I'm not certain that this makes sense, but anyway... If a user is using CSP can we tell them to specify a single '*' entry for the network request whitelist (a.k.a. <access> tags)? If they are not using CSP, in spite of our recommendation, do the <access> tags provide an alternative, though inferior solution?
And, is this different for the Android platform which already supports the new whitelist plugin? Thanks, Leo -----Original Message----- From: Shazron [mailto:shaz...@gmail.com] Sent: Monday, July 20, 2015 3:24 PM To: dev@cordova.apache.org Subject: [iOS] proposed major whitelist change https://github.com/apache/cordova-plugin-whitelist Previously, the initial implementation for the plugin for iOS didn't support the <access> tag, but that proved problematic since not supporting it meant all *native* code network connections were effectively blacklisted. I added the support back in, but this will end up confusing the user even more. Right now we are recommending that the user support CSP, but that only works in the context of the WebView (whether UIWebView or WKWebView) - ie xhr, images, etc. If the user specified a CSP src for access to a domain in their .html, but did not specify an <access> tag for that domain, the connection will fail (since the native code whitelist filters all network connections). So this in effect doubles the number of declarations needed -- a CSP policy needs to have its mirror in the <access> tag. You can see where this can get confusing. We could have a dynamic CSP parser in native code to dynamically "generate" access tags but that will add on more complexity (but this would be best workaround). I propose that we get rid of the native code whitelist (effectively allowing all connections) and rely on CSP only. I'm not sure that having a native code whitelist can really be truly secure, with the dynamic nature of Objective-C this is just a façade anyway. In any case, native code whitelisting will only work on UIWebView, there is no way our current whitelisting system will work on WKWebView at all -- more fodder for us to abandon our whitelisting system. The whitelisting should really be handled lower level by the system, and indeed this is coming in iOS 9 with Application Transport Security (ATS): https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html#//apple_ref/doc/uid/TP40016240 The ATS whitelisting is through new tags in Info.plist, and we will have to map our existing whitelist tags to ATS when the time comes.
