Cleartext HTTP traffic not permitted #451
Comments
Is this still true, or could that flag be removed? I've enabled additional security checks in my repo lately, so the latest update just raised:
If it's still needed, I'll add it to the app's allow-list here. Otherwise it would be preferable to remove the flag again, for more security. Thanks in advance for clarification, @AEFeinstein!
This isn't true anymore, and you can see that the app uses https when fetching data from gatherer.wizards.com. The comment in the source code is also outdated. Wizards of the Coast has had issues keeping their certificates up to date, but they're OK (for now...).
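The check the scanner in this thread performs, reduced to its core, as an added example that is not part of this issue or of the app's code: it reads a decoded (text) AndroidManifest.xml and reports whether plain-HTTP traffic is allowed. It assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool); the package name, versions and the four manifests below are constructed for illustration. The decision logic follows the platform rules: an explicit `android:usesCleartextTraffic` wins, otherwise cleartext is blocked by default from targetSdkVersion 28 (Android 9) and allowed below that, and a referenced `android:networkSecurityConfig` overrides the attribute entirely, so the check reports "inspect the config" instead of guessing.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if the element or attribute is absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def cleartext_status(manifest_xml):
    """Decide from a decoded manifest whether cleartext (plain HTTP) traffic is permitted.

    Returns a dict; 'permitted' is True/False when the manifest alone decides,
    or None when a network security config is referenced, because that XML
    resource then overrides android:usesCleartextTraffic and must be read too.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    flag = _android_attr(app, "usesCleartextTraffic")
    nsc = _android_attr(app, "networkSecurityConfig")
    target_raw = _android_attr(root.find("uses-sdk"), "targetSdkVersion")
    target = int(target_raw) if target_raw and target_raw.isdigit() else None

    if nsc is not None:
        permitted = None
        reason = "networkSecurityConfig=%s overrides the flag; inspect that resource" % nsc
    elif flag is not None:
        permitted = flag.strip().lower() == "true"
        reason = 'android:usesCleartextTraffic="%s" set explicitly' % flag
    elif target is not None and target >= 28:
        permitted = False
        reason = "targetSdkVersion %d: cleartext blocked by default since API 28" % target
    else:
        permitted = True
        reason = "targetSdkVersion below 28 or missing: cleartext allowed by default"

    return {"permitted": permitted, "flag": flag, "targetSdkVersion": target,
            "networkSecurityConfig": nsc, "reason": reason}


# Constructed sample manifests (not the app's real manifest).
# WEAK mirrors the situation in this issue: the flag was left on although the
# app only talks HTTPS, so every HTTP client in the app may send cleartext.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <application android:label="Example" android:usesCleartextTraffic="true" />
</manifest>"""

# FIXED is the same manifest with the attribute removed; the API 28+ default applies.
FIXED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <application android:label="Example" />
</manifest>"""

# LEGACY has no flag either, but targets API 27, where cleartext is still the default.
LEGACY_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27" />
    <application android:label="Example" />
</manifest>"""

# NSC delegates the decision to res/xml/network_security_config.xml (hypothetical path).
NSC_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <application android:label="Example" android:usesCleartextTraffic="true"
                 android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""


def findings(manifests):
    """Return the names of manifests that need attention (cleartext allowed or undetermined)."""
    return [name for name, xml in manifests.items()
            if cleartext_status(xml)["permitted"] is not False]


if __name__ == "__main__":
    samples = {"weak": WEAK_MANIFEST, "fixed": FIXED_MANIFEST,
               "legacy": LEGACY_MANIFEST, "nsc": NSC_MANIFEST}
    for name, xml in samples.items():
        status = cleartext_status(xml)
        print("%-7s permitted=%-5s %s" % (name, status["permitted"], status["reason"]))
```

Note the last case: a `cleartextTrafficPermitted="true"` inside the network security config re-enables HTTP even when the manifest attribute is absent, so a scanner that stops at the manifest will miss it, which is why the check refuses to report "false" there.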
Fix regex URLs in the comprehensive rules
I removed
Thanks! Then the next release should no longer raise a warning from my scanner. Thanks for the swift action!
No problem! It's a little unfortunate that I released 3.9.9 earlier today, but that's the way it is.
No problem with that – this is no CVE. If the next update has it fixed, that's fully sufficient. And had you not released "earlier today", I would not have reported it "earlier today", as my scanner would not have made me aware 🤷♂️
Oh, haha, I thought it was a coincidence. That makes more sense!
Yup. Details here in case you're curious: additional APK checks. Currently I have to open about 10 issues per day, as every 3rd app or so receiving its first update since activation of the new scans triggers something (which is why I do not enable all the checks at once, or I couldn't keep up). I guess "full enable" will follow around February (and then cause another wave). Somewhere in April I might have to trigger a manual scan for the latest release of every app in my repo, to also catch those that have not yet received updates. But I'll not do that before the other waves have rolled out. Interesting things have popped up there. On the good side, my reports have always been well received (on the bad side, more than half of them have not been answered at all) – and several apps had either their security or their documentation improved as a result, or both. Several cases were self-explanatory (like an app manager requesting So yeah, in the end this will have improved security in my repo – and in many of its apps. Stay tuned to get hit again when all checks are active 🙈
Ten issues a day? I wonder if you could automate GitHub issue creation (though that assumes the project is hosted on GitHub). Can't wait to get hit again!
Only initially; it will slow down when all apps have been covered once. And yesterday it was fewer than 5 (plus a few apps where the reason was obvious, so I just updated their allow-list).
Could probably be done via email. But by the time I have figured out how and configured the process, it will have slowed down. Nah, not worth it I guess. I prefer deciding myself and keeping the "human factor" in 😉
🤣 It's really great that my reports are met with such warm responses, thanks!
Android 9 doesn't support HTTP; it requires HTTPS. But Gatherer doesn't use HTTPS. Gotta enable plain HTTP support in the manifest.