Yes, there is a security issue. And a performance issue. We are flat-out not allowing web views in remote views because:
1. The browser is the #1 attack vector; it is a huge complicated pieces of native code that people continually find vulnerabilities in. 2. The browser also consumes a huge amount of memory. Running the browser in the home app could easily consume 10MB or more of memory that can't be reclaimed while other apps are running. On Wed, Apr 22, 2009 at 12:53 PM, j <jac...@gmail.com> wrote: > > Jeff, > > Thanks for the reply. > > But is there any security implications of allowing a WebView as a > RemoteViews in a widget? Webkit browser is running as a sandbox with > a security model in place so I can't think of potential security > issues by allowing a WebView in a widget. > > > > On Apr 21, 11:45 pm, Jeff Sharkey <jshar...@android.com> wrote: > > There is a list of pre-approved Views that are allowed through > > RemoteViews, mostly for security reasons, and right now WebView isn't > > one of those. > > > > If push updates are really important, you could write the comet code > > in a Service that pushes widget updates to the surface as needed. As > > long as you're not pushing any bitmaps, widget updates are pretty > > fast. > > > > However, if you're considering user interaction, you might launch a > > full-screen app or dialog. > > > > j > > > > On Tue, Apr 21, 2009 at 6:08 PM, j <jac...@gmail.com> wrote: > > > > > Jeff, > > > > > Thanks for the Wkionary sample code on the Android blog. > > > > > I have a general question. Is it possible to set the RemoteView of > > > the widget to a WebView? My goal is to push real time updates to the > > > WebView via the comet technique (HTTP long polling), similar to how > > > Google Talk does it on the desktop browser I suppose. > > > > > Do you think battery life would be significantly impacted with this > > > approach? > > > > -- > > Jeff Sharkey > > jshar...@google.com > > > -- Dianne Hackborn Android framework engineer hack...@android.com Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---