-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Determine if cleartextTraffic flag is required on Android #1060
Comments
I managed to trace this down to this PR: #104. The main reason for keeping this would be if a Lemmy post contains an external link to a HTTP site (or potentially a HTTP link which redirects to its HTTPS counterpart) I believe we might be able to remove this, but users may encounter this issue in the future (although it might be rare) |
Is it possible that that error was specifically related to the fact that we were loading and rendering web page links in-app using |
I think that might've been the case. I'm not sure if this issue will still happen with the custom_tabs, or if custom_tabs understands to automatically redirect HTTP -> HTTPS |
My understanding is that custom tabs isn't doing anything except to invoke that feature in your default browser. It should be up to Firefox/Chrome/Safari to either redirect or show an appropriate warning. I'd be tempted to take out this line, especially if it's a requirement for Izzy (or to avoid a bad label 😆), and see what happens. |
It's not a strict requirement – this is just a "warning" that something might be not as it should. If there's a good reason to need the flag, I can put it on the allow-list for Thunder. So take your time to make sure you really don't need it before removing it. Nothing is "handed up" for display yet, currently it's just "internal handling" (to detect possible "dangerous" things and report them to the corresponding app authors to check). At some later point I might make this visible to visitors of the app's page on my website, but that's unlikely to happen very soon. First all checks need to be in place and confirmed working as intended, which will at least take until spring. |
What we can do here is release a nightly build with this change to see if it affects anyone on the using those builds. From here, we'll get a good sense of whether or not I don't expect to be releasing a general build anytime soon (~1 month) so that should give us enough data to go off of! I'll rename this issue to a more suitable title |
|
Thanks! Confirmed it gone: If you want to let that android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
} For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. |
My updater (having been enhanced with additional security checks recently) just informed me:
which refers to your definition here. By default, that option is disabled, so it must have been enabled explicitly at one point for some reason. Is that reason still standing (if so, what is it?) – or can that line be removed? I don't think there's a Lemmy instance out there not secured by HTTPS/SSL, so I'd guess Thunder won't need to make any request using "insecure channels"?
Thanks in advance for clarification!
The text was updated successfully, but these errors were encountered: