cordova-dev mailing list archives

From Ally Ogilvie <aogil...@wizcorp.jp>
Subject Re: remotely loaded pages
Date Thu, 21 Aug 2014 03:57:58 GMT
That's a good difference to point out.

>My personal position is that scenarios where developer is in control and
>loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
>scenario for Cordova

I agree, because as cordova.js and cordovaLib are version linked, it makes
sense that once an index.html is pulled in, its cordova.js to load is
already in the client application.
Loading an external cordova.js would be suicidal. So we save the file
locally to write into its <HEAD> our known path to cordova.js.







On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <csantana23@gmail.com>
wrote:

> I want to make a clarification: there is a notable difference between loading
> remotely-loaded *(non-local)* HTML pages with Cordova vs. a downloaded
> webapp to be loaded from a *local* HTML.
>
> IBM Worklight has a feature "Direct update"
>
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
>
> The scenario is a download and local load of html/cordova. Similar scenario
> as spellcaster and appmobi.
> For this scenario there is control from the app developer of the code being
> loaded.
>
> What Marcel is asking about is a *non-local* load of arbitrary html/code not
> controlled by the developer: the developer loading a free html page owned by
> someone else and doing a kind of
> "document.location.replace('http://somerandom.com/thisotherguy.html')"
>
> My personal position is that scenarios where developer is in control and
> loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> scenario for Cordova. Loading a random cordova.js directly from a non-local
> random place is not guaranteed to be supported.
>
>
>
>
> On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b@brian.io> wrote:
>
> > Very much so. So much so, I think we should even consider such
> > functionality as 'core'. Could dovetail w/ Serviceworker.
> >
> >
> > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <agrieve@chromium.org>
> > wrote:
> >
> > > I think this is a very desired plugin that many end up re-writing, and it's
> > > far better than setting the content src directly to a remote URL.
> > >
> > > E.g. just stumbled across this yesterday:
> > > http://docs.appmobi.com/index.php/live-update/
> > >
> > >
> > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mmocny@chromium.org> wrote:
> > >
> > > > Make it available Ally, of course that sounds interesting!
> > > >
> > > > I'm sure a few of us have suggestions for improvements too.
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <aogilvie@wizcorp.jp> wrote:
> > > >
> > > >
> > > > > > Marcel, Sorry for the late reply.
> > > > > >
> > > > > > For some games that I produce where the entire game is served to the
> > > > > > client (requires no .html in the application) we have a tool called
> > > > > > "spellcaster".
> > > > > > Spellcaster handles internet connectivity, localisation and Cordova code
> > > > > > injection. It works as follows:
> > > > > >
> > > > > > One simply adds an application URL to Cordova's config.xml in
> > > > > > <content src=YOUR_URL_HERE>
> > > > > >
> > > > > > - Spellcaster will check for an active internet connection. If one is not
> > > > > > found Spellcaster will continue retrying at a set interval.
> > > > > > - Spellcaster downloads the content of the provided application URL and
> > > > > > stores to application cache (overriding any existing loader).
> > > > > > - Spellcaster injects Cordova script tags just after the <head> tag.
> > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > >
> > > > > > *loader is your html to load.
> > > > > >
> > > > > > Are people still in need of such a solution? I could have this code made
> > > > > > public it just needs a public sanitise check. Spellcaster supports iOS and
> > > > > > Android.
> > > > > > For iOS it requires 1 line of code to be added to
> > > > > > didFinishLaunchingWithOptions.
> > > > > > For Android it requires these overrides in onCreate:
> > > > > >
> > > > > > @Override
> > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > >     super.onCreate(savedInstanceState);
> > > > > >     super.init();
> > > > > >
> > > > > > @Override
> > > > > > public void init() {
> > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > >     spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > ...
> > > > > >
> > > > > > @Override
> > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > >              org.apache.cordova.CordovaWebViewClient webViewClient,
> > > > > >              org.apache.cordova.CordovaChromeClient webChromeClient) {
> > > > > >     super.init(webView, webViewClient, webChromeClient);
> > > > > >
> > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > >     spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > ...
> > > > >
> > > > >
> > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <purplecabbage@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > It is great design for development, and netflix.
> > > > > > >
> > > > > > > Sent from my iPhone
> > > > > > >
> > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mhweiner234@gmail.com> wrote:
> > > > > > > >
> > > > > > > > It's technically possible, and even (arguably) legal according to
> > > > > > > > Apple's documentation, depending on the nature of the code and how
> > > > > > > > it's implemented:
> > > > > > > >
> > > > > > > > 3.3.2 An Application may not download or install executable code.
> > > > > > > > Interpreted code may only be used in an Application if all scripts,
> > > > > > > > code and interpreters are packaged in the Application and not
> > > > > > > > downloaded. The only exception to the foregoing is scripts and code
> > > > > > > > downloaded and run by Apple's built-in WebKit framework, provided
> > > > > > > > that such scripts and code do not change the primary purpose of the
> > > > > > > > Application by providing features or functionality that are
> > > > > > > > inconsistent with the intended and advertised purpose of the
> > > > > > > > Application as submitted to the App Store.
> > > > > > > >
> > > > > > > > However, I would only do so if the code is coming from a server that
> > > > > > > > you control, and if you are able to control what code is getting
> > > > > > > > executed. Loading in 3rd party, unverified scripts into your Cordova
> > > > > > > > view is a big "no-no" for security reasons, and could get your app
> > > > > > > > delisted (or rejected).
> > > > > > > >
> > > > > > > > If anyone else has more information on the topic, I'd be interested
> > > > > > > > in hearing it.
> > > > > > > >
> > > > > > > > Marc
> > > > > > > >
> > > > > > > >
> > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <sosah.victor@gmail.com> wrote:
> > > > > > >>
> > > > > > > >> Hi Frederico.
> > > > > > > >>
> > > > > > > >> While what you are saying about the policies stores is true, this
> > > > > > > >> applies to public stores only (as far as I can tell). For on-premise
> > > > > > > >> app stores this might be false because each store owner need to set
> > > > > > > >> and apply the governance for the apps. It could end on horrible
> > > > > > > >> results due to a bad implementation.
> > > > > > > >>
> > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão"
> > > > > > > >> <frederico.galvao@pontoget.com.br> wrote:
> > > > > > >>
> > > > > > > >>> I don't have the details in hand at the moment, but I remember
> > > > > > > >>> seeing in more than one application store last year policies being
> > > > > > > >>> changed to disallow remote code to run in an application on-demand.
> > > > > > > >>> Such rules *could* as well be applied to Cordova apps that load
> > > > > > > >>> remote content considered as code (HTML isn't, but JS is). It's not
> > > > > > > >>> only a security concern per se, but also an imposed limitation on
> > > > > > > >>> the stores (which were obviously created for security concerns in
> > > > > > > >>> the first place).
> > > > > > > >>>
> > > > > > > >>> Not even mentioning the issues with providing the right cordova.js
> > > > > > > >>> version from the remote server not really knowing where the request
> > > > > > > >>> came from.
> > > > > > > >>> However, it's good to note too that aside Phonegap Developer App,
> > > > > > > >>> there is also Adobe Hydration that does the exact same thing as a
> > > > > > > >>> side service to Phonegap Build. I don't know if they've come into
> > > > > > > >>> any of the issues mentioned, and I haven't even heard of it being
> > > > > > > >>> used in production.
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <purplecabbage@gmail.com>:
> > > > > > >>>
> > > > > > > >>>> I agree with all your statements Marcel. I use this approach
> > > > > > > >>>> frequently in dev for fast turnaround.
> > > > > > > >>>> Ultimately App Store policies decide what can and cannot be done.
> > > > > > > >>>>
> > > > > > > >>>> Regarding security, there is nothing I can do with a remote page
> > > > > > > >>>> that I can't already do inside my app. It's an issue of trust.
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>> Sent from my iPhone
> > > > > > > >>>>
> > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <shazron@gmail.com> wrote:
> > > > > > > >>>>>
> > > > > > > >>>>> I agree that it is not recommended, but it's possible. I delved
> > > > > > > >>>>> into this question here:
> > > > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > >>>>>
> > > > > > > >>>>> The PhoneGap Developer App is an example of how this is working
> > > > > > > >>>>> at http://app.phonegap.com but they do some proxying to get
> > > > > > > >>>>> around the CORS limitations I believe.
> > > > > > > >>>>>
> > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cmarcelk@gmail.com> wrote:
> > > > > > > >>>>>> I've been getting occasional questions about users trying to use
> > > > > > > >>>>>> remotely-loaded (non-local) HTML pages with Cordova (in the
> > > > > > > >>>>>> webview, not InAppBrowser), and still expecting to have access
> > > > > > > >>>>>> to the plugin APIs (camera is a popular one). My response so far
> > > > > > > >>>>>> is: "This is an unsupported configuration, because Cordova was
> > > > > > > >>>>>> not designed for this and the community does no testing of this
> > > > > > > >>>>>> configuration. While it can work in some circumstances, it is
> > > > > > > >>>>>> not recommended nor supported."
> > > > > > > >>>>>>
> > > > > > > >>>>>> My definition of "unsupported" is not that it is incapable, but
> > > > > > > >>>>>> that we don't claim that it is supposed to work, and more
> > > > > > > >>>>>> importantly, we won't actively fix user-submitted defects on
> > > > > > > >>>>>> this topic.
> > > > > > > >>>>>>
> > > > > > > >>>>>> The main concern I have on this is same origin policy, and
> > > > > > > >>>>>> matching the remotely-served cordova.js with the
> > > > > > > >>>>>> locally-installed native Cordova platform to avoid version
> > > > > > > >>>>>> mismatch.
> > > > > > > >>>>>>
> > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > > > > > > >>>>>>
> > > > > > > >>>>>> If you agree, what would you think of a blurb in cordova-docs
> > > > > > > >>>>>> somewhere that captures this gist?
> > > > > > > >>>>>>
> > > > > > > >>>>>> Thanks for your feedback!
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> --
> > > > > > >>>
> > > > > > >>> *Frederico Galvão*
> > > > > > >>>
> > > > > > >>> Diretor de Tecnologia
> > > > > > >>>
> > > > > > >>> PontoGet Inovação Web
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> ( +55(62) 8131-5720
> > > > > > >>>
> > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > >>
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > ------------------------------
> > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> | Facebook
> > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > >
> > > >
> > >
> >
>
>
>
> --
> Carlos Santana
> <csantana23@gmail.com>
>



-- 
<http://www.wizcorp.jp/>Ally Ogilvie
Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
------------------------------
TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
<http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> | Facebook
<http://www.facebook.com/Wizcorp> | LinkedIn
<http://www.linkedin.com/company/wizcorp>
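
The approach discussed in this thread (fetch the loader only from a server the developer controls, drop any cordova.js reference it carries, and write the known local cordova.js path into its <head>), sketched as an added example that is not Spellcaster's code or part of the original messages. The allowed origin, the local asset path and the function names are assumptions made for illustration.

```javascript
// Added illustration; not Spellcaster's code. All names and values are assumptions.
const ALLOWED_ORIGIN = 'https://game.example.com';                // server the developer controls
const LOCAL_CORDOVA_JS = 'file:///android_asset/www/cordova.js';  // copy shipped inside the app

// Any <script src=...cordova*.js> tag, wherever it points.
const CORDOVA_SCRIPT = /<script\b[^>]*\bsrc\s*=\s*["']?[^"'\s>]*cordova[\w.-]*\.js[^"'\s>]*["']?[^>]*>\s*<\/script\s*>/gi;
const HEAD_OPEN = /<head\b[^>]*>/i;

function isTrustedSource(url) {
  try {
    return new URL(url).origin === ALLOWED_ORIGIN; // scheme, host and port must all match
  } catch {
    return false; // not a parseable absolute URL
  }
}

function prepareLoader(sourceUrl, html) {
  if (!isTrustedSource(sourceUrl)) {
    throw new Error('refusing loader from untrusted origin: ' + sourceUrl);
  }
  // Remove every cordova.js the downloaded page tries to bring with it, so the
  // JS side always matches the native Cordova library built into the app.
  let removed = 0;
  const cleaned = html.replace(CORDOVA_SCRIPT, () => { removed += 1; return ''; });
  if (!HEAD_OPEN.test(cleaned)) {
    throw new Error('loader has no <head> to inject into');
  }
  // Inject the local copy directly after the opening <head> tag.
  const tag = '<script src="' + LOCAL_CORDOVA_JS + '"></script>';
  return { html: cleaned.replace(HEAD_OPEN, (m) => m + tag), removed };
}

// Constructed sample loader that references a remote cordova.js of its own.
const SAMPLE_LOADER = '<!DOCTYPE html><html><head lang="en"><title>Game</title>' +
  '<script src="https://cdn.example.net/cordova-3.5.0.js"></script>' +
  '<script src="app.js"></script></head><body></body></html>';

const prepared = prepareLoader('https://game.example.com/index.html', SAMPLE_LOADER);
console.log(prepared.removed, prepared.html);
```

The rewritten HTML is what would be saved to the application cache and loaded into the WebView; a pattern-based strip like this is a version-consistency measure, not a substitute for controlling what the server delivers.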
