What about url schemes? I suppose they won't work unless we allow them using the CSP, but, do we have code to handle them?
I've been looking on the source code and *CDVUIWebViewNavigationDelegate.m, *on *shouldStartLoadWithRequest* ask *CDVViewController.m* for* shouldOpenExternalURL *that queries all the plugins for *shouldOpenExternalURL* method and uses *[[UIApplication sharedApplication] openURL:url];* to open the app. Anyway, the old legacy whitelist return *YES* only for *tel *scheme*, *and the new whitelist doesn't include that method, so I don't think removing the plugin will break anything, but is it already broken? or we should use the inAppBrowser plugins with _system to open other apps instead of the whitelist? 2015-11-10 3:18 GMT+01:00 Shazron <shaz...@gmail.com>: > Filed https://issues.apache.org/jira/browse/CB-9972 > > On Mon, Nov 9, 2015 at 5:18 PM, Carlos Santana <csantan...@gmail.com> > wrote: > > Shaz, > > Got some feedback but so far nothing extreme to block your proposal. > > > > The only concerned was my comments around iOS8 and lower and it looks > like CSP is the level of security it will get and that's fine. > > > > +1 to move forward > > > > - Carlos > > @csantanapr > > > >> On Nov 9, 2015, at 8:13 PM, Shazron <shaz...@gmail.com> wrote: > >> > >> Any updates on your end Carlos? Anyone else have any concerns? I'm > >> preparing a PR for review soon. > >> > >>> On Wed, Nov 4, 2015 at 2:42 PM, Carlos Santana <csantan...@gmail.com> > wrote: > >>> currently evaluating with some other folks at work, will provide > feedback > >>> soon. > >>> > >>> On Tue, Nov 3, 2015 at 11:07 PM Tommy-Carlos Williams < > to...@devgeeks.org> > >>> wrote: > >>> > >>>> +1 to letting the OS handle it. > >>>> > >>>>> On 4 Nov 2015, at 12:44, Jesse <purplecabb...@gmail.com> wrote: > >>>>> > >>>>> I completely support the proposal! > >>>>> > >>>>> > >>>>> @purplecabbage > >>>>> risingj.com > >>>>> > >>>>>> On Tue, Nov 3, 2015 at 5:35 PM, Shazron <shaz...@gmail.com> wrote: > >>>>>> > >>>>>> BUMP. This is important, and is causing a lot of pain for our users. > >>>>>> For example: > >>>>>> > >>>> > https://github.com/jessemonroy650/top-phonegap-mistakes/blob/master/the-whitelist-system.md > >>>>>> > >>>>>> > >>>>>>> On Mon, Nov 2, 2015 at 5:38 PM, Shazron <shaz...@gmail.com> wrote: > >>>>>>> To view contents of the PR easily: > >>>>>> > >>>> > https://github.com/shazron/cordova-discuss/blob/da7af6606848a1b7d96f4d5ee5402360bf5fd53c/proposals/ios-whitelist-removal.md > >>>>>>> > >>>>>>>> On Mon, Nov 2, 2015 at 5:36 PM, Shazron <shaz...@gmail.com> > wrote: > >>>>>>>> PR sent: https://github.com/cordova/cordova-discuss/pull/27 > >>>>>>>> > >>>>>>>>> On Mon, Nov 2, 2015 at 5:21 PM, Shazron <shaz...@gmail.com> > wrote: > >>>>>>>>> Sorry everyone -- I'm structuring it as a PR and will revert my > >>>>>>>>> commits. Will be easier to comment that way > >>>>>>>>> > >>>>>>>>>> On Mon, Nov 2, 2015 at 5:05 PM, Shazron <shaz...@gmail.com> > wrote: > >>>>>> > >>>> > https://github.com/cordova/cordova-discuss/blob/master/proposals/ios-whitelist-removal.md > >>>>>>>>>> > >>>>>>>>>> Comment here or there, etc. I've included flowcharts... > >>>>>>>>>> > >>>>>>>>>> tldr; remove the whitelist in cordova-ios-4.x. we are not good > at > >>>>>>>>>> security, let the OS handle it. > >>>>>> > >>>>>> > --------------------------------------------------------------------- > >>>>>> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > >>>>>> For additional commands, e-mail: dev-h...@cordova.apache.org > >>>>>> > >>>>>> > >>>> > >>>> --------------------------------------------------------------------- > >>>> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > >>>> For additional commands, e-mail: dev-h...@cordova.apache.org > >>>> > >>>> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > >> For additional commands, e-mail: dev-h...@cordova.apache.org > >> > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > > For additional commands, e-mail: dev-h...@cordova.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org > >
