cordova-dev mailing list archives

From Carlos Santana <csantan...@gmail.com>
Subject Re: remotely loaded pages
Date Thu, 21 Aug 2014 17:53:20 GMT
Brian, I think that's OK, at development time everything is fair game :-)

The problem is developers doing stupid things like loading a cordova.js
from a place they don't know for an in-production app being used by end
users, that's just kamikaze.

That's OK if they want to shoot themselves in the foot, but then don't come
crying to JIRA claiming that it is a problem with the Cordova project.


On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b@brian.io> wrote:

> phonegap-connect serves up remote cordova.js (negotiates the requestor to
> send the right file)
>
> no deaths yet!
>
>
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
>
>
> On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <aogilvie@wizcorp.jp> wrote:
>
> > That's a good difference to point out.
> >
> > >My personal position is that scenarios where developer is in control and
> > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > >scenario for Cordova
> >
> > I agree, because as cordova.js and cordovaLib are version linked, it makes
> > sense that once an index.html is pulled in, its cordova.js to load is
> > already in the client application.
> > Loading an external cordova.js would be suicidal. So we save the file
> > locally to write into its <HEAD> our known path to cordova.js
> >
> > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <csantana23@gmail.com>
> > wrote:
> >
> > > I want to make a clarification: there is a notable difference between
> > > loading remotely-loaded *(non-local)* HTML pages with Cordova vs. a
> > > downloaded webapp to be loaded from a *local* HTML.
> > >
> > > IBM Worklight has a feature "Direct update"
> > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > >
> > > The scenario is a download and local load of html/cordova. Similar
> > > scenario as spellcaster and appmobi.
> > > For this scenario there is control from the app developer of the code
> > > being loaded.
> > >
> > > What Marcel is asking about is a *non-local* load of arbitrary html/code
> > > not controlled by the developer: the developer loading a free html page
> > > owned by someone else and doing kind of a "document.location.replace('
> > > http://somerandom.com/thisotherguy.html')"
> > >
> > > My personal position is that scenarios where the developer is in control
> > > and loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > scenario for Cordova. Loading a random cordova.js directly from a
> > > non-local random place is not guaranteed to be supported.
> > >
> > >
> > >
> > >
> > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b@brian.io> wrote:
> > >
> > > > Very much so. So much so, I think we should even consider such
> > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <agrieve@chromium.org> wrote:
> > > >
> > > > > I think this is a very desired plugin that many end up re-writing, and
> > > > > it's far better than setting the content src directly to a remote URL.
> > > > >
> > > > > E.g. just stumbled across this yesterday:
> > > > > http://docs.appmobi.com/index.php/live-update/
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mmocny@chromium.org> wrote:
> > > > >
> > > > > > Make it available Ally, of course that sounds interesting!
> > > > > >
> > > > > > I'm sure a few of us have suggestions for improvements too.
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <aogilvie@wizcorp.jp> wrote:
> > > > > >
> > > > > > > Marcel, sorry for the late reply.
> > > > > > >
> > > > > > > For some games that I produce where the entire game is served to the
> > > > > > > client (requires no .html in the application) we have a tool called
> > > > > > > "spellcaster". Spellcaster handles internet connectivity, localisation
> > > > > > > and Cordova code injection. It works as follows:
> > > > > > >
> > > > > > > One simply adds an application URL to Cordova's config.xml in
> > > > > > > <content src=YOUR_URL_HERE>
> > > > > > >
> > > > > > > - Spellcaster will check for an active internet connection. If one is
> > > > > > > not found Spellcaster will continue retrying at a set interval.
> > > > > > > - Spellcaster downloads the content of the provided application URL
> > > > > > > and stores it to the application cache (overriding any existing loader).
> > > > > > > - Spellcaster injects Cordova script tags just after the <head> tag.
> > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > >
> > > > > > > *loader is your html to load.
> > > > > > >
> > > > > > > Are people still in need of such a solution? I could have this code
> > > > > > > made public, it just needs a public sanitise check. Spellcaster
> > > > > > > supports iOS and Android.
> > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > didFinishLaunchingWithOptions.
> > > > > > > For Android it requires these overrides in onCreate:
> > > > > > >
> > > > > > > // Let the Cordova activity build its WebView before Spellcaster runs.
> > > > > > > @Override
> > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > >     super.onCreate(savedInstanceState);
> > > > > > >     super.init();
> > > > > > > }
> > > > > > >
> > > > > > > // Hand the configured start URL and the WebView to Spellcaster.
> > > > > > > @Override
> > > > > > > public void init() {
> > > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > > >     spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > >     ...
> > > > > > >
> > > > > > > // Same hook for the three-argument init() used by the Cordova activity.
> > > > > > > @Override
> > > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > > >                  org.apache.cordova.CordovaWebViewClient webViewClient,
> > > > > > >                  org.apache.cordova.CordovaChromeClient webChromeClient) {
> > > > > > >     super.init(webView, webViewClient, webChromeClient);
> > > > > > >
> > > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > > >     spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > >     ...
> > > > > > >
> > > > > > >
> > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <purplecabbage@gmail.com> wrote:
> > > > > > >
> > > > > > > > It is great design for development, and netflix.
> > > > > > > >
> > > > > > > > Sent from my iPhone
> > > > > > > >
> > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mhweiner234@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > It's technically possible, and even (arguably) legal according to
> > > > > > > > > Apple's documentation, depending on the nature of the code and how
> > > > > > > > > it's implemented:
> > > > > > > > >
> > > > > > > > > 3.3.2 An Application may not download or install executable code.
> > > > > > > > > Interpreted code may only be used in an Application if all scripts,
> > > > > > > > > code and interpreters are packaged in the Application and not
> > > > > > > > > downloaded. The only exception to the foregoing is scripts and code
> > > > > > > > > downloaded and run by Apple's built-in WebKit framework, provided
> > > > > > > > > that such scripts and code do not change the primary purpose of the
> > > > > > > > > Application by providing features or functionality that are
> > > > > > > > > inconsistent with the intended and advertised purpose of the
> > > > > > > > > Application as submitted to the App Store.
> > > > > > > > >
> > > > > > > > > However, I would only do so if the code is coming from a server that
> > > > > > > > > you control, and if you are able to control what code is getting
> > > > > > > > > executed. Loading 3rd party, unverified scripts into your Cordova
> > > > > > > > > view is a big "no-no" for security reasons, and could get your app
> > > > > > > > > delisted (or rejected).
> > > > > > > > >
> > > > > > > > > If anyone else has more information on the topic, I'd be interested
> > > > > > > > > in hearing it.
> > > > > > > > >
> > > > > > > > > Marc
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <sosah.victor@gmail.com> wrote:
> > > > > > > > >>
> > > > > > > > >> Hi Frederico.
> > > > > > > > >>
> > > > > > > > >> While what you are saying about the store policies is true, this
> > > > > > > > >> applies to public stores only (as far as I can tell). For on-premise
> > > > > > > > >> app stores this might be false because each store owner needs to set
> > > > > > > > >> and apply the governance for the apps. It could end in horrible
> > > > > > > > >> results due to a bad implementation.
> > > > > > > > >>
> > > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <frederico.galvao@pontoget.com.br> wrote:
> > > > > > > > >>
> > > > > > > > >>> I don't have the details in hand at the moment, but I remember
> > > > > > > > >>> seeing in more than one application store last year policies being
> > > > > > > > >>> changed to disallow remote code to run in an application on-demand.
> > > > > > > > >>> Such rules *could* as well be applied to Cordova apps that load
> > > > > > > > >>> remote content considered as code (HTML isn't, but JS is). It's not
> > > > > > > > >>> only a security concern per se, but also an imposed limitation on
> > > > > > > > >>> the stores (which were obviously created for security concerns in
> > > > > > > > >>> the first place).
> > > > > > > > >>>
> > > > > > > > >>> Not even mentioning the issues with providing the right cordova.js
> > > > > > > > >>> version from the remote server not really knowing where the request
> > > > > > > > >>> came from.
> > > > > > > > >>> However, it's good to note too that aside from the Phonegap
> > > > > > > > >>> Developer App, there is also Adobe Hydration that does the exact
> > > > > > > > >>> same thing as a side service to Phonegap Build. I don't know if
> > > > > > > > >>> they've come into any of the issues mentioned, and I haven't even
> > > > > > > > >>> heard of it being used in production.
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <purplecabbage@gmail.com>:
> > > > > > > > >>>
> > > > > > > > >>>> I agree with all your statements Marcel. I use this approach
> > > > > > > > >>>> frequently in dev for fast turnaround.
> > > > > > > > >>>> Ultimately App Store policies decide what can and cannot be done.
> > > > > > > > >>>>
> > > > > > > > >>>> Regarding security, there is nothing I can do with a remote page
> > > > > > > > >>>> that I can't already do inside my app. It's an issue of trust.
> > > > > > > > >>>>
> > > > > > > > >>>>
> > > > > > > > >>>> Sent from my iPhone
> > > > > > > > >>>>
> > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <shazron@gmail.com> wrote:
> > > > > > > > >>>>>
> > > > > > > > >>>>> I agree that it is not recommended, but it's possible. I delved
> > > > > > > > >>>>> into this question here:
> > > > > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > >>>>>
> > > > > > > > >>>>> The PhoneGap Developer App is an example of how this is working
> > > > > > > > >>>>> at http://app.phonegap.com but they do some proxying to get
> > > > > > > > >>>>> around the CORS limitations I believe.
> > > > > > > > >>>>>
> > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cmarcelk@gmail.com> wrote:
> > > > > > > > >>>>>> I've been getting occasional questions about users trying to
> > > > > > > > >>>>>> use remotely-loaded (non-local) HTML pages with Cordova (in the
> > > > > > > > >>>>>> webview, not InAppBrowser), and still expecting to have access
> > > > > > > > >>>>>> to the plugin APIs (camera is a popular one). My response so far
> > > > > > > > >>>>>> is: "This is an unsupported configuration, because Cordova was
> > > > > > > > >>>>>> not designed for this and the community does no testing of this
> > > > > > > > >>>>>> configuration. While it can work in some circumstances, it is
> > > > > > > > >>>>>> not recommended nor supported."
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> My definition of "unsupported" is not that it is incapable, but
> > > > > > > > >>>>>> that we don't claim that it is supposed to work, and more
> > > > > > > > >>>>>> importantly, we won't actively fix user-submitted defects on
> > > > > > > > >>>>>> this topic.
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> The main concern I have on this is same origin policy, and
> > > > > > > > >>>>>> matching the remotely-served cordova.js with the
> > > > > > > > >>>>>> locally-installed native Cordova platform to avoid version
> > > > > > > > >>>>>> mismatch.
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> If you agree, what would you think of a blurb in cordova-docs
> > > > > > > > >>>>>> somewhere that captures this gist?
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> --
> > > > > > > > >>>
> > > > > > > > >>> *Frederico Galvão*
> > > > > > > > >>>
> > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > >>>
> > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > >>>
> > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > >>
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > ------------------------------
> > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > > > > > Facebook
> > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <csantana23@gmail.com>
> > >
> >
> >
> >
> >
>



-- 
Carlos Santana
<csantana23@gmail.com>
