Posted to commits@cordova.apache.org by GitBox <gi...@apache.org> on 2019/08/19 12:56:00 UTC

[GitHub] [cordova-android] breautek edited a comment on issue #812: Allowed unsecured hosts list.

breautek edited a comment on issue #812: Allowed unsecured hosts list.
URL: https://github.com/apache/cordova-android/issues/812#issuecomment-522560787
 
 
   For iOS, it is possible because Cordova offers an ability to modify the plist file via `<edit-config>`. This doesn't mean it's a good idea (in my opinion...)
   
   Allowing this kind of configuration in release mode could trigger Google Play's security detection algorithm, as APKs uploaded to the Google Play store are automatically scanned for potential security issues as described [here](https://developer.android.com/google/play/asi). I am assuming you want a release mode so that you can use Google Play as a distributor for your testers.
   
   Because of this, I don't think I can say I'm in favour of this request. The alternatives would be to install a verified cert on your staging server or distribute a debug APK that your testers can side-load.
   
   I should also mention that I don't represent Cordova, and this is just my personal opinion.
   
   Should this feature request be fulfilled, then this [documentation](https://developer.android.com/training/articles/security-ssl#UnknownCa) will likely help implement it in a secure manner, which involves providing a set of CAs that are considered trustworthy, rather than simply accepting "trustworthy" domains which can easily be vulnerable to DNS trickery.
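
The CA-based approach from the last paragraph of the comment, sketched as an Android Network Security Config file. This is an added example, not part of the original comment or of cordova-android. The host name `staging.example.com` and the resource names `staging_ca` and `debug_ca` are placeholders, and the use of Network Security Config (Android 7.0 / API 24 and later) is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, names are placeholders) -->
<network-security-config>

    <!-- Default for every connection: system CA store only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Staging host only: additionally trust the private CA shipped in
         res/raw/staging_ca (PEM or DER). Chain validation and hostname
         verification still run; only the set of trusted issuers grows,
         so a redirected DNS answer without a certificate from this CA fails. -->
    <domain-config>
        <domain includeSubdomains="false">staging.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/staging_ca" />
        </trust-anchors>
    </domain-config>

    <!-- Applied only when the app is built with android:debuggable="true",
         so this extra CA is never trusted by a release APK. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_ca" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The file takes effect when the `<application>` element of `AndroidManifest.xml` carries `android:networkSecurityConfig="@xml/network_security_config"`.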
