[New Feature] Change WebSettings of the WebView by config file
Hello, After a few questions about changing an attribute of the WebSettings of the WebView (setAllowFileAccess) here : https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E And : https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E (sorry for bad reply of my second mail who lost historic) I'd like to ask if it is possible to develop a new feature, to allow changing WebSettings of the WebView by config file. Currently, the only way is to hard code settings config here : https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152 It would be usefull il we can configure any settings of WebSettings class : https://developer.android.com/reference/android/webkit/WebSettings Maybe with a dedicated config file, or plugged in the config.xml ? I have never worked on gradle project or Android Studio project, so i'm limitted. I'm using cordova-android on an ionic3 application Anybody in the community could help ? And What do you think about the idea ? Thanks to all. Stéphane
Re: [New Feature] Change WebSettings of the WebView by config file
What other use cases besides `setAllowFileAccess` do you see here? -J Am Do., 6. Dez. 2018 um 14:36 Uhr schrieb MALEYRIE Stephane (AIM Services) : > > Hello, > > After a few questions about changing an attribute of the WebSettings of the > WebView (setAllowFileAccess) here : > https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E > And : > https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E > (sorry for bad reply of my second mail who lost historic) > > I'd like to ask if it is possible to develop a new feature, to allow changing > WebSettings of the WebView by config file. > > Currently, the only way is to hard code settings config here : > https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152 > > It would be usefull il we can configure any settings of WebSettings class : > https://developer.android.com/reference/android/webkit/WebSettings > Maybe with a dedicated config file, or plugged in the config.xml ? > > I have never worked on gradle project or Android Studio project, so i'm > limitted. I'm using cordova-android on an ionic3 application > Anybody in the community could help ? And What do you think about the idea ? > > Thanks to all. > > Stéphane - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Re: [New Feature] Change WebSettings of the WebView by config file
> After a few questions about changing an attribute of the WebSettings of the > WebView (setAllowFileAccess) here : > https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E > And : > https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E > (sorry for bad reply of my second mail who lost historic) I read through the other threads. The two problems right now are that cordova-plugin-fcm does not work with cordova-android@7 and you need to do settings.setAllowFileAccess(false). I think you are right to maintain a private fork of cordova-android@6 for now. I recommend that you guys watch the issues and updates on our cordova-android project for anything important. There were npm security audit issues on some old dependencies, which we fixed in cordova-android@7. > I'd like to ask if it is possible to develop a new feature, to allow changing > WebSettings of the WebView by config file. That should be possible. I am personally not so familiar with the configuration part, would need some time to figure out how we could do this. I would favor a process of identifying the use cases before going deeper, as Jan asked. - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Re: [New Feature] Change WebSettings of the WebView by config file
> I read through the other threads. [...] Please reply to questions from other threads in these threads instead of interlinking two discussions that are about related, but different things. Thanks. -J Am Do., 6. Dez. 2018 um 16:16 Uhr schrieb Chris Brody : > > > After a few questions about changing an attribute of the WebSettings of the > > WebView (setAllowFileAccess) here : > > https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E > > And : > > https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E > > (sorry for bad reply of my second mail who lost historic) > > I read through the other threads. The two problems right now are that > cordova-plugin-fcm does not work with cordova-android@7 and you need > to do settings.setAllowFileAccess(false). > > I think you are right to maintain a private fork of cordova-android@6 > for now. I recommend that you guys watch the issues and updates on our > cordova-android project for anything important. There were npm > security audit issues on some old dependencies, which we fixed in > cordova-android@7. > > > I'd like to ask if it is possible to develop a new feature, to allow > > changing WebSettings of the WebView by config file. > > That should be possible. I am personally not so familiar with the > configuration part, would need some time to figure out how we could do > this. I would favor a process of identifying the use cases before > going deeper, as Jan asked. > > - > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Re: [New Feature] Change WebSettings of the WebView by config file
I think this should be possible with preference tags in the config.xml, we should be able to read them and set those values to true or false, being the default the current one so it's not a breaking change. El jue., 6 dic. 2018 a las 16:45, Jan Piotrowski () escribió: > > I read through the other threads. [...] > > Please reply to questions from other threads in these threads instead > of interlinking two discussions that are about related, but different > things. Thanks. > > > > -J > > > Am Do., 6. Dez. 2018 um 16:16 Uhr schrieb Chris Brody < > chris.br...@gmail.com>: > > > > > After a few questions about changing an attribute of the WebSettings > of the WebView (setAllowFileAccess) here : > https://lists.apache.org/thread.html/3b97152bf089423292ba039bc690d923e438c4f902c40c2714faff90@%3Cdev.cordova.apache.org%3E > > > And : > https://lists.apache.org/thread.html/1865cda074ad5d741bd19d01a56cc5b2b4ac6e2a599d31b34f89eed6@%3Cdev.cordova.apache.org%3E > > > (sorry for bad reply of my second mail who lost historic) > > > > I read through the other threads. The two problems right now are that > > cordova-plugin-fcm does not work with cordova-android@7 and you need > > to do settings.setAllowFileAccess(false). > > > > I think you are right to maintain a private fork of cordova-android@6 > > for now. I recommend that you guys watch the issues and updates on our > > cordova-android project for anything important. There were npm > > security audit issues on some old dependencies, which we fixed in > > cordova-android@7. > > > > > I'd like to ask if it is possible to develop a new feature, to allow > changing WebSettings of the WebView by config file. > > > > That should be possible. I am personally not so familiar with the > > configuration part, would need some time to figure out how we could do > > this. I would favor a process of identifying the use cases before > > going deeper, as Jan asked. > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > > For additional commands, e-mail: dev-h...@cordova.apache.org > > > > - > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org > >
Re: How to disable in Android Webview, the WebSettings attributes "AllowFileAccess" in cordova-android ?
On the one hand, I can see why this would get flagged by a security audit, because it opens the risk of 3rd party sites/scripts having uncontrolled access to the filesystem. On the other hand, changing this preference will break the most common Cordova use case, where files are served from the app bundle instead of from a remote URL. We could add a preference for this, but it would need a bunch of documentation to explain that it only affects Android, and to explain clearly what it does and when you might need to enable it. A lot of apps would break if people just turned it on as "good security practice" without understanding the implications. On Wed, Dec 5, 2018 at 7:57 AM MALEYRIE Stephane (AIM Services) wrote: > > Hello all, > > Thanks for your answers. > > I understand that new features will be only available on master release, with > no back port. > I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on > cordova-android 7.x : > https://github.com/fechanique/cordova-plugin-fcm/issues/470 > https://github.com/fechanique/cordova-plugin-fcm/issues/535 > > About the security issue : > I found an exemple here: > https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/ > It's about loadUrl of file:// type url > In Cordova plugin whitelist doc, it alwayse accept any type of file://url ... > So, it doesn't seems to solve the issue. > > We've tried to make a plugin to change it, but it doesn't work, seems to be > too late in the process. > For now, we plan to make a private fork of cordova-android-plugin to add the > line « settings.setAllowFileAccess(false);» here : > https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152 > > About this idea, more generally, it'd be usefull to configure any WebSettings > of the WebView, and not only the allowFileAccess attribute... > Maybe, it could be possible by java reflection, using a config file > containing attributes names and theirs value ? > I will send a new email/thread for this. > > Thanks again. > > Stéphane > - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Re: How to disable in Android Webview, the WebSettings attributes "AllowFileAccess" in cordova-android ?
supposedly the files served from assets folder will still work (but didn't try) El jue., 6 dic. 2018 a las 16:55, Darryl Pogue () escribió: > On the one hand, I can see why this would get flagged by a security > audit, because it opens the risk of 3rd party sites/scripts having > uncontrolled access to the filesystem. > On the other hand, changing this preference will break the most common > Cordova use case, where files are served from the app bundle instead > of from a remote URL. > > We could add a preference for this, but it would need a bunch of > documentation to explain that it only affects Android, and to explain > clearly what it does and when you might need to enable it. A lot of > apps would break if people just turned it on as "good security > practice" without understanding the implications. > > On Wed, Dec 5, 2018 at 7:57 AM MALEYRIE Stephane (AIM Services) > wrote: > > > > Hello all, > > > > Thanks for your answers. > > > > I understand that new features will be only available on master release, > with no back port. > > I use cordova 6.4.0 because there is an issue with cordova-plugin-fcm on > cordova-android 7.x : > > https://github.com/fechanique/cordova-plugin-fcm/issues/470 > > https://github.com/fechanique/cordova-plugin-fcm/issues/535 > > > > About the security issue : > > I found an exemple here: > https://blog.trustlook.com/2018/01/19/android-webview-class-poses-significant-security-risk/ > > It's about loadUrl of file:// type url > > In Cordova plugin whitelist doc, it alwayse accept any type of > file://url ... > > So, it doesn't seems to solve the issue. > > > > We've tried to make a plugin to change it, but it doesn't work, seems to > be too late in the process. > > For now, we plan to make a private fork of cordova-android-plugin to add > the line « settings.setAllowFileAccess(false);» here : > https://github.com/apache/cordova-android/blob/6.4.x/framework/src/org/apache/cordova/engine/SystemWebViewEngine.java#L152 > > > > About this idea, more generally, it'd be usefull to configure any > WebSettings of the WebView, and not only the allowFileAccess attribute... > > Maybe, it could be possible by java reflection, using a config file > containing attributes names and theirs value ? > > I will send a new email/thread for this. > > > > Thanks again. > > > > Stéphane > > > > - > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org > >
Nomination for a new chair for Apache Cordova
Hello beloved Community! I have been the chair of Apache Cordova since around April 2014 (~4.5 years). The duties are mostly administrative: board reports, PMC management etc. Some of it is listed here in the README: https://github.com/apache/cordova-apache-board-reports I think it is time for new leadership. I have decided to resign my duties as the Apache Cordova chair, hopefully for the upcoming new year of 2019. I nominate Jesse MacFadyen as the next chair. Jesse has been with me at the start when Cordova was PhoneGap. Although we didn't give birth to it, we helped work on improving Cordova from being an infant to adulthood (together with our great team), particularly on cordova-ios. 10 years is adulthood in software! He has also contributed greatly to the other platforms and tooling, particularly cordova-windows. He has the most experience with helping run the Cordova project out of the remaining active contributors. As an Apache Member (https://www.apache.org/foundation/members.html) he also understands and helps uphold 'The Apache Way' (https://www.apache.org/foundation/how-it-works.html) and will be a great liaison with the Board. I'm not going anywhere and I will still contribute to the project in my areas of expertise. Thank you. - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Nightly build #933 for cordova has failed
Nightly build #933 for cordova has failed. Please check failure details on build details page at https://builds.apache.org/job/cordova-nightly/933/ You can also take a look at build console: https://builds.apache.org/job/cordova-nightly/933/consoleFull - Jenkins for Apache Cordova - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Re: Nomination for a new chair for Apache Cordova
+1 Major positive points: * Technical knowledge * Process and teamwork * Fairness * Respect for all On Thu, Dec 6, 2018, 9:30 PM Shazron wrote: > Hello beloved Community! > I have been the chair of Apache Cordova since around April 2014 (~4.5 > years). > > The duties are mostly administrative: board reports, PMC management > etc. Some of it is listed here in the README: > https://github.com/apache/cordova-apache-board-reports > > I think it is time for new leadership. I have decided to resign my > duties as the Apache Cordova chair, hopefully for the upcoming new > year of 2019. > > I nominate Jesse MacFadyen as the next chair. Jesse has been with me > at the start when Cordova was PhoneGap. Although we didn't give birth > to it, we helped work on improving Cordova from being an infant to > adulthood (together with our great team), particularly on cordova-ios. > 10 years is adulthood in software! > > He has also contributed greatly to the other platforms and tooling, > particularly cordova-windows. He has the most experience with helping > run the Cordova project out of the remaining active contributors. > > As an Apache Member (https://www.apache.org/foundation/members.html) > he also understands and helps uphold 'The Apache Way' > (https://www.apache.org/foundation/how-it-works.html) and will be a > great liaison with the Board. > > I'm not going anywhere and I will still contribute to the project in > my areas of expertise. > > Thank you. > > - > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org > >
Re: Nomination for a new chair for Apache Cordova
Hi Shazron, Thanks for all your hard work and we respect your decision. +1 to Jesse for his responsiveness and willingness to help others. On Friday, December 7, 2018, Shazron wrote: > Hello beloved Community! > I have been the chair of Apache Cordova since around April 2014 (~4.5 > years). > > The duties are mostly administrative: board reports, PMC management > etc. Some of it is listed here in the README: > https://github.com/apache/cordova-apache-board-reports > > I think it is time for new leadership. I have decided to resign my > duties as the Apache Cordova chair, hopefully for the upcoming new > year of 2019. > > I nominate Jesse MacFadyen as the next chair. Jesse has been with me > at the start when Cordova was PhoneGap. Although we didn't give birth > to it, we helped work on improving Cordova from being an infant to > adulthood (together with our great team), particularly on cordova-ios. > 10 years is adulthood in software! > > He has also contributed greatly to the other platforms and tooling, > particularly cordova-windows. He has the most experience with helping > run the Cordova project out of the remaining active contributors. > > As an Apache Member (https://www.apache.org/foundation/members.html) > he also understands and helps uphold 'The Apache Way' > (https://www.apache.org/foundation/how-it-works.html) and will be a > great liaison with the Board. > > I'm not going anywhere and I will still contribute to the project in > my areas of expertise. > > Thank you. > > - > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org > > -- Regards, Gandhi "The best way to find urself is to lose urself in the service of others !!!"
AW: Nomination for a new chair for Apache Cordova
Hello Shazron, thank you for your hard work the last few years and I will totally agree with the nomination of Jesse :-) +1 Grüße / Regards Daniel Toplak Head of Mobile Development > -Ursprüngliche Nachricht- > Von: Shazron > Gesendet: Friday, December 7, 2018 03:30 > An: dev@cordova.apache.org > Betreff: Nomination for a new chair for Apache Cordova > > Hello beloved Community! > I have been the chair of Apache Cordova since around April 2014 (~4.5 years). > > The duties are mostly administrative: board reports, PMC management etc. Some > of it is listed here in the README: > https://github.com/apache/cordova-apache-board-reports > > I think it is time for new leadership. I have decided to resign my duties as > the > Apache Cordova chair, hopefully for the upcoming new year of 2019. > > I nominate Jesse MacFadyen as the next chair. Jesse has been with me at the > start > when Cordova was PhoneGap. Although we didn't give birth to it, we helped work > on improving Cordova from being an infant to adulthood (together with our > great > team), particularly on cordova-ios. > 10 years is adulthood in software! > > He has also contributed greatly to the other platforms and tooling, > particularly > cordova-windows. He has the most experience with helping run the Cordova > project out of the remaining active contributors. > > As an Apache Member (https://www.apache.org/foundation/members.html) > he also understands and helps uphold 'The Apache Way' > (https://www.apache.org/foundation/how-it-works.html) and will be a great > liaison > with the Board. > > I'm not going anywhere and I will still contribute to the project in my areas > of > expertise. > > Thank you. > > - > To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org > For additional commands, e-mail: dev-h...@cordova.apache.org