Posted to commits@cordova.apache.org by ag...@apache.org on 2015/03/25 14:40:27 UTC

[2/2] docs commit: CB-8715 Update security guide for whitelist changes in Android 4.0.0 (close #272)

CB-8715 Update security guide for whitelist changes in Android 4.0.0 (close #272)


Project: http://git-wip-us.apache.org/repos/asf/cordova-docs/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-docs/commit/074944bb
Tree: http://git-wip-us.apache.org/repos/asf/cordova-docs/tree/074944bb
Diff: http://git-wip-us.apache.org/repos/asf/cordova-docs/diff/074944bb

Branch: refs/heads/master
Commit: 074944bba598f573d08c9a08ebe1fcba31e0165b
Parents: 53a189b
Author: Jason Chase <ja...@gmail.com>
Authored: Tue Mar 24 23:10:54 2015 -0400
Committer: Andrew Grieve <ag...@chromium.org>
Committed: Wed Mar 25 09:40:20 2015 -0400

----------------------------------------------------------------------
 docs/en/edge/guide/appdev/security/index.md | 10 ----------
 1 file changed, 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-docs/blob/074944bb/docs/en/edge/guide/appdev/security/index.md
----------------------------------------------------------------------
diff --git a/docs/en/edge/guide/appdev/security/index.md b/docs/en/edge/guide/appdev/security/index.md
index 541e87f..9a8995e 100644
--- a/docs/en/edge/guide/appdev/security/index.md
+++ b/docs/en/edge/guide/appdev/security/index.md
@@ -34,18 +34,8 @@ The following guide includes some security best practices that you should consid
 
 * Read and understand the Whitelist Guide
 
-* By default, the Whitelist on a newly created app will allow access to every domain through the `<access>` tag: 
-     `<access origin="*">`
-If you want network requests to be evaluated against the whitelist, then it is important to change this and only allow the domains to which you need access. This can be done by editing the application-level config file located at:
-     `{project}/config.xml` (recent projects) or `{project}/www/config.xml` (older projects)
-
-* Android's Whitelist on Cordova 2.9.x is considered secure, however, it was discovered that if foo.com is included in the whitelist, foo.com.evil.com would be able to pass the whitelist test. This was fixed in Cordova 3.x.  
-
 * Domain whitelisting does not work on Android API 10 and below, and WP8 for iframes and XMLHttpRequest. This means an attacker can load any domain in an iframe and any script on that page within the iframe can directly access Cordova JavaScript objects and the corresponding native Java objects. You should take this into consideration when building applications for these platforms. In practice this means making sure you target an Android API higher than 10, and that if possible you do not use an iframe to load external content - use the inAppBrowser plugin or other third-party plugins. 
 
-* On Android, as of Cordova 3.6.0, it is now necessary to whitelist URLs outside of your application, if your application generates links to those URLs. If you application generates `tel:`, `geo:`, `sms:`, `intent:` or similar URLs, or provides links to external content which you expect to open up in the user's browser, then you will need to update your whitelist. See the Whitelist Guide for details.
-
-
 ## Iframes and the Callback Id Mechanism
 
 If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge. This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions. Because of this, you should generally not use iframes unless you control the server that hosts the iframe content.  Also note that there are third party plugins available to support advertising networks. Note that this statement is not true for iOS, which intercepts everything including iframe connections. 
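Review bot: the first and third deleted paragraphs in this hunk (the `<access origin="*">` default with the `{project}/config.xml` location, and the Cordova 3.6.0 note that `tel:`, `geo:`, `sms:`, `intent:` and external-content links must be whitelisted) are removed without a replacement, so after this change the guide no longer tells the reader that a newly created app's whitelist is wide open by default, where to change it, or that non-http URL schemes generated by the app are subject to the whitelist; the only remaining pointer is the bare bullet "Read and understand the Whitelist Guide". Since the commit is meant to track the Android 4.0.0 whitelist changes rather than drop whitelist guidance, consider replacing the deleted text with one or two bullets that state the 4.0.0 behaviour and point at the Whitelist Guide for the details, e.g. "* On Android 4.0.0 and later, see the Whitelist Guide for how network requests, navigation and external URL schemes (`tel:`, `geo:`, `sms:`, `intent:`) are controlled; restrict them to the origins your app actually needs rather than accepting the permissive defaults." The retained context bullet "Domain whitelisting does not work on Android API 10 and below, and WP8 ..." describes the pre-4.0.0 behaviour and should be re-checked against the same changes rather than left as the only Android-specific whitelist statement in the section.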


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org