cleartext traffic?

[IzzySoft]

I just saw Kaiteki has the android:usesCleartextTraffic flag set. Are there any Fedi sites out there not being secured by SSL, or what is the reason for this? Just wondering – and appreciating a hint (or short explanation) with this "friendly request" (not a complaint 😉) Thanks in advance!

[Craftplacer]

One of Kaiteki's authentication methods is starting a new local web server (for OAuth), but since we are definitely not going to enter the rabbit hole of providing a self-signed certificate for that local web server, the flag has to be enabled so the WebView inside the app would navigate to the callback page successfully.

This behavior has been mentioned here: https://kaiteki.app/help/auth/

[Craftplacer]

It could be considered removing it again, since the app shouldn't use WebViews for that.

I remember url_launcher causing all kinds of issues, especially UX-wise, since it took up the full-screen, instead of just falling back to a web browser by default.

[IzzySoft]

Thanks for the details! I've added it to the allow-list for now. Let's leave this issue open until you decide whether removal is feasible. I should then get a notification when you're closing it, ideally with a comment of the decision, so we can see then if the allow should be revoked (to catch in case some library unintentionally adds it back).