been the default so as to be "backwards > compatible" with how it was before the whitelist came in. The system could > detect this sole wildcard entry, and print out a warning in the console > log, as well as the documentation of course pointing this out -- the latter > which we should have done in the first place.
OK, that sounds cool, but does that mean that in six months, we're going to deprecate this behaviour and get more aggressive with the whitelist? BTW: In the event that the whitelist isn't found based on the code that I'm looking at here, Android should block everything and fire default web intents. If it's not doing this, that's a bug! When we refer to defaults, are we referring to the config.xml that we're circulating? Also, how are we testing this whitelisting feature? I can tell you that doing it in JS alone wouldn't be enough. Joe