from a fictional blog post I should write: "3 ways to bulletproof your network"
if you want to ensure your app only talks to domains you specify then: 1. do not include 3rd party scripts (or if you do make sure you trust them and maybe keep an eye out for document.write!) 2. use ssl for all your http traffic 3. only talk to external services through a proxy you run (and auth) On Wed, Apr 15, 2015 at 1:14 PM, Ian Clelland <iclell...@chromium.org> wrote: > On Wed, Apr 15, 2015 at 1:47 PM, Treggiari, Leo <leo.treggi...@intel.com> > wrote: > > > If anyone has the time to educate me, then please pardon my ignorance. > > > > Then you're suggesting that if I'm writing a cross-platform app, I stick > > with > > the legacy whitelist plugin until all of the platforms I care about > support > > new whitelisting? Or they already do support the new whitelisting? > > > > Most platforms *do not* support the new whitelisting. As of right now, it's > Android 4.0.0, and iOS (4.0.x development branch). > > If you're building a cross-platform app, there are a couple of options, but > they all come down to the fact that you need to use the old syntax for any > platforms other than Android. > > > 1. Install the legacy plugin, and use the same syntax for everything > (easiest) > > 2. Install the new whitelist plugin, and have separate config.xml files for > each platform. This may or may not be feasible, depending on your build > system. You'll probably have to swap the config file out between builds of > different platforms (I can't remember off-hand if there's any syntax in > config.xml to have platform-dependent sections, but that would make this > easier.) > > 3. Install the new whitelist plugin, and use *both* syntaxes in config.xml. > The new plugin uses <access> tags for network requests, but not for > navigation, so you'd have to include <allow-navigation> tags as well, if > you have more than a single-page-app. You can include both kinds of tags, > though, and the platforms will happily just pick out the ones they > understand. > > > > Thanks, > > Leo > > > > -----Original Message----- > > From: Joe Bowser [mailto:bows...@gmail.com] > > Sent: Wednesday, April 15, 2015 10:42 AM > > To: dev@cordova.apache.org > > Subject: Re: Android 4.0 Blog Post > > > > Isn't this why the Legacy Whitelist plugin exists? > > > > On Wed, Apr 15, 2015 at 10:40 AM Treggiari, Leo <leo.treggi...@intel.com > > > > wrote: > > > > > I have a question. With the new whitelist support in Android, does > that > > > mean if I'm writing a cross-platform app, do I need to deal with > > > whitelisting differently in Android and other platforms (at least until > > the > > > other platforms 'catch up')? If not, thanks. If so, what would be the > > > best way to handle the differences - perhaps using the merges > > functionality? > > > > > > Thanks, > > > Leo > > > > > > -----Original Message----- > > > From: agri...@google.com [mailto:agri...@google.com] On Behalf Of > Andrew > > > Grieve > > > Sent: Wednesday, April 15, 2015 10:18 AM > > > To: dev > > > Subject: Android 4.0 Blog Post > > > > > > The 4.0 release is posted to npm, and I've updated the blog post to > work > > > without the need for a tools release: > > > > > > I'd like to publish the blog post without waiting for a CLI release: > > > - I've updated the post to use plugins-from-git so it works without new > > CLI > > > - I've mentioned those can just wait for tools if they like > > > - This should give us some early adopter feedback in case there's a > need > > > for a 4.0.1 > > > > > > > > > > > > https://github.com/cordova/apache-blog-posts/blob/master/2015-04-10-cordova-android-4.0.0.md > > > > > > Any objections? > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > > > For additional commands, e-mail: dev-h...@cordova.apache.org > > > > > >
