[New Feature] Change WebSettings of the WebView by config file

2018-12-06 Thread MALEYRIE Stephane (AIM Services)
Hello,

After a few questions about changing an attribute of the WebSettings of the 
WebView (setAllowFileAccess) here : 
https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E
And : 
https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E
(sorry for bad reply of my second mail who lost historic)

I'd like to ask if it is possible to develop a new feature, to allow changing 
WebSettings of the WebView by config file.

Currently, the only way is to hard code settings config here : 
https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152

It would be usefull il we can configure any settings of WebSettings class : 
https://developer.android.com/reference/android/webkit/WebSettings
Maybe with a dedicated config file, or plugged in the config.xml ?

I have never worked on gradle project or Android Studio project, so i'm 
limitted. I'm using cordova-android on an ionic3 application
Anybody in the community could help ? And What do you think about the idea ?

Thanks to all.

Stéphane


Re: [New Feature] Change WebSettings of the WebView by config file

2018-12-06 Thread Jan Piotrowski
What other use cases besides `setAllowFileAccess` do you see here?

-J

Am Do., 6. Dez. 2018 um 14:36 Uhr schrieb MALEYRIE Stephane (AIM
Services) :
>
> Hello,
>
> After a few questions about changing an attribute of the WebSettings of the 
> WebView (setAllowFileAccess) here : 
> https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E
> And : 
> https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E
> (sorry for bad reply of my second mail who lost historic)
>
> I'd like to ask if it is possible to develop a new feature, to allow changing 
> WebSettings of the WebView by config file.
>
> Currently, the only way is to hard code settings config here : 
> https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152
>
> It would be usefull il we can configure any settings of WebSettings class : 
> https://developer.android.com/reference/android/webkit/WebSettings
> Maybe with a dedicated config file, or plugged in the config.xml ?
>
> I have never worked on gradle project or Android Studio project, so i'm 
> limitted. I'm using cordova-android on an ionic3 application
> Anybody in the community could help ? And What do you think about the idea ?
>
> Thanks to all.
>
> Stéphane

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org



Re: [New Feature] Change WebSettings of the WebView by config file

2018-12-06 Thread Chris Brody
> After a few questions about changing an attribute of the WebSettings of the 
> WebView (setAllowFileAccess) here : 
> https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E
> And : 
> https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E
> (sorry for bad reply of my second mail who lost historic)

I read through the other threads. The two problems right now are that
cordova-plugin-fcm does not work with cordova-android@7 and you need
to do settings.setAllowFileAccess(false).

I think you are right to maintain a private fork of cordova-android@6
for now. I recommend that you guys watch the issues and updates on our
cordova-android project for anything important. There were npm
security audit issues on some old dependencies, which we fixed in
cordova-android@7.

> I'd like to ask if it is possible to develop a new feature, to allow changing 
> WebSettings of the WebView by config file.

That should be possible. I am personally not so familiar with the
configuration part, would need some time to figure out how we could do
this. I would favor a process of identifying the use cases before
going deeper, as Jan asked.

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org



Re: [New Feature] Change WebSettings of the WebView by config file

2018-12-06 Thread Jan Piotrowski
> I read through the other threads. [...]

Please reply to questions from other threads in these threads instead
of interlinking two discussions that are about related, but different
things. Thanks.



-J


Am Do., 6. Dez. 2018 um 16:16 Uhr schrieb Chris Brody :
>
> > After a few questions about changing an attribute of the WebSettings of the 
> > WebView (setAllowFileAccess) here : 
> > https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E
> > And : 
> > https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E
> > (sorry for bad reply of my second mail who lost historic)
>
> I read through the other threads. The two problems right now are that
> cordova-plugin-fcm does not work with cordova-android@7 and you need
> to do settings.setAllowFileAccess(false).
>
> I think you are right to maintain a private fork of cordova-android@6
> for now. I recommend that you guys watch the issues and updates on our
> cordova-android project for anything important. There were npm
> security audit issues on some old dependencies, which we fixed in
> cordova-android@7.
>
> > I'd like to ask if it is possible to develop a new feature, to allow 
> > changing WebSettings of the WebView by config file.
>
> That should be possible. I am personally not so familiar with the
> configuration part, would need some time to figure out how we could do
> this. I would favor a process of identifying the use cases before
> going deeper, as Jan asked.
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> For additional commands, e-mail: dev-h...@cordova.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org



Re: [New Feature] Change WebSettings of the WebView by config file

2018-12-06 Thread julio cesar sanchez
I think this should be possible with preference tags in the config.xml, we
should be able to read them and set those values to true or false, being
the default the current one so it's not a breaking change.

El jue., 6 dic. 2018 a las 16:45, Jan Piotrowski ()
escribió:

> > I read through the other threads. [...]
>
> Please reply to questions from other threads in these threads instead
> of interlinking two discussions that are about related, but different
> things. Thanks.
>
>
>
> -J
>
>
> Am Do., 6. Dez. 2018 um 16:16 Uhr schrieb Chris Brody <
> chris.br...@gmail.com>:
> >
> > > After a few questions about changing an attribute of the WebSettings
> of the WebView (setAllowFileAccess) here :
> https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E
> > > And :
> https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E
> > > (sorry for bad reply of my second mail who lost historic)
> >
> > I read through the other threads. The two problems right now are that
> > cordova-plugin-fcm does not work with cordova-android@7 and you need
> > to do settings.setAllowFileAccess(false).
> >
> > I think you are right to maintain a private fork of cordova-android@6
> > for now. I recommend that you guys watch the issues and updates on our
> > cordova-android project for anything important. There were npm
> > security audit issues on some old dependencies, which we fixed in
> > cordova-android@7.
> >
> > > I'd like to ask if it is possible to develop a new feature, to allow
> changing WebSettings of the WebView by config file.
> >
> > That should be possible. I am personally not so familiar with the
> > configuration part, would need some time to figure out how we could do
> > this. I would favor a process of identifying the use cases before
> > going deeper, as Jan asked.
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> > For additional commands, e-mail: dev-h...@cordova.apache.org
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> For additional commands, e-mail: dev-h...@cordova.apache.org
>
>


Re: How to disable in Android Webview, the WebSettings attributes "AllowFileAccess" in cordova-android ?

2018-12-06 Thread Darryl Pogue
On the one hand, I can see why this would get flagged by a security
audit, because it opens the risk of 3rd party sites/scripts having
uncontrolled access to the filesystem.
On the other hand, changing this preference will break the most common
Cordova use case, where files are served from the app bundle instead
of from a remote URL.

We could add a preference for this, but it would need a bunch of
documentation to explain that it only affects Android, and to explain
clearly what it does and when you might need to enable it. A lot of
apps would break if people just turned it on as "good security
practice" without understanding the implications.

On Wed, Dec 5, 2018 at 7:57 AM MALEYRIE Stephane (AIM Services)
 wrote:
>
> Hello all,
>
> Thanks for your answers.
>
> I understand that new features will be only available on master release, with 
> no back port.
> I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on 
> cordova-android 7.x :
> https://github.com/fechanique/cordova-plugin-fcm/issues/470
> https://github.com/fechanique/cordova-plugin-fcm/issues/535
>
> About the security issue :
> I found an exemple here: 
> https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/
> It's about loadUrl of file:// type url
> In Cordova plugin whitelist doc, it alwayse accept any type of file://url ...
> So, it doesn't seems to solve the issue.
>
> We've tried to make a plugin to change it, but it doesn't work, seems to be 
> too late in the process.
> For now, we plan to make a private fork of cordova-android-plugin to add the 
> line «  settings.setAllowFileAccess(false);» here : 
> https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152
>
> About this idea, more generally, it'd be usefull to configure any WebSettings 
> of the WebView, and not only the allowFileAccess attribute...
> Maybe, it could be possible by java reflection, using a config file 
> containing attributes names and theirs value ?
> I will send a new email/thread for this.
>
> Thanks again.
>
> Stéphane
>

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org



Re: How to disable in Android Webview, the WebSettings attributes "AllowFileAccess" in cordova-android ?

2018-12-06 Thread julio cesar sanchez
supposedly the files served from assets folder will still work (but didn't
try)

El jue., 6 dic. 2018 a las 16:55, Darryl Pogue ()
escribió:

> On the one hand, I can see why this would get flagged by a security
> audit, because it opens the risk of 3rd party sites/scripts having
> uncontrolled access to the filesystem.
> On the other hand, changing this preference will break the most common
> Cordova use case, where files are served from the app bundle instead
> of from a remote URL.
>
> We could add a preference for this, but it would need a bunch of
> documentation to explain that it only affects Android, and to explain
> clearly what it does and when you might need to enable it. A lot of
> apps would break if people just turned it on as "good security
> practice" without understanding the implications.
>
> On Wed, Dec 5, 2018 at 7:57 AM MALEYRIE Stephane (AIM Services)
>  wrote:
> >
> > Hello all,
> >
> > Thanks for your answers.
> >
> > I understand that new features will be only available on master release,
> with no back port.
> > I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on
> cordova-android 7.x :
> > https://github.com/fechanique/cordova-plugin-fcm/issues/470
> > https://github.com/fechanique/cordova-plugin-fcm/issues/535
> >
> > About the security issue :
> > I found an exemple here:
> https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/
> > It's about loadUrl of file:// type url
> > In Cordova plugin whitelist doc, it alwayse accept any type of
> file://url ...
> > So, it doesn't seems to solve the issue.
> >
> > We've tried to make a plugin to change it, but it doesn't work, seems to
> be too late in the process.
> > For now, we plan to make a private fork of cordova-android-plugin to add
> the line «  settings.setAllowFileAccess(false);» here :
> https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152
> >
> > About this idea, more generally, it'd be usefull to configure any
> WebSettings of the WebView, and not only the allowFileAccess attribute...
> > Maybe, it could be possible by java reflection, using a config file
> containing attributes names and theirs value ?
> > I will send a new email/thread for this.
> >
> > Thanks again.
> >
> > Stéphane
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> For additional commands, e-mail: dev-h...@cordova.apache.org
>
>


Nomination for a new chair for Apache Cordova

2018-12-06 Thread Shazron
Hello beloved Community!
I have been the chair of Apache Cordova since around April 2014 (~4.5 years).

The duties are mostly administrative: board reports, PMC management
etc. Some of it is listed here in the README:
https://github.com/apache/cordova-apache-board-reports

I think it is time for new leadership. I have decided to resign my
duties as the Apache Cordova chair, hopefully for the upcoming new
year of 2019.

I nominate Jesse MacFadyen as the next chair. Jesse has been with me
at the start when Cordova was PhoneGap. Although we didn't give birth
to it, we helped work on improving Cordova from being an infant to
adulthood (together with our great team), particularly on cordova-ios.
10 years is adulthood in software!

He has also contributed greatly to the other platforms and tooling,
particularly cordova-windows. He has the most experience with helping
run the Cordova project out of the remaining active contributors.

As an Apache Member (https://www.apache.org/foundation/members.html)
he also understands and helps uphold 'The Apache Way'
(https://www.apache.org/foundation/how-it-works.html) and will be a
great liaison with the Board.

I'm not going anywhere and I will still contribute to the project in
my areas of expertise.

Thank you.

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org



Nightly build #933 for cordova has failed

2018-12-06 Thread Apache Jenkins Server
Nightly build #933 for cordova has failed.

Please check failure details on build details page at 
https://builds.apache.org/job/cordova-nightly/933/
You can also take a look at build console: 
https://builds.apache.org/job/cordova-nightly/933/consoleFull

-
Jenkins for Apache Cordova

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org

Re: Nomination for a new chair for Apache Cordova

2018-12-06 Thread Chris Brody
+1

Major positive points:

* Technical knowledge
* Process and teamwork
* Fairness
* Respect for all

On Thu, Dec 6, 2018, 9:30 PM Shazron  wrote:

> Hello beloved Community!
> I have been the chair of Apache Cordova since around April 2014 (~4.5
> years).
>
> The duties are mostly administrative: board reports, PMC management
> etc. Some of it is listed here in the README:
> https://github.com/apache/cordova-apache-board-reports
>
> I think it is time for new leadership. I have decided to resign my
> duties as the Apache Cordova chair, hopefully for the upcoming new
> year of 2019.
>
> I nominate Jesse MacFadyen as the next chair. Jesse has been with me
> at the start when Cordova was PhoneGap. Although we didn't give birth
> to it, we helped work on improving Cordova from being an infant to
> adulthood (together with our great team), particularly on cordova-ios.
> 10 years is adulthood in software!
>
> He has also contributed greatly to the other platforms and tooling,
> particularly cordova-windows. He has the most experience with helping
> run the Cordova project out of the remaining active contributors.
>
> As an Apache Member (https://www.apache.org/foundation/members.html)
> he also understands and helps uphold 'The Apache Way'
> (https://www.apache.org/foundation/how-it-works.html) and will be a
> great liaison with the Board.
>
> I'm not going anywhere and I will still contribute to the project in
> my areas of expertise.
>
> Thank you.
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> For additional commands, e-mail: dev-h...@cordova.apache.org
>
>


Re: Nomination for a new chair for Apache Cordova

2018-12-06 Thread gandhi rajan
Hi Shazron,

Thanks for all your hard work and we respect your decision.

+1 to Jesse for his responsiveness and willingness to help others.

On Friday, December 7, 2018, Shazron  wrote:

> Hello beloved Community!
> I have been the chair of Apache Cordova since around April 2014 (~4.5
> years).
>
> The duties are mostly administrative: board reports, PMC management
> etc. Some of it is listed here in the README:
> https://github.com/apache/cordova-apache-board-reports
>
> I think it is time for new leadership. I have decided to resign my
> duties as the Apache Cordova chair, hopefully for the upcoming new
> year of 2019.
>
> I nominate Jesse MacFadyen as the next chair. Jesse has been with me
> at the start when Cordova was PhoneGap. Although we didn't give birth
> to it, we helped work on improving Cordova from being an infant to
> adulthood (together with our great team), particularly on cordova-ios.
> 10 years is adulthood in software!
>
> He has also contributed greatly to the other platforms and tooling,
> particularly cordova-windows. He has the most experience with helping
> run the Cordova project out of the remaining active contributors.
>
> As an Apache Member (https://www.apache.org/foundation/members.html)
> he also understands and helps uphold 'The Apache Way'
> (https://www.apache.org/foundation/how-it-works.html) and will be a
> great liaison with the Board.
>
> I'm not going anywhere and I will still contribute to the project in
> my areas of expertise.
>
> Thank you.
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> For additional commands, e-mail: dev-h...@cordova.apache.org
>
>

-- 
Regards,
Gandhi

"The best way to find urself is to lose urself in the service of others !!!"


AW: Nomination for a new chair for Apache Cordova

2018-12-06 Thread Toplak Daniel
Hello Shazron,

thank you for your hard work the last few years and I will totally agree with 
the nomination of Jesse :-)
+1

Grüße / Regards
Daniel Toplak
Head of Mobile Development

> -Ursprüngliche Nachricht-
> Von: Shazron 
> Gesendet: Friday, December 7, 2018 03:30
> An: dev@cordova.apache.org
> Betreff: Nomination for a new chair for Apache Cordova
> 
> Hello beloved Community!
> I have been the chair of Apache Cordova since around April 2014 (~4.5 years).
> 
> The duties are mostly administrative: board reports, PMC management etc. Some
> of it is listed here in the README:
> https://github.com/apache/cordova-apache-board-reports
> 
> I think it is time for new leadership. I have decided to resign my duties as 
> the
> Apache Cordova chair, hopefully for the upcoming new year of 2019.
> 
> I nominate Jesse MacFadyen as the next chair. Jesse has been with me at the 
> start
> when Cordova was PhoneGap. Although we didn't give birth to it, we helped work
> on improving Cordova from being an infant to adulthood (together with our 
> great
> team), particularly on cordova-ios.
> 10 years is adulthood in software!
> 
> He has also contributed greatly to the other platforms and tooling, 
> particularly
> cordova-windows. He has the most experience with helping run the Cordova
> project out of the remaining active contributors.
> 
> As an Apache Member (https://www.apache.org/foundation/members.html)
> he also understands and helps uphold 'The Apache Way'
> (https://www.apache.org/foundation/how-it-works.html) and will be a great 
> liaison
> with the Board.
> 
> I'm not going anywhere and I will still contribute to the project in my areas 
> of
> expertise.
> 
> Thank you.
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> For additional commands, e-mail: dev-h...@cordova.apache.org