NiklasMerz commented on issue #602: Adding info about usesCleartextTraffic URL: https://github.com/apache/cordova-plugin-inappbrowser/pull/602#issuecomment-571169979 Thank you for documenting this. Since this is not only applicable to InAppBrowser. This change should probably done in the general Cordova Android documentation: https://github.com/apache/cordova-docs/blob/master/www/docs/en/dev/guide/platforms/android/index.md It may be helpful for developers with certain requirements, but users should know what this means in terms of security. Maybe we should add this to the docs with a warning from the Android documenation: > Indicates whether the app intends to use cleartext network traffic, such as cleartext HTTP. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". When the attribute is set to "false", platform components (for example, HTTP and FTP stacks, DownloadManager, and MediaPlayer) will refuse the app’s requests to use cleartext traffic. Third-party libraries are strongly encouraged to honor this setting as well. The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cordova.apache.org For additional commands, e-mail: commits-h...@cordova.apache.org
