cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Kim <timki...@gmail.com>
Subject Re: remotely loaded pages
Date Thu, 21 Aug 2014 18:35:49 GMT
>
> I wonder how it solves the problems of serving the
> correct version of cordova.js and cordova_plugin.js depending on the
> version of the native code that is installed on the different versions of
> the mobile App in production.


When you connect to the IP that's being served by connect-phonegap, the
client will send its device.version and device.platform to the server. On
the server's side, there's a res folder within connect-phonegap with all
the various version and platforms of the cordova.js, cordova_plugins.js and
plugins/.


On 21 August 2014 11:20, Carlos Santana <csantana23@gmail.com> wrote:

> Sorry Brian, I thought it was a development time tool to allow for fast
> development cycle associated with PhoneGap Developer App.
>
> I guess they can use it and run the connect-phonegap in a production
> node-js backend system, I wonder how it solves the problems of serving the
> correct version of cordova.js and cordova_plugin.js depending on the
> version of the native code that is installed on the different versions of
> the mobile App in production.
>
>
>
>
> On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b@brian.io> wrote:
>
> > totally, though connect-phonegap *could* be considered production worthy
> > (it is being used significantly by the pg downstream community)
> >
> >
> > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana <csantana23@gmail.com>
> > wrote:
> >
> > > Brain I think that's OK at development time everything is fair game :-)
> > >
> > > The problem is developers doing stupid things like loading a cordova.js
> > > from a place they don't know for a in production app being used by end
> > > users, that's just kamikaze
> > >
> > > That's OK if they want to shoot themselves in the foot, but then don't
> > come
> > > crying to JIRA claiming that is a problem with Cordova project.
> > >
> > >
> > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b@brian.io> wrote:
> > >
> > > > phonegap-connect serves up remote cordova.js (negotiates the
> requestor
> > to
> > > > send the right file)
> > > >
> > > > no deaths yet!
> > > >
> > > >
> > > >
> > >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <aogilvie@wizcorp.jp>
> > > wrote:
> > > >
> > > > > That's a good difference to point out.
> > > > >
> > > > > >My personal position is that scenarios where developer is in
> control
> > > and
> > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a
> valid
> > > > > >scenario for Cordova
> > > > >
> > > > > I agree, because as cordova.js and cordovaLib are version linked,
> it
> > > > makes
> > > > > sense that once an index.html is pulled in, it's cordova.js to load
> > is
> > > > > already in the client application.
> > > > > Loading an external cordova.js would be suicidal. So we save the
> file
> > > > > locally to write into it's <HEAD> our known path to codova.js
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > csantana23@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I want to make clarification there is a notable difference
> between
> > > > > loading
> > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova vs.
a
> > > > downloaded
> > > > > > webapp to be loaded from a *local* HTML.
> > > > > >
> > > > > > IBM Worklight has a feature "Direct update"
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > > > > >
> > > > > > The scenario is a download and local load of html/cordova.
> Similar
> > > > > scenario
> > > > > > as spellcaster and appmobi
> > > > > > For this scenario there is control from app developer of the
code
> > > being
> > > > > > loaded.
> > > > > >
> > > > > > What Marcel is asking is a *non-local* load of arbitrary
> html/code
> > > not
> > > > > > control by developer, developer loading a free html page own
> > someone
> > > > else
> > > > > > and doing kind of a "document.location.replace('
> > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > >
> > > > > > My personal position is that scenarios where developer is in
> > control
> > > > and
> > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster) is
a
> valid
> > > > > > scenario for Cordova. loading a random cordova.js directly from
a
> > > > > non-local
> > > > > > random place not guarantee to be supported.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b@brian.io>
> wrote:
> > > > > >
> > > > > > > Very much so. So much so, I think we should even consider
such
> > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > agrieve@chromium.org
> > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I think this is a very desired plugin that many end
up
> > > re-writing,
> > > > > and
> > > > > > > it's
> > > > > > > > far better than setting the content src directly to
a remote
> > URL.
> > > > > > > >
> > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > mmocny@chromium.org
> > > > >
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Make it available Ally, of course that sounds
interesting!
> > > > > > > > >
> > > > > > > > > I'm sure a few of us have suggestions for improvements
too.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie
<
> > > > aogilvie@wizcorp.jp
> > > > > >
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > >
> > > > > > > > > > For some games that I produce where the
entire game is
> > served
> > > > to
> > > > > > the
> > > > > > > > > client
> > > > > > > > > > (requires no .html in the application) we
have a tool
> > called
> > > > > > > > > "spellcaster".
> > > > > > > > > > Spellcaster handles internet connectivity,
localisation
> and
> > > > > Cordova
> > > > > > > > code
> > > > > > > > > > injection. It works as follows:
> > > > > > > > > >
> > > > > > > > > > One simply adds an application URL to Cordova's
> config.xml
> > in
> > > > > > > <content
> > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > >
> > > > > > > > > > - Spellcaster will check for an active internet
> connection.
> > > If
> > > > > one
> > > > > > is
> > > > > > > > not
> > > > > > > > > > found Spellcaster will continue retrying
at a set
> interval.
> > > > > > > > > > - Spellcaster downloads the content of the
provided
> > > application
> > > > > URL
> > > > > > > and
> > > > > > > > > > stores to application cache (overriding
any existing
> > loader).
> > > > > > > > > > - Spellcaster injects Cordova script tags
just after the
> > > <head>
> > > > > > tag.
> > > > > > > > > > - Spellcaster loads the new *loader into
the WebView
> > > > > > > > > >
> > > > > > > > > > *loader is your html to load.
> > > > > > > > > >
> > > > > > > > > > Are people still in need of such a solution?
I could have
> > > this
> > > > > code
> > > > > > > > made
> > > > > > > > > > public it just needs a public sanitise check.
Spellcaster
> > > > > supports
> > > > > > > iOS
> > > > > > > > > and
> > > > > > > > > > Android.
> > > > > > > > > > For iOS it requires 1 line of code to be
added to
> > > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > > For Android it requires these overrides
in onCreate:
> > > > > > > > > >
> > > > > > > > > > @Override
> > > > > > > > > > public void onCreate(Bundle savedInstanceState)
{
> > > > > > > > > >     super.onCreate(savedInstanceState);
> > > > > > > > > >     super.init();
> > > > > > > > > >
> > > > > > > > > > @Override
> > > > > > > > > > public void init() {
> > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
appView);
> > > > > > > > > > ...
> > > > > > > > > >
> > > > > > > > > > @Override
> > > > > > > > > > public void init(org.apache.cordova.CordovaWebView
> webView,
> > > > > > > > > >              org.apache.cordova.CordovaWebViewClient
> > > > > webViewClient,
> > > > > > > > > >              org.apache.cordova.CordovaChromeClient
> > > > > > webChromeClient)
> > > > > > > {
> > > > > > > > > >     super.init(webView, webViewClient, webChromeClient);
> > > > > > > > > >
> > > > > > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > >     spellcaster.init(this, Config.getStartUrl(),
> webView);
> > > > > > > > > > ...
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage
<
> > > > > > > purplecabbage@gmail.com
> > > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > It is great design for development,
and netflix.
> > > > > > > > > > >
> > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > >
> > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc
Weiner <
> > > > > mhweiner234@gmail.com
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > It's technically possible, and
even (arguably) legal
> > > > > according
> > > > > > to
> > > > > > > > > > Apple's
> > > > > > > > > > > > documentation, depending on the
nature of the code
> and
> > > how
> > > > > it's
> > > > > > > > > > > implemented:
> > > > > > > > > > > >
> > > > > > > > > > > > 3.3.2 An Application may not download
or install
> > > executable
> > > > > > code.
> > > > > > > > > > > > Interpreted code may only be used
in an Application
> if
> > > all
> > > > > > > scripts,
> > > > > > > > > > code
> > > > > > > > > > > > and interpreters are packaged
in the Application and
> > not
> > > > > > > > downloaded.
> > > > > > > > > > The
> > > > > > > > > > > > only exception to the foregoing
is scripts and code
> > > > > downloaded
> > > > > > > and
> > > > > > > > > run
> > > > > > > > > > by
> > > > > > > > > > > > Apple's built-in WebKit framework,
provided that such
> > > > scripts
> > > > > > and
> > > > > > > > > code
> > > > > > > > > > do
> > > > > > > > > > > > not change the primary purpose
of the Application by
> > > > > providing
> > > > > > > > > features
> > > > > > > > > > > or
> > > > > > > > > > > > functionality that are inconsistent
with the intended
> > and
> > > > > > > > advertised
> > > > > > > > > > > > purpose of the Application as
submitted to the App
> > Store.
> > > > > > > > > > > >
> > > > > > > > > > > > However, I would only do so if
the code is coming
> from
> > a
> > > > > server
> > > > > > > > that
> > > > > > > > > > you
> > > > > > > > > > > > control, and if you are able to
control what code is
> > > > getting
> > > > > > > > > executed.
> > > > > > > > > > > > Loading in 3rd party, unverified
scripts into your
> > > Cordova
> > > > > view
> > > > > > > is
> > > > > > > > a
> > > > > > > > > > big
> > > > > > > > > > > > "no-no" for security reasons,
and could get your app
> > > > delisted
> > > > > > (or
> > > > > > > > > > > rejected).
> > > > > > > > > > > >
> > > > > > > > > > > > If anyone else has more information
on the topic, I'd
> > be
> > > > > > > interested
> > > > > > > > > in
> > > > > > > > > > > > hearing it.
> > > > > > > > > > > >
> > > > > > > > > > > > Marc
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01
PM, Victor Sosa <
> > > > > > > > sosah.victor@gmail.com
> > > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > >>
> > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > >>
> > > > > > > > > > > >> While what you are saying
about the policies stores
> is
> > > > true,
> > > > > > > this
> > > > > > > > > > > applies
> > > > > > > > > > > >> to public stores only (as
far as I can tell). For
> > > > on-premise
> > > > > > app
> > > > > > > > > > stores
> > > > > > > > > > > >> this might be false because
each store owner need to
> > set
> > > > and
> > > > > > > apply
> > > > > > > > > the
> > > > > > > > > > > >> governance for the apps. It
could end on horrible
> > > results
> > > > > due
> > > > > > > to a
> > > > > > > > > bad
> > > > > > > > > > > >> implementation.
> > > > > > > > > > > >>
> > > > > > > > > > > >> I concur with everyone, it
is possible but awful
> > design
> > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico
Galvão" <
> > > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > > >> wrote:
> > > > > > > > > > > >>
> > > > > > > > > > > >>> I don't have the details
in hand at the moment,
> but I
> > > > > > remember
> > > > > > > > > seeing
> > > > > > > > > > > in
> > > > > > > > > > > >>> more than one application
store last year policies
> > > being
> > > > > > > changed
> > > > > > > > to
> > > > > > > > > > > >>> disallow remote code to
run in an application
> > > on-demand.
> > > > > Such
> > > > > > > > rules
> > > > > > > > > > > >> *could*
> > > > > > > > > > > >>> as well be applied to
Cordova apps that load remote
> > > > content
> > > > > > > > > > considered
> > > > > > > > > > > as
> > > > > > > > > > > >>> code (HTML isn't, but
JS is). It's not only a
> > security
> > > > > > concern
> > > > > > > > per
> > > > > > > > > > se,
> > > > > > > > > > > >> but
> > > > > > > > > > > >>> also an imposed limitation
on the stores (which
> were
> > > > > > obviously
> > > > > > > > > > created
> > > > > > > > > > > >> for
> > > > > > > > > > > >>> security concerns in the
first place).
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> Not even mentioning the
issues with providing the
> > right
> > > > > > > > cordova.js
> > > > > > > > > > > >> version
> > > > > > > > > > > >>> from the remote server
not really knowing where the
> > > > request
> > > > > > > came
> > > > > > > > > > from.
> > > > > > > > > > > >>> However, it's good to
note too that aside Phonegap
> > > > > Developer
> > > > > > > App,
> > > > > > > > > > there
> > > > > > > > > > > >> is
> > > > > > > > > > > >>> also Adobe Hydration that
does the exact same thing
> > as
> > > a
> > > > > side
> > > > > > > > > service
> > > > > > > > > > > to
> > > > > > > > > > > >>> Phonegap Build. I don't
know if they've come into
> any
> > > of
> > > > > the
> > > > > > > > issues
> > > > > > > > > > > >>> mentioned, and I haven't
even heard of it being
> used
> > in
> > > > > > > > production.
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00
purplecabbage <
> > > > > > > > purplecabbage@gmail.com
> > > > > > > > > >:
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>> I agree with all your
statements Marcel. I use
> this
> > > > > approach
> > > > > > > > > > > frequently
> > > > > > > > > > > >>> in
> > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > >>>> Ultimately App Store
policies decide what can and
> > > cannot
> > > > > be
> > > > > > > > done.
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>> Regarding security,
there is nothing I can do
> with a
> > > > > remote
> > > > > > > page
> > > > > > > > > > that
> > > > > > > > > > > I
> > > > > > > > > > > >>>> can't already do inside
my app. It's an issue of
> > > trust.
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>>> On Aug 1, 2014,
at 10:35 AM, Shazron <
> > > > shazron@gmail.com>
> > > > > > > > wrote:
> > > > > > > > > > > >>>>>
> > > > > > > > > > > >>>>> I agree that it
is not recommended, but it's
> > > possible.
> > > > I
> > > > > > > delved
> > > > > > > > > > into
> > > > > > > > > > > >>>>> this question
here:
> > > > > > > > > > > >>>>>
> > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > >>>>>
> > > > > > > > > > > >>>>> The PhoneGap Developer
App is an example of how
> > this
> > > is
> > > > > > > working
> > > > > > > > > at
> > > > > > > > > > > >>>>> http://app.phonegap.com
but they do some
> proxying
> > to
> > > > get
> > > > > > > > around
> > > > > > > > > > the
> > > > > > > > > > > >>>>> CORS limitations
I believe.
> > > > > > > > > > > >>>>>
> > > > > > > > > > > >>>>>> On Fri, Aug
1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > >>>>>> I've been
getting occasional questions about
> users
> > > > > trying
> > > > > > to
> > > > > > > > use
> > > > > > > > > > > >>>> remotely-loaded (non-local)
HTML pages with
> Cordova
> > > (in
> > > > > the
> > > > > > > > > webview,
> > > > > > > > > > > >> not
> > > > > > > > > > > >>>> InAppBrowser), and
still expecting to have access
> to
> > > the
> > > > > > > plugin
> > > > > > > > > APIs
> > > > > > > > > > > >>>> (camera is a popular
one). My response so far is:
> > > "This
> > > > is
> > > > > > an
> > > > > > > > > > > >> unsupported
> > > > > > > > > > > >>>> configuration, because
Cordova was not designed
> for
> > > this
> > > > > and
> > > > > > > the
> > > > > > > > > > > >>> community
> > > > > > > > > > > >>>> does no testing of
this configuration. While it
> can
> > > work
> > > > > in
> > > > > > > some
> > > > > > > > > > > >>>> circumstances, it
is not recommended nor
> supported."
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> My definition
of "unsupported" is not that it is
> > > > > > incapable,
> > > > > > > > but
> > > > > > > > > > that
> > > > > > > > > > > >>> we
> > > > > > > > > > > >>>> don't claim that it
is supposed to work, and more
> > > > > > importantly,
> > > > > > > > we
> > > > > > > > > > > won't
> > > > > > > > > > > >>>> actively fix user-submitted
defects on this topic.
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> The main concern
I have on this is same origin
> > > policy,
> > > > > and
> > > > > > > > > > matching
> > > > > > > > > > > >>> the
> > > > > > > > > > > >>>> remotely-served cordova.js
with the
> > locally-installed
> > > > > native
> > > > > > > > > Cordova
> > > > > > > > > > > >>>> platform to avoid
version mismatch.
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> Do you think
I'm out in-the-weeds on this, or do
> > you
> > > > > > agree?
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> If you agree,
what would you think of a blurb in
> > > > > > > cordova-docs
> > > > > > > > > > > >>> somewhere
> > > > > > > > > > > >>>> that captures this
gist?
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> Thanks for
your feedback!
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> --
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> * www.pontoget.com.br
<http://www.pontoget.com/>
> > > > > > > > > > > >>
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > > > > Lead Developer - MobDev. | Wizcorp Inc.
<
> > > > http://www.wizcorp.jp/>
> > > > > > > > > > ------------------------------
> > > > > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81
(0)3-4550-1448 |
> > > > Website
> > > > > > > > > > <http://www.wizcorp.jp/> | Twitter
<
> > > > https://twitter.com/Wizcorp>
> > > > > |
> > > > > > > > > > Facebook
> > > > > > > > > > <http://www.facebook.com/Wizcorp>
| LinkedIn
> > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Carlos Santana
> > > > > > <csantana23@gmail.com>
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > ------------------------------
> > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp>
|
> > > > > Facebook
> > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > <http://www.linkedin.com/company/wizcorp>
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <csantana23@gmail.com>
> > >
> >
>
>
>
> --
> Carlos Santana
> <csantana23@gmail.com>
>



-- 
Timothy Kim

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message