cordova-dev mailing list archives

From Frederico Galvão <>
Subject Re: remotely loaded pages
Date Fri, 01 Aug 2014 21:34:25 GMT
I don't have the details in hand at the moment, but I remember seeing in
more than one application store last year policies being changed to
disallow remote code to run in an application on-demand. Such rules *could*
as well be applied to Cordova apps that load remote content considered as
code (HTML isn't, but JS is). It's not only a security concern per se, but
also an imposed limitation on the stores (which were obviously created for
security concerns in the first place).

Not even mentioning the issues with providing the right cordova.js version
from the remote server not really knowing where the request came from.
However, it's good to note too that aside from the PhoneGap Developer App, there is
also Adobe Hydration that does the exact same thing as a side service to
PhoneGap Build. I don't know if they've come into any of the issues
mentioned, and I haven't even heard of it being used in production.

2014-08-01 17:36 GMT-03:00 purplecabbage <>:

> I agree with all your statements Marcel. I use this approach frequently in
> dev for fast turnaround.
> Ultimately App Store policies decide what can and cannot be done.
> Regarding security, there is nothing I can do with a remote page that I
> can't already do inside my app. It's an issue of trust.
> Sent from my iPhone
> > On Aug 1, 2014, at 10:35 AM, Shazron <> wrote:
> >
> > I agree that it is not recommended, but it's possible. I delved into
> > this question here:
> >
> >
> > The PhoneGap Developer App is an example of how this is working at
> > but they do some proxying to get around the
> > CORS limitations I believe.
> >
> >> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <> wrote:
> >> I've been getting occasional questions about users trying to use
> >> remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
> >> InAppBrowser), and still expecting to have access to the plugin APIs
> >> (camera is a popular one). My response so far is: "This is an unsupported
> >> configuration, because Cordova was not designed for this and the community
> >> does no testing of this configuration. While it can work in some
> >> circumstances, it is not recommended nor supported."
> >>
> >> My definition of "unsupported" is not that it is incapable, but that we
> >> don't claim that it is supposed to work, and more importantly, we won't
> >> actively fix user-submitted defects on this topic.
> >>
> >> The main concern I have on this is same origin policy, and matching the
> >> remotely-served cordova.js with the locally-installed native Cordova
> >> platform to avoid version mismatch.
> >>
> >> Do you think I'm out in-the-weeds on this, or do you agree?
> >>
> >> If you agree, what would you think of a blurb in cordova-docs somewhere
> >> that captures this gist?
> >>
> >> Thanks for your feedback!


*Frederico Galvão*

Director of Technology

PontoGet Inovação Web

+55(62) 8131-5720
