breautek commented on pull request #322: URL: https://github.com/apache/cordova-plugin-file/pull/322#issuecomment-747702075
> The former. > This is for a use-case of the cordova WebView loading a remote https site, but some of the resources are loaded from local files using cdvfile. We can't really support this kind of configuration. It's against the iOS terms to load in local resources from a remote site. Doing so is a security risk because one could load in the `cordova.js` file and thus have access to native APIs. For iOS this breaks Apple's terms, section 4.7 which reads: > Apps may contain or run code that is not embedded in the binary (e.g. HTML5-based games, bots, etc.), as long as code distribution isn’t the main purpose of the app, the code is not offered in a store or store-like interface, and provided that the software (1) is free or purchased using in-app purchase; (2) **only uses capabilities available in a standard WebKit** view (e.g. it must open and run natively in Safari **without modifications or additional software**); your app must use WebKit and JavaScript Core to run third-party software and **should not attempt to extend or expose native platform APIs to third-party software**; ... https://developer.apple.com/app-store/review/guidelines/#third-party-software Google has similar text, however not well explained: > An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine and **has limited access to Android APIs** (such as JavaScript in a webview or browser). https://support.google.com/googleplay/android-developer/answer/9888379?hl=en&ref_topic=9877467 Do note that the Cordova webview is a webview that explicitly provides the means to access native Android APIs, therefore the mentioned restriction regarding JS in the webview does not apply to Cordova. For these reasons we cannot accept a PR that allows local access to files from remotely loaded sources. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
