Please don't go back to when every new dev had to struggle with the Google group or irc to find out why their ajax requests didn't work.
There was a huuuuge discussion at the time that we chose to default to * On 04/12/2013 6:03 am, "Michal Mocny" <[email protected]> wrote: > On Tue, Dec 3, 2013 at 1:30 PM, Braden Shepherdson <[email protected] > >wrote: > > > There are two different files here: one is defaults.xml, which the CLI > > takes as the basis for its platform config.xml. The other is the > config.xml > > that you get after running bin/create. In the CLI world, that second file > > is immediately overwritten by one created from defaults.xml, the > top-level > > app config.xml, etc. > > > > Okay, thats what I thought we were doing, but I cannot find where/how the > defaults.xml is created in the first place. I see now that it does exist > in my CLI projects, but seems not to exist inside our platforms nor CLI, > nor can I find the code that generates it. > > > > > > I support the second point of removing the <access origin="*" /> from the > > CLI's hello world template app; it should be turned into a comment. > > > > Seems this is redundant anyway given that the platforms provide this as a > default. Regarding leaving it in as a comment: should we embed the full > spec as a comment? If not, I would just leave a general description and > link to the spec docs online. > > > > I don't think we should be including <access origin="*" /> by default > > anywhere, unless we really do want to disable the whitelist on that > > platform. And if we do want to disable it, why not in the native code > > instead of allowing everything by default? > > > > I remember about a year ago we had a bunch of talks regarding the default > whitelist, and decided that almost every developer doesn't want to use a > whitelist and wants every request to be allowed by default. For those few > devs that want this (false?) sense of security they can learn how to > opt-in, instead of having the same question on the user lists over and over > about how to opt-out. > > Changing the platforms to allow * by default is an interesting idea, but I > would rather see a solution that doesn't need that change. Plus its a bit > less semantic/declarative aka more magical/surprising. > > > > > > Braden > > > > > > On Tue, Dec 3, 2013 at 8:04 AM, Michal Mocny <[email protected]> wrote: > > > > > On ios, the default config.xml file (aka the platform defaults) is > > bundled > > > as part of the ios project template, and the project template is easy > to > > > override using flags to create script / CLI config options. Easy, > great. > > > > > > For android, the default config.xml file is bundled with the platform > > > framework itself and not as part of the project template. I assume > this > > is > > > not easy to fix, otherwise we would have made the change already? > > > > > > Since the <access> tag is additive (i.e. cannot just override it by > > > appending), there is no way to remove that default without reaching in > > and > > > editing cordova-android/framework/res/xml/config.xml file directly > > (either > > > with a custom post-platform-add hook to run sed, or by forking > > > cordova-android to change the default, both shitty options imho). > > > > > > Any suggestions on how to fix this? > > > > > > I was hoping to propose that we move the tag out of all the platform > > > templates and instead add it to the hello-world app template -- but I > > think > > > that won't work well with the platform-scripts workflow since that flow > > > doesn't use an application level config.xml at all right now. > > > > > > > > > Second, related issue: cordova-cli bundles a default application > > config.xml > > > file, which also includes <access origin="*"/>. I think this is just > > > unnecessary and should be removed. > > > > > > > > > -Michal > > > > > > p.s. as an aside, I thought we were moving the default platform > > config.xml > > > out into a file called "defaults.xml"? It seems only the good folks at > > > blackberry have done that so far.. > > > > > >
