breautek commented on code in PR #1609: URL: https://github.com/apache/cordova-android/pull/1609#discussion_r1179471330
########## templates/project/res/xml/opener_paths.xml: ########## @@ -0,0 +1,14 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- https://developer.android.com/reference/android/support/v4/content/FileProvider.html#SpecifyFiles --> +<paths xmlns:android="http://schemas.android.com/apk/res/android";> Review Comment: > I guess one option would be for cordova-android to provide a default (mostly empty) implementation of this file, and then we update the cordova-plugin-file to use edit-config to add the rest of the paths at install time. As much as having cordova-plugin-file actually handle this kind of stuff, and it using `<edit-config>` to change the config where necessary might be the "correct" approach... `edit-config` directive is incredibly broken... in the sense that it's overly sensitive to detecting conflicts. So if two things are editing the same node, there's a high chance they won't work or be compatible together, even if they aren't touching or editing the same attribute. As for security risks... I'm not sure, I'm not entirely proficient in this area of Android either. So I'll need to do some reading. I do believe setting up a `FileProvider` does open the door to sharing files to third-party applications, which might be undesirable for some applications, especially if it's allowing `dataDirectory` files to be shared (which is normally a private storage container). But I'm not stating this with any kind of certainty... I think to **actually** share/expose a file to another app, the application must use [Context.grantUriPermission](https://developer.android.com/reference/android/content/Context.html#grantUriPermission(java.lang.String,%20android.net.Uri,%20int)) on the `content://` url. So just by having a FileProvider available might not be enough to share files, I think this needs to be confirmed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
