From a08854eaf0f67cff34279a6cbad9f223ef61d585 Mon Sep 17 00:00:00 2001
From: Anis Kadri
Date: Thu, 20 Oct 2011 15:09:48 -0700
Subject: [PATCH] improved whitelisting
---
 framework/src/com/phonegap/DroidGap.java | 38 +++++++++++++++++++-----
 1 file changed, 30 insertions(+), 8 deletions(-)
diff --git a/framework/src/com/phonegap/DroidGap.java b/framework/src/com/phonegap/DroidGap.java
index 3f79ec7f..4cf73af0 100755
--- a/framework/src/com/phonegap/DroidGap.java
+++ b/framework/src/com/phonegap/DroidGap.java
@@ -1665,13 +1665,35 @@ public class DroidGap extends PhonegapActivity {
 * @param subdomains T=include all subdomains under origin
 */
 public void addWhiteListEntry(String origin, boolean subdomains) {
- if (subdomains) {
- LOG.d(TAG, "Origin to allow with subdomains: %s", origin);
- whiteList.add(Pattern.compile(origin.replaceFirst("https{0,1}://", "^https{0,1}://.*")));
- } else {
- LOG.d(TAG, "Origin to allow: %s", origin);
- whiteList.add(Pattern.compile(origin.replaceFirst("https{0,1}://", "^https{0,1}://")));
- }
+ try {
+ // Unlimited access to network resources
+ if(origin.compareTo("*") == 0) {
+ LOG.d(TAG, "Unlimited access to network resources");
+ whiteList.add(Pattern.compile("*"));
+ } else { // specific access
+ // check if subdomains should be included
+ // TODO: we should not add more domains if * has already been added
+ if (subdomains) {
+ // XXX making it stupid friendly for people who forget to include protocol/SSL
+ if(origin.startsWith("http")) {
+ whiteList.add(Pattern.compile(origin.replaceFirst("https{0,1}://", "^https{0,1}://.*")));
+ } else {
+ whiteList.add(Pattern.compile("^https{0,1}://.*"+origin));
+ }
+ LOG.d(TAG, "Origin to allow with subdomains: %s", origin);
+ } else {
+ // XXX making it stupid friendly for people who forget to include protocol/SSL
+ if(origin.startsWith("http")) {
+ whiteList.add(Pattern.compile(origin.replaceFirst("https{0,1}://", "^https{0,1}://")));
+ } else {
+ whiteList.add(Pattern.compile("^https{0,1}://"+origin));
+ }
+ LOG.d(TAG, "Origin to allow: %s", origin);
+ }
+ }
+ } catch(Exception e) {
+ LOG.d(TAG, "Failed to add origin %s", origin);
+ }
 }
 /**
@@ -1702,4 +1724,4 @@ public class DroidGap extends PhonegapActivity {
 return false;
 }
-}
\ No newline at end of file
+}
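Review bot: `Pattern.compile("*")` in the wildcard branch is not a valid regex (a bare `*` is a dangling quantifier), so it throws, the new `catch(Exception e)` logs "Failed to add origin" at debug level, and the `*` entry is never added; the line should be `whiteList.add(Pattern.compile(".*"));`. In the other four branches `origin` is concatenated into the pattern unescaped and with nothing after the host, so each `.` in a host name matches any character, and in the subdomain case the leading `.*` is not confined to the host part of the URL. If origins are meant as literal hosts rather than regexes, quote them with `Pattern.quote(...)`, restrict the subdomain prefix to something like `([^/?#@]*\\.)?`, and end the pattern on `([:/?#]|$)`; how far the current form widens the whitelist depends on the matching code, which is outside this hunk. `origin.startsWith("http")` also accepts a scheme-less host that merely begins with those letters (constructed example: `httpfoo.example`), in which case `replaceFirst` changes nothing and the entry is compiled without the `^https{0,1}://` anchor; test for `^https{0,1}://` instead. Because a failed entry is only reported through `LOG.d`, a misconfigured whitelist is easy to miss, so the catch block would be better logging at a higher level and including the exception.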