Open nicodh opened 1 month ago
Simon-Laux
commented
1 month ago webrtc can access anywhere, so no, there is still a need to prefill/disable it. especially if we want to make these extension-xdc user replaceable. Also internet access is heavily limited, at least on desktop it only lets requests to openstreetmaps go through.
hpk42
commented
1 month ago On Sat, May 25, 2024 at 06:10 -0700, Simon Laux wrote:
webrtc can access anywhere, so no, there is still a need to prefill/disable it. especially if we want to make these extension-xdc user replaceable.
we can surely grant our own shipped map-xdc the right to not run FILL500. FILL500 is for untrusted/3rd party code that we don't know. If users replace the map app (in the future) we could do FILL 500 still but not sure that's a 1.46 concern at all.
nicodh
commented
1 month ago I would suggest to set a list of URLS in the advanced settings which are accessible and set openstreetmap.org as a prefilled default (when location streaming is enabled) Then it's more transparent which URLs maybe accessed and that openstreetmap.org is provided by default and it is extendable in a transparent way...
Simon-Laux
commented
1 month ago my opinion: use the core http api for fetching the tiles + maybe specify allowed domains in the webxdc manifest
Noneed to prefill all 500 connections if internet access is allowed anyway