Brian, I think that's OK; at development time everything is fair game :-)

The problem is developers doing stupid things like loading a cordova.js
from a place they don't know for an in-production app being used by end
users; that's just kamikaze.

That's OK if they want to shoot themselves in the foot, but then don't come
crying to JIRA claiming that it is a problem with the Cordova project.


On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <[email protected]> wrote:

> phonegap-connect serves up remote cordova.js (negotiates the requestor to
> send the right file)
>
> no deaths yet!
>
>
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
>
>
> On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <[email protected]> wrote:
>
> > That's a good difference to point out.
> >
> > >My personal position is that scenarios where developer is in control and
> > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > >scenario for Cordova
> >
> > I agree, because as cordova.js and cordovaLib are version linked, it makes
> > sense that once an index.html is pulled in, its cordova.js to load is
> > already in the client application.
> > Loading an external cordova.js would be suicidal. So we save the file
> > locally to write into its <HEAD> our known path to cordova.js
> >
> > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <[email protected]>
> > wrote:
> >
> > > I want to make a clarification: there is a notable difference between
> > > loading remotely-loaded *(non-local)* HTML pages with Cordova vs. a
> > > downloaded webapp to be loaded from a *local* HTML.
> > >
> > > IBM Worklight has a feature "Direct update"
> > >
> > > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > >
> > > The scenario is a download and local load of html/cordova. Similar
> > > scenario as spellcaster and appmobi.
> > > For this scenario there is control from the app developer of the code
> > > being loaded.
> > >
> > > What Marcel is asking about is a *non-local* load of arbitrary html/code
> > > not controlled by the developer, the developer loading a free html page
> > > owned by someone else and doing kind of a
> > > "document.location.replace('http://somerandom.com/thisotherguy.html')"
> > >
> > > My personal position is that scenarios where the developer is in control
> > > and loaded locally (i.e. directupdate, appmobi, spellcaster) are a valid
> > > scenario for Cordova. Loading a random cordova.js directly from a
> > > non-local random place is not guaranteed to be supported.
> > >
> > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <[email protected]> wrote:
> > >
> > > > Very much so. So much so, I think we should even consider such
> > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <[email protected]> wrote:
> > > >
> > > > > I think this is a very desired plugin that many end up re-writing, and
> > > > > it's far better than setting the content src directly to a remote URL.
> > > > >
> > > > > E.g. just stumbled across this yesterday:
> > > > > http://docs.appmobi.com/index.php/live-update/
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <[email protected]> wrote:
> > > > >
> > > > > > Make it available Ally, of course that sounds interesting!
> > > > > >
> > > > > > I'm sure a few of us have suggestions for improvements too.
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <[email protected]> wrote:
> > > > > >
> > > > > > > Marcel, sorry for the late reply.
> > > > > > >
> > > > > > > For some games that I produce where the entire game is served to the
> > > > > > > client (requires no .html in the application) we have a tool called
> > > > > > > "spellcaster". Spellcaster handles internet connectivity, localisation
> > > > > > > and Cordova code injection. It works as follows:
> > > > > > >
> > > > > > > One simply adds an application URL to Cordova's config.xml in
> > > > > > > <content src=YOUR_URL_HERE>
> > > > > > >
> > > > > > > - Spellcaster will check for an active internet connection. If one is
> > > > > > > not found Spellcaster will continue retrying at a set interval.
> > > > > > > - Spellcaster downloads the content of the provided application URL
> > > > > > > and stores it to the application cache (overriding any existing loader).
> > > > > > > - Spellcaster injects Cordova script tags just after the <head> tag.
> > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > >
> > > > > > > *loader is your html to load.
> > > > > > >
> > > > > > > Are people still in need of such a solution? I could have this code
> > > > > > > made public; it just needs a public sanitise check. Spellcaster
> > > > > > > supports iOS and Android.
> > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > didFinishLaunchingWithOptions.
> > > > > > > For Android it requires these overrides in onCreate:
> > > > > > >
> > > > > > > @Override
> > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > >     super.onCreate(savedInstanceState);
> > > > > > >     super.init();
> > > > > > >
> > > > > > > @Override
> > > > > > > public void init() {
> > > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > > >     spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > >     ...
> > > > > > >
> > > > > > > @Override
> > > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > > >                  org.apache.cordova.CordovaWebViewClient webViewClient,
> > > > > > >                  org.apache.cordova.CordovaChromeClient webChromeClient) {
> > > > > > >     super.init(webView, webViewClient, webChromeClient);
> > > > > > >
> > > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > > >     spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > >     ...
> > > > > > >
> > > > > > >
> > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <[email protected]> wrote:
> > > > > > >
> > > > > > > > It is great design for development, and netflix.
> > > > > > > >
> > > > > > > > Sent from my iPhone
> > > > > > > >
> > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <[email protected]> wrote:
> > > > > > > > >
> > > > > > > > > It's technically possible, and even (arguably) legal according to
> > > > > > > > > Apple's documentation, depending on the nature of the code and how
> > > > > > > > > it's implemented:
> > > > > > > > >
> > > > > > > > > 3.3.2 An Application may not download or install executable code.
> > > > > > > > > Interpreted code may only be used in an Application if all scripts,
> > > > > > > > > code and interpreters are packaged in the Application and not
> > > > > > > > > downloaded. The only exception to the foregoing is scripts and code
> > > > > > > > > downloaded and run by Apple's built-in WebKit framework, provided
> > > > > > > > > that such scripts and code do not change the primary purpose of the
> > > > > > > > > Application by providing features or functionality that are
> > > > > > > > > inconsistent with the intended and advertised purpose of the
> > > > > > > > > Application as submitted to the App Store.
> > > > > > > > >
> > > > > > > > > However, I would only do so if the code is coming from a server that
> > > > > > > > > you control, and if you are able to control what code is getting
> > > > > > > > > executed. Loading 3rd party, unverified scripts into your Cordova
> > > > > > > > > view is a big "no-no" for security reasons, and could get your app
> > > > > > > > > delisted (or rejected).
> > > > > > > > >
> > > > > > > > > If anyone else has more information on the topic, I'd be interested
> > > > > > > > > in hearing it.
> > > > > > > > >
> > > > > > > > > Marc
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <[email protected]> wrote:
> > > > > > > > >>
> > > > > > > > >> Hi Frederico.
> > > > > > > > >>
> > > > > > > > >> While what you are saying about the store policies is true, this
> > > > > > > > >> applies to public stores only (as far as I can tell). For on-premise
> > > > > > > > >> app stores this might be false because each store owner needs to set
> > > > > > > > >> and apply the governance for the apps. It could end in horrible
> > > > > > > > >> results due to a bad implementation.
> > > > > > > > >>
> > > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <[email protected]> wrote:
> > > > > > > > >>
> > > > > > > > >>> I don't have the details in hand at the moment, but I remember
> > > > > > > > >>> seeing in more than one application store last year policies being
> > > > > > > > >>> changed to disallow remote code to run in an application on-demand.
> > > > > > > > >>> Such rules *could* as well be applied to Cordova apps that load
> > > > > > > > >>> remote content considered as code (HTML isn't, but JS is). It's not
> > > > > > > > >>> only a security concern per se, but also an imposed limitation on
> > > > > > > > >>> the stores (which were obviously created for security concerns in
> > > > > > > > >>> the first place).
> > > > > > > > >>>
> > > > > > > > >>> Not even mentioning the issues with providing the right cordova.js
> > > > > > > > >>> version from the remote server not really knowing where the request
> > > > > > > > >>> came from.
> > > > > > > > >>> However, it's good to note too that aside from the Phonegap
> > > > > > > > >>> Developer App, there is also Adobe Hydration that does the exact
> > > > > > > > >>> same thing as a side service to Phonegap Build. I don't know if
> > > > > > > > >>> they've come into any of the issues mentioned, and I haven't even
> > > > > > > > >>> heard of it being used in production.
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <[email protected]>:
> > > > > > > > >>>
> > > > > > > > >>>> I agree with all your statements Marcel. I use this approach
> > > > > > > > >>>> frequently in dev for fast turnaround.
> > > > > > > > >>>> Ultimately App Store policies decide what can and cannot be done.
> > > > > > > > >>>>
> > > > > > > > >>>> Regarding security, there is nothing I can do with a remote page
> > > > > > > > >>>> that I can't already do inside my app. It's an issue of trust.
> > > > > > > > >>>>
> > > > > > > > >>>>
> > > > > > > > >>>> Sent from my iPhone
> > > > > > > > >>>>
> > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <[email protected]> wrote:
> > > > > > > > >>>>>
> > > > > > > > >>>>> I agree that it is not recommended, but it's possible. I delved
> > > > > > > > >>>>> into this question here:
> > > > > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > >>>>>
> > > > > > > > >>>>> The PhoneGap Developer App is an example of how this is working
> > > > > > > > >>>>> at http://app.phonegap.com but they do some proxying to get
> > > > > > > > >>>>> around the CORS limitations I believe.
> > > > > > > > >>>>>
> > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <[email protected]> wrote:
> > > > > > > > >>>>>> I've been getting occasional questions about users trying to
> > > > > > > > >>>>>> use remotely-loaded (non-local) HTML pages with Cordova (in the
> > > > > > > > >>>>>> webview, not InAppBrowser), and still expecting to have access to
> > > > > > > > >>>>>> the plugin APIs (camera is a popular one). My response so far is:
> > > > > > > > >>>>>> "This is an unsupported configuration, because Cordova was not
> > > > > > > > >>>>>> designed for this and the community does no testing of this
> > > > > > > > >>>>>> configuration. While it can work in some circumstances, it is not
> > > > > > > > >>>>>> recommended nor supported."
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> My definition of "unsupported" is not that it is incapable, but
> > > > > > > > >>>>>> that we don't claim that it is supposed to work, and more
> > > > > > > > >>>>>> importantly, we won't actively fix user-submitted defects on this
> > > > > > > > >>>>>> topic.
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> The main concern I have on this is same origin policy, and
> > > > > > > > >>>>>> matching the remotely-served cordova.js with the locally-installed
> > > > > > > > >>>>>> native Cordova platform to avoid version mismatch.
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> If you agree, what would you think of a blurb in cordova-docs
> > > > > > > > >>>>>> somewhere that captures this gist?
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > >>>
> > > > > > > > >>> --
> > > > > > > > >>>
> > > > > > > > >>> *Frederico Galvão*
> > > > > > > > >>>
> > > > > > > > >>> Technology Director
> > > > > > > > >>>
> > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > >>>
> > > > > > > > >>> +55(62) 8131-5720
> > > > > > > > >>>
> > > > > > > > >>> www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > >>
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > ------------------------------
> > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS +81 (0)3-4550-1448 | Website
> > > > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > > > > > Facebook <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <[email protected]>
> > >
> >
> >
> >
> >
>
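The Spellcaster steps Ally describes (download the loader, inject the Cordova script tag after <head>, load locally) and Marcel's concern about matching the served cordova.js to the installed platform both come down to one rule: only the bundled, version-linked cordova.js should ever run in the WebView. The following is an added example, not Spellcaster's or Cordova's own code, that rewrites a downloaded loader to enforce that rule; LOCAL_CORDOVA_SRC is an assumed path and SAMPLE_LOADER is a constructed input.

```javascript
// Added example, not Spellcaster's or Cordova's own code: after the app has
// downloaded its HTML "loader", rewrite it so the WebView only ever runs the
// cordova.js bundled with the installed platform (the version-linked copy),
// never one served by the remote host. LOCAL_CORDOVA_SRC is an assumed path.
const LOCAL_CORDOVA_SRC = 'cordova.js';

// Any <script src="...cordova.js..."></script> tag, with the src captured.
const CORDOVA_SCRIPT_RE =
  /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]*cordova\.js[^"'\s>]*)["']?[^>]*>\s*<\/script>/gi;

// "http://x/cordova.js" and "//x/cordova.js" are remote; "js/cordova.js" is not.
function isRemoteSrc(src) {
  return /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(src);
}

// Returns the rewritten HTML plus what was stripped, so the caller can log it.
function prepareLoader(html) {
  const removed = [];
  let hasLocal = false;
  // 1. Drop every remote cordova.js the downloaded page tries to pull in;
  //    a local reference is left alone so the script is not loaded twice.
  let out = html.replace(CORDOVA_SCRIPT_RE, (tag, src) => {
    if (isRemoteSrc(src)) { removed.push(src); return ''; }
    hasLocal = true;
    return tag;
  });
  if (hasLocal) return { html: out, removed, injected: false };
  // 2. Inject the bundled script right after <head>, as Spellcaster does.
  const head = /<head\b[^>]*>/i.exec(out);
  if (!head) throw new Error('loader has no <head>; refusing to inject');
  const at = head.index + head[0].length;
  out = out.slice(0, at) + `<script src="${LOCAL_CORDOVA_SRC}"></script>` + out.slice(at);
  return { html: out, removed, injected: true };
}

// Constructed sample: a downloaded loader that references a remote cordova.js.
const SAMPLE_LOADER =
  '<html><head><title>game</title>' +
  '<script src="http://somerandom.com/js/cordova.js"></script>' +
  '</head><body></body></html>';
```

Running prepareLoader(SAMPLE_LOADER) strips the remote reference and injects the local one; a loader that already carries a local cordova.js is passed through untouched, and a loader with no <head> is rejected rather than loaded unmodified.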


