Hello all,

Thanks for your answers.

I understand that new features will only be available on the master release, 
with no backport.
I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on 
cordova-android 7.x:
https://github.com/fechanique/cordova-plugin-fcm/issues/470
https://github.com/fechanique/cordova-plugin-fcm/issues/535

About the security issue:
I found an example here: 
https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/
It's about loadUrl with a file:// type URL.
In the Cordova plugin whitelist doc, it always accepts any type of file:// URL...
So, it doesn't seem to solve the issue.

We've tried to make a plugin to change it, but it doesn't work; it seems to be 
too late in the process.
For now, we plan to make a private fork of cordova-android-plugin to add the 
line "settings.setAllowFileAccess(false);" here: 
https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152

About this idea, more generally, it'd be useful to configure any WebSettings 
of the WebView, and not only the allowFileAccess attribute...
Maybe it could be possible by Java reflection, using a config file containing 
attribute names and their values?
I will send a new email/thread for this.

Thanks again.

Stéphane
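
A sketch of the reflection idea raised in the message above, as an added example; it is not code from the author or from cordova-android. The class name, the key=value config format and the StubSettings stand-in are assumptions; on Android the call would pass android.webkit.WebSettings.class and webView.getSettings().

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class WebSettingsConfigurator {
    // Only these boolean setters may be driven from configuration; anything else is rejected.
    private static final Set<String> ALLOWED = Set.of(
            "setAllowFileAccess", "setAllowFileAccessFromFileURLs",
            "setAllowUniversalAccessFromFileURLs");

    // Methods are resolved on the public API type, not target.getClass(), because the
    // concrete settings implementation may be a non-public class. Returns the count applied.
    public static <T> int apply(Class<T> api, T target, Map<String, String> config) {
        int applied = 0;
        for (Map.Entry<String, String> e : config.entrySet()) {
            String setter = "set" + e.getKey();
            String raw = e.getValue();
            if (!ALLOWED.contains(setter)) {
                throw new IllegalArgumentException("Setting not allowlisted: " + e.getKey());
            }
            if (!"true".equals(raw) && !"false".equals(raw)) {
                throw new IllegalArgumentException("Not a boolean: " + e.getKey() + "=" + raw);
            }
            try {
                Method m = api.getMethod(setter, boolean.class);
                m.invoke(target, Boolean.parseBoolean(raw));
                applied++;
            } catch (ReflectiveOperationException ex) {
                throw new IllegalStateException("Cannot apply " + setter, ex);
            }
        }
        return applied;
    }

    // Constructed stand-in for the settings object so the example runs on a plain JVM.
    public static class StubSettings {
        public boolean allowFileAccess = true; // constructed starting value
        public void setAllowFileAccess(boolean v) { allowFileAccess = v; }
    }

    public static void main(String[] args) {
        Map<String, String> config = new LinkedHashMap<>(); // constructed sample config
        config.put("AllowFileAccess", "false");
        StubSettings settings = new StubSettings();
        int n = apply(StubSettings.class, settings, config);
        System.out.println(n + " applied, allowFileAccess=" + settings.allowFileAccess);
    }
}
```

Keeping an explicit allowlist means a config file cannot invoke arbitrary setters by name, and a typo in a key fails loudly instead of leaving the setting unchanged.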
