Yes, there is a security issue.  And a performance issue.  We are flat-out
not allowing web views in remote views because:

1. The browser is the #1 attack vector; it is a huge complicated piece of
native code that people continually find vulnerabilities in.
2. The browser also consumes a huge amount of memory.  Running the browser
in the home app could easily consume 10MB or more of memory that can't be
reclaimed while other apps are running.

On Wed, Apr 22, 2009 at 12:53 PM, j <jac...@gmail.com> wrote:

>
> Jeff,
>
> Thanks for the reply.
>
> But are there any security implications of allowing a WebView as a
> RemoteViews in a widget?  WebKit browser is running as a sandbox with
> a security model in place so I can't think of potential security
> issues by allowing a WebView in a widget.
>
>
>
> On Apr 21, 11:45 pm, Jeff Sharkey <jshar...@android.com> wrote:
> > There is a list of pre-approved Views that are allowed through
> > RemoteViews, mostly for security reasons, and right now WebView isn't
> > one of those.
> >
> > If push updates are really important, you could write the comet code
> > in a Service that pushes widget updates to the surface as needed.  As
> > long as you're not pushing any bitmaps, widget updates are pretty
> > fast.
> >
> > However, if you're considering user interaction, you might launch a
> > full-screen app or dialog.
> >
> > j
> >
> > On Tue, Apr 21, 2009 at 6:08 PM, j <jac...@gmail.com> wrote:
> >
> > > Jeff,
> >
> > > Thanks for the Wiktionary sample code on the Android blog.
> >
> > > I have a general question.  Is it possible to set the RemoteView of
> > > the widget to a WebView?  My goal is to push real time updates to the
> > > WebView via the comet technique (HTTP long polling), similar to how
> > > Google Talk does it on the desktop browser I suppose.
> >
> > > Do you think battery life would be significantly impacted with this
> > > approach?
> >
> > --
> > Jeff Sharkey
> > jshar...@google.com
> >
>


-- 
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.
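
The alternative suggested in the quoted reply (long-poll in a Service, push only text to the widget) could look like the sketch below. It is an added example, not code from this thread or from the Android project. FeedPushService, FeedWidgetProvider, POLL_URL, R.layout.feed_widget and R.id.feed_text are hypothetical names, and it assumes a platform version on which a started Service is allowed to keep running.

```java
import android.app.Service;
import android.appwidget.AppWidgetManager;
import android.content.ComponentName;
import android.content.Intent;
import android.os.IBinder;
import android.widget.RemoteViews;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class FeedPushService extends Service {
    private static final String POLL_URL = "https://feed.example.invalid/poll"; // placeholder
    private static final int MAX_CHARS = 80;
    private volatile boolean running;

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        if (!running) { running = true; new Thread(this::pollLoop, "feed-poll").start(); }
        return START_STICKY;
    }
    private void pollLoop() {
        while (running) {
            try {
                push(sanitize(longPoll()));
            } catch (Exception e) {  // back off so a dead server does not drain the battery
                try { Thread.sleep(60_000); } catch (InterruptedException ie) { return; }
            }
        }
    }
    // One long-poll request; all network parsing stays in this app's own process.
    private String longPoll() throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(POLL_URL).openConnection();
        c.setConnectTimeout(10_000); c.setReadTimeout(120_000);
        try (InputStreamReader r = new InputStreamReader(c.getInputStream(), "UTF-8")) {
            char[] buf = new char[512];  // bounded read: never buffer an arbitrarily long reply
            int n = r.read(buf, 0, buf.length);
            return n <= 0 ? "" : new String(buf, 0, n);
        } finally { c.disconnect(); }
    }
    // Server data is untrusted: drop control characters and cap the length.
    static String sanitize(String s) {
        String t = s.replaceAll("\\p{Cntrl}", " ").trim();
        return t.length() > MAX_CHARS ? t.substring(0, MAX_CHARS) : t;
    }
    // Only a TextView string crosses into the widget host: no bitmap, no HTML.
    private void push(String text) {
        RemoteViews views = new RemoteViews(getPackageName(), R.layout.feed_widget);
        views.setTextViewText(R.id.feed_text, text);
        AppWidgetManager.getInstance(this)
                .updateAppWidget(new ComponentName(this, FeedWidgetProvider.class), views);
    }
    @Override public void onDestroy() { running = false; }
    @Override public IBinder onBind(Intent intent) { return null; }
}
```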
