Updated Proposed Whitelist System section
diff --git a/proposals/ios-whitelist-removal.md b/proposals/ios-whitelist-removal.md
index 335915b..e434101 100644
--- a/proposals/ios-whitelist-removal.md
+++ b/proposals/ios-whitelist-removal.md
@@ -5,13 +5,15 @@
In the diagrams, CSP refers to [Content-Security Policy](https://developer.mozilla.org/en-US/docs/Web/Security/CSP) and ATS refers to [App Transport Security](https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33).
These two components are built-in to iOS, and are not part of Apache Cordova.
+The native whitelist component pictured is Apache Cordova's [cordova-plugin-whitelist](https://github.com/apache/cordova-plugin-whitelist) which is new for cordova-ios-4x.
+
## Current Whitelist System
All connections in the WebView *must* be whitelisted in the `CSP` *and* also be whitelisted in native through the `<access>` tag in `config.xml`. In the last released version of the `cordova-cli`, all `<access>` tags are automatically converted to `ATS` directives in the app's `Info.plist` file.
-There is a deficiency in `cordova-plugin-whitelist` in that `WKWebView` connections are not whitelisted while on iOS 8 (because its connections cannot be intercepted using NSURLProtocol). On iOS 9, `WKWebView` connections are whitelisted and intercepted by ATS.
+There is a deficiency in `cordova-plugin-whitelist` in that `WKWebView` connections are not whitelisted while on iOS 8 (because WKWebView connections cannot be intercepted using NSURLProtocol). On iOS 9, `WKWebView` connections are whitelisted and intercepted by ATS.
There is one difference in whitelisting through `ATS` and cordova-plugin-whitelist: a wildcard `*` in `cordova-plugin-whitelist` means all connections are accepted, while in `ATS` it means the same except that you can also restrict certain domains to connect through https or a certain TLS version, for example.
@@ -23,4 +25,16 @@
-TODO:
\ No newline at end of file
+The proposed whitelist system here requires us to remove:
+1. The [iteration of plugins](https://github.com/apache/cordova-ios/blob/0ec2949d9b37495da6504867bfb371bd868242f0/CordovaLib/Classes/Public/CDVViewController.m#L518) to see if they conform to the [protocol methods](https://github.com/apache/cordova-ios/blob/master/CordovaLib/Classes/Public/CDVURLRequestFilter.h)
+2. Usage of the [cordova-plugin-whitelist](https://github.com/apache/cordova-plugin-whitelist) itself
+
+This simplifies things in that we rely solely on iOS to handle security functionality -- Apple is a far better expert than us to handle these things.
+
+Developers still have to specify `<access>` tags to whitelist domains when they are whitelisted to in the `CSP` however.
+
+An automatic `CSP to <access> tag` parser was proposed (through `cordova-lib` ios parser) -- this could work but at an expense of backwards-compatibility.
+
+Note however that adoption of this proposal basically removes all whitelist functionality for iOS versions 8 and below.
+
+
