cordova-dev mailing list archives

From Chuck Lantz <cla...@microsoft.com>
Subject RE: Windows build issue due to http whitelisting rules
Date Tue, 26 Aug 2014 15:13:36 GMT
Yeah this is a platform restriction exclusively related to the security model related to referencing
JavaScript code that is not inside the app package. There are no restrictions on XHR style
calls or general content. At the moment you need to include that content in a webview control
(custom x-ms-webview element) or iframe. (The equivalent of "sandboxed" content on other platforms.)


Here's the scoop on security current state: http://msdn.microsoft.com/en-us/library/windows/apps/hh849625.aspx

Lots of conversations going on about go-forward plan on this topic. A JavaScript Dynamic Content
shim polyfill was recently released to help improve compatibility that is blessed by Windows:
https://github.com/MsopenTech/winstore-jscompat


-Chuck

-----Original Message-----
From: iclelland@google.com [mailto:iclelland@google.com] On Behalf Of Ian Clelland
Sent: Tuesday, August 26, 2014 6:05 AM
To: dev@cordova.apache.org
Subject: Re: Windows build issue due to http whitelisting rules

Wow -- it seems very heavy-handed to force that on app developers (how do you build a web
browsing app in that case?)

Does that apply to all network requests, or just the pages that can be loaded into the main
application window?

Your solution seems like a good one, though; just filter the unusable rules between the app-level
configuration and the platform config, and warn the developer that it's happening. (At least
I *think* that's what it's doing ;) )



On Tue, Aug 26, 2014 at 5:19 AM, Sergey Grebnov (Akvelon) <v-segreb@microsoft.com> wrote:

> Windows 8.1 and Phone 8.1 require https for access rules[1], http is
> not supported anymore. I've sent PR below [2] to prevent build failure
> and trace warning message for this case. One of the real cases where it is
> required is mobile spec app which cannot be built since it defines
> the following rules.
>
>     <access origin="http://audio.ibeat.org" />
>     <access origin="http://cordova-filetransfer.jitsu.com" />
>     <access origin="http://whatheaders.com" />
>     <access origin="http://*.apache.org" />
>     <access origin="https://*.apache.org" />
>     <access origin="http://www.google.com" />
>     <access origin="http://techslides.com" />
>     <access origin="httpssss://example.com" />
>
> [1] http://msdn.microsoft.com/en-us/library/windows/desktop/dn457654(v=vs.85).aspx
> [2] https://github.com/apache/cordova-windows/pull/41
>
> Thx!
> Sergey
>
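The filtering approach discussed in this thread (drop access rules the platform cannot accept and warn instead of failing the build), as an added example that is not the code from the pull request or from cordova-windows. The function names, the warning wording and the choice to emit `<Rule Match="..." Type="include" />` lines are assumptions; the origins are the mobile spec rules quoted above.

```javascript
// Added example, not cordova-windows code: split Cordova <access origin="...">
// values into rules a Windows 8.1 manifest can carry (https only) and rules
// that are skipped with a warning. All names here are hypothetical.

// Origins copied from the mobile spec rules quoted in the thread.
const SAMPLE_ORIGINS = [
  'http://audio.ibeat.org',
  'http://cordova-filetransfer.jitsu.com',
  'http://whatheaders.com',
  'http://*.apache.org',
  'https://*.apache.org',
  'http://www.google.com',
  'http://techslides.com',
  'httpssss://example.com',
];

// Escape a value for use inside a double-quoted XML attribute.
function escapeXmlAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Returns { rules, warnings } rather than throwing, so a single unsupported
// origin is reported to the developer without failing the whole build.
function filterAccessRules(origins) {
  const rules = [];
  const warnings = [];
  for (const raw of origins) {
    const origin = String(raw).trim();
    // The scheme is whatever precedes "://"; compare it case-insensitively.
    const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(origin);
    const scheme = m ? m[1].toLowerCase() : null;
    if (scheme === 'https') {
      rules.push(origin);
    } else {
      warnings.push(`Access rule "${origin}" skipped: ` +
        (scheme ? `scheme "${scheme}" is not https` : 'no scheme found'));
    }
  }
  return { rules, warnings };
}

// Render the surviving origins as manifest content URI rules.
function toManifestRules(rules) {
  return rules
    .map((r) => `<Rule Match="${escapeXmlAttr(r)}" Type="include" />`)
    .join('\n');
}

const result = filterAccessRules(SAMPLE_ORIGINS);
result.warnings.forEach((w) => console.warn(w));
console.log(toManifestRules(result.rules));
```

Surfacing each skipped rule matters because the app will silently lose access to those origins on Windows while still reaching them on other platforms.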