Thanks all for the information and suggestions on whitelisting. Very helpful!
Leo

-----Original Message-----
From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve
Sent: Wednesday, April 15, 2015 11:51 AM
To: dev
Subject: Re: Android 4.0 Blog Post

You can customize the tags per-platform via <platform name="android">...</platform>. Although, the new tags will be ignored by other platforms anyways, and <access> remains the way to whitelist network URLs. So, in practice I think things should mostly just work out.

On Wed, Apr 15, 2015 at 2:43 PM, Brian LeRoux <b...@brian.io> wrote:

> from a fictional blog post I should write: "3 ways to bulletproof your network"
>
> if you want to ensure your app only talks to domains you specify then:
>
> 1. do not include 3rd party scripts (or if you do make sure you trust them and maybe keep an eye out for document.write!)
> 2. use ssl for all your http traffic
> 3. only talk to external services through a proxy you run (and auth)
>
> On Wed, Apr 15, 2015 at 1:14 PM, Ian Clelland <iclell...@chromium.org> wrote:
>
> > On Wed, Apr 15, 2015 at 1:47 PM, Treggiari, Leo <leo.treggi...@intel.com> wrote:
> >
> > > If anyone has the time to educate me, then please pardon my ignorance.
> > >
> > > Then you're suggesting that if I'm writing a cross-platform app, I stick with the legacy whitelist plugin until all of the platforms I care about support new whitelisting? Or they already do support the new whitelisting?
> >
> > Most platforms *do not* support the new whitelisting. As of right now, it's Android 4.0.0, and iOS (4.0.x development branch).
> >
> > If you're building a cross-platform app, there are a couple of options, but they all come down to the fact that you need to use the old syntax for any platforms other than Android.
> >
> > 1. Install the legacy plugin, and use the same syntax for everything (easiest)
> >
> > 2. Install the new whitelist plugin, and have separate config.xml files for each platform. This may or may not be feasible, depending on your build system. You'll probably have to swap the config file out between builds of different platforms (I can't remember off-hand if there's any syntax in config.xml to have platform-dependent sections, but that would make this easier.)
> >
> > 3. Install the new whitelist plugin, and use *both* syntaxes in config.xml. The new plugin uses <access> tags for network requests, but not for navigation, so you'd have to include <allow-navigation> tags as well, if you have more than a single-page-app. You can include both kinds of tags, though, and the platforms will happily just pick out the ones they understand.
> >
> > > Thanks,
> > > Leo
> > >
> > > -----Original Message-----
> > > From: Joe Bowser [mailto:bows...@gmail.com]
> > > Sent: Wednesday, April 15, 2015 10:42 AM
> > > To: dev@cordova.apache.org
> > > Subject: Re: Android 4.0 Blog Post
> > >
> > > Isn't this why the Legacy Whitelist plugin exists?
> > >
> > > On Wed, Apr 15, 2015 at 10:40 AM Treggiari, Leo <leo.treggi...@intel.com> wrote:
> > >
> > > > I have a question. With the new whitelist support in Android, does that mean if I'm writing a cross-platform app, do I need to deal with whitelisting differently in Android and other platforms (at least until the other platforms 'catch up')? If not, thanks. If so, what would be the best way to handle the differences - perhaps using the merges functionality?
> > > >
> > > > Thanks,
> > > > Leo
> > > >
> > > > -----Original Message-----
> > > > From: agri...@google.com [mailto:agri...@google.com] On Behalf Of Andrew Grieve
> > > > Sent: Wednesday, April 15, 2015 10:18 AM
> > > > To: dev
> > > > Subject: Android 4.0 Blog Post
> > > >
> > > > The 4.0 release is posted to npm, and I've updated the blog post to work without the need for a tools release:
> > > >
> > > > I'd like to publish the blog post without waiting for a CLI release:
> > > > - I've updated the post to use plugins-from-git so it works without new CLI
> > > > - I've mentioned those can just wait for tools if they like
> > > > - This should give us some early adopter feedback in case there's a need for a 4.0.1
> > > >
> > > > https://github.com/cordova/apache-blog-posts/blob/master/2015-04-10-cordova-android-4.0.0.md
> > > >
> > > > Any objections?
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> > > > For additional commands, e-mail: dev-h...@cordova.apache.org
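
Option 3 from the thread above (both syntaxes in one config.xml, plus the <platform name="android"> section Andrew Grieve mentions), as an added example that is not part of the original messages or of Cordova's code: it models which origins a given platform ends up allowing for network requests and for navigation. The hosts are constructed placeholders, `effective_whitelist` and `NEW_WHITELIST_PLATFORMS` are hypothetical names, and it assumes that legacy platforms apply <access> to navigation as well as network requests.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (hosts are placeholders) using both syntaxes.
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
  <access origin="https://api.example.com" />
  <allow-navigation href="https://app.example.com/*" />
  <platform name="android">
    <access origin="https://android-only.example.com" />
  </platform>
</widget>"""

# Assumption for this sketch: the platforms that read the new tags.
NEW_WHITELIST_PLATFORMS = {"android"}


def local(tag):
    """Strip the XML namespace ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def effective_whitelist(config_xml, platform):
    """Return {'network': [...], 'navigation': [...]} as `platform` would read it."""
    root = ET.fromstring(config_xml)
    # Top-level tags apply everywhere; <platform name="x"> children only to x.
    scopes = [root] + [el for el in root
                       if local(el.tag) == "platform" and el.get("name") == platform]
    access, allow_nav = [], []
    for scope in scopes:
        for el in scope:
            if local(el.tag) == "access" and el.get("origin"):
                access.append(el.get("origin"))
            elif local(el.tag) == "allow-navigation" and el.get("href"):
                allow_nav.append(el.get("href"))
    if platform in NEW_WHITELIST_PLATFORMS:
        # New plugin: <access> covers network only; navigation needs its own tag.
        return {"network": access, "navigation": allow_nav}
    # Legacy syntax: only <access> is understood; the new tags are ignored.
    return {"network": access, "navigation": access}


if __name__ == "__main__":
    for name in ("android", "ios"):
        print(name, effective_whitelist(CONFIG_XML, name))
```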