There are two different files here: one is defaults.xml, which the CLI takes as the basis for its platform config.xml. The other is the config.xml that you get after running bin/create. In the CLI world, that second file is immediately overwritten by one created from defaults.xml, the top-level app config.xml, etc.
I support the second point of removing the <access origin="*" /> from the CLI's hello world template app; it should be turned into a comment. I don't think we should be including <access origin="*" /> by default anywhere, unless we really do want to disable the whitelist on that platform. And if we do want to disable it, why not in the native code instead of allowing everything by default? Braden On Tue, Dec 3, 2013 at 8:04 AM, Michal Mocny <mmo...@google.com> wrote: > On ios, the default config.xml file (aka the platform defaults) is bundled > as part of the ios project template, and the project template is easy to > override using flags to create script / CLI config options. Easy, great. > > For android, the default config.xml file is bundled with the platform > framework itself and not as part of the project template. I assume this is > not easy to fix, otherwise we would have made the change already? > > Since the <access> tag is additive (i.e. cannot just override it by > appending), there is no way to remove that default without reaching in and > editing cordova-android/framework/res/xml/config.xml file directly (either > with a custom post-platform-add hook to run sed, or by forking > cordova-android to change the default, both shitty options imho). > > Any suggestions on how to fix this? > > I was hoping to propose that we move the tag out of all the platform > templates and instead add it to the hello-world app template -- but I think > that won't work well with the platform-scripts workflow since that flow > doesn't use an application level config.xml at all right now. > > > Second, related issue: cordova-cli bundles a default application config.xml > file, which also includes <access origin="*"/>. I think this is just > unnecessary and should be removed. > > > -Michal > > p.s. as an aside, I thought we were moving the default platform config.xml > out into a file called "defaults.xml"? It seems only the good folks at > blackberry have done that so far.. >
