I would vote for defaulting to WebViewAssetLoader but still allow using file:// from a config.xml preference for the people that are not ready to move on. But on cordova-ios 6 I think we ended up defaulting to file:// and use the schemes only as opt-in.
About migrating data, I don't think that's our job, but we can point users to plugins if you know some. El mar, 27 abr 2021 a las 8:03, Niklas Apache (<niklasm...@apache.org>) escribió: > Hey folks, > > we recently merged a PR [1] which significantly changes how cordova- > android loads web content in the webview and now need to decide how to > move proceed. > > Google introduced the WebViewAssetLoader to make it possible to use web > content from a standard http(s) scheme instead of file:. This was done > to remove security risks [2] and some apps with routing frameworks like > React and Angular need this for proper routing. > > Because cordova-android 10 now uses AndroidX we could implement the > WebViewAssetLoader and remove some deprecated or security related > WebSettings and move the platform forward to current Android standards. > > This change may break some apps now because the origin changes if the > app now runs on https://localhost for example instead of file://. > Changing the origin means losing access to web storage like > localstorage, indexedb etc. First and foremost we need to announce that > change with the release for developers to act but additionally we could > do: > > 1.) Default back to file:// and make the WebViewAssetLoader opt-in via > config.xml. This exposes apps to the security risk: > > > Note: Apps should not open file:// URLs from any external source in > WebView, don't enable this if your app accepts arbitrary URLs from > external sources. It's recommended to always use > androidx.webkit.WebViewAssetLoader > < > https://developer.android.com/reference/androidx/webkit/WebViewAssetLoader > > > to access files including assets and resources over http(s):// schemes, > instead of file:// URLs. To prevent possible security issues targeting > Build.VERSION_CODES.Q > <https://developer.android.com/reference/android/os/Build.VERSION_CODES#Q> > and earlier, you should explicitly set this value to false. > > 2.) Add a migration for localstorage etc. to the platform to provide a > smoother transition > > 3.) Use the WebViewAssetLoader only and don't migrate in the platform > but point users to a plugin that helps them to manage their migration > > Personally I would favor to move to WebViewAssetLoader by default in > this breaking release to get apps up to date and adapt to Androids > changes. I don't know how many apps would be affected because I suspect > many apps are using native storage solutions (SQLite etc.) or are > running Ionics WebView with the https scheme already. I am doing both > for my apps because of the many localstorage and non https scheme issues > we had in the past and I suspect many did as well. > > Cordova Android 10 needs to be released rather sooner than later so > please leave your feedback. > > Thank you very much and kind regards > Niklas > > [1] https://github.com/apache/cordova-android/pull/1137 > [2] > > https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean) >
