We've had the discussion. So what is the decision/consensus? Leave as is, or add "*" to default settings for all, with a warning in the console log?
On Fri, Nov 2, 2012 at 11:33 AM, Joe Bowser <bows...@gmail.com> wrote: > On Fri, Nov 2, 2012 at 10:59 AM, Shazron <shaz...@gmail.com> wrote: > > Echoing Anis here. The easiest use case is for corporate use (internal), > > where any connections are restricted to a certain domain for paranoid IT > > types. > > > > I can see the case of us allowing everything _by default_ though (eg > adding > > the '*'), which really should have been the default so as to be > "backwards > > compatible" with how it was before the whitelist came in. The system > could > > detect this sole wildcard entry, and print out a warning in the console > > log, as well as the documentation of course pointing this out -- the > latter > > which we should have done in the first place. > > OK, that sounds cool, but does that mean that in six months, we're > going to deprecate this behaviour and get more aggressive with the > whitelist? > > BTW: In the event that the whitelist isn't found based on the code > that I'm looking at here, Android should block everything and fire > default web intents. If it's not doing this, that's a bug! When we > refer to defaults, are we referring to the config.xml that we're > circulating? > > Also, how are we testing this whitelisting feature? I can tell you > that doing it in JS alone wouldn't be enough. > > Joe >