https://issues.apache.org/jira/browse/CB-3576
There are pull requests for iOS & Android that add:

    window.open(url, '_blank', 'location=yes,validatessl=no');

Given that this is security-related though, I wanted to get more eyes on it.

Other proposals are to have each questionable cert go through a JS callback:

    var iab = window.open(...);
    iab.onSSLError = function(url) {
        // Slashes and the dot are escaped so the pattern is a valid regex literal.
        return !!/^https:\/\/myalloweddomain\.com\//.exec(url);
    };

Or to add a white-list to your config.xml for allowed self-signed https: addresses.

If your app is not going to validate SSL certs, then perhaps restricting the scope of it isn't really increasing security anyways. It's certainly useful for development to be able to turn it off, but maybe for that reason we should turn it off globally with a <preference> tag?

Thoughts? Willingness from other platforms?
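The following is an added example, not part of the original post and not Cordova code: one way the per-URL decision discussed above could compare the parsed hostname against an allow-list instead of pattern-matching the raw URL string. The function name, the host list and the sample URLs are assumptions constructed for illustration; `onSSLError` is only the callback shape proposed in the post.

```javascript
// Hosts whose certificate errors may be tolerated (constructed sample list).
const ALLOWED_SELF_SIGNED_HOSTS = new Set([
  'myalloweddomain.com',
  'dev.myalloweddomain.com',
]);

// Decide whether a certificate error for `url` may be ignored.
// The hostname is taken from the parsed URL and compared exactly, so the
// decision does not depend on regex escaping, anchoring or a trailing slash.
// Any port on an allowed host is accepted; everything else fails closed.
function allowSelfSigned(url, allowedHosts = ALLOWED_SELF_SIGNED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparsable input is never exempted
  }
  if (parsed.protocol !== 'https:') return false;
  // Refuse user:pass@host forms, where the text before '@' can look like a host.
  if (parsed.username || parsed.password) return false;
  // URL() lowercases the hostname of https URLs and strips the port.
  return allowedHosts.has(parsed.hostname);
}

// Hypothetical wiring, following the callback proposed in the post:
//   iab.onSSLError = function (url) { return allowSelfSigned(url); };

// Constructed sample URLs covering the accepted and rejected cases.
const SAMPLE_URLS = [
  'https://myalloweddomain.com/login',
  'https://myalloweddomain.com:8443/',
  'https://MYALLOWEDDOMAIN.com',
  'https://myalloweddomainXcom/',
  'https://myalloweddomain.com.example.net/',
  'https://myalloweddomain.com@example.net/',
  'http://myalloweddomain.com/',
  'not a url',
];

// Return [url, decision] pairs for the samples above.
function decideSamples() {
  return SAMPLE_URLS.map((u) => [u, allowSelfSigned(u)]);
}

console.log(decideSamples());
```

The same check applies to a config.xml white-list: entries are matched as exact hostnames, and anything not listed keeps normal certificate validation.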