Hello dev list,
I would like to discuss cdvfile: protocol whitelisting - whether it should be allowed by default. Looking into the issue CB-11305 [1] I've patched the file plugin Android code to enable cdvfile: in DOM requests and added a corresponding test. The test was failing in paramedic on Android because the default template does not allow cdvfile: access, so we need to add it to config.xml as an allow-navigation tag (or as an access tag + CSP rule). Mobilespec test app used custom config.xml [2]. There is also an old PR to the whitelist plugin allowing cdvfile: and content: schemes [3]. An alternative can be to include the allow-navigation tag to Android section of the File plugin.xml [4] (it's the way the PR for CB-11305 is done now). So what do you think about these 2 options? 1. Allow cdvfile: in Android whitelist by default, 2. Allow cdvfile: in Android section of File plugin.xml by default using allow-navigation tag. [1]: https://issues.apache.org/jira/browse/CB-11305 [2]: https://github.com/apache/cordova-mobile-spec/blob/ff9f2fa3acce67ccdb211d46ebb3a6d4213a7c5d/config.xml#L48 [3]: https://github.com/apache/cordova-plugin-whitelist/pull/9 [4]: https://github.com/apache/cordova-plugin-file/pull/182/commits/287158fc844e3825ff43080ef19f94f3e585ba00#diff-53f390d375398624afe1cfe1125f42bfR126 Best regards, Sergey Shakhnazarov.
