cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carlos Santana <csantan...@gmail.com>
Subject Re: remotely loaded pages
Date Thu, 21 Aug 2014 18:20:07 GMT
Sorry Brian, I thought it was a development time tool to allow for fast
development cycle associated with PhoneGap Developer App.

I guess they can use it and run the connect-phonegap in a production
node-js backend system, I wonder how it solves the problems of serving the
correct version of cordova.js and cordova_plugin.js depending on the
version of the native code that is installed on the different versions of
the mobile App in production.




On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b@brian.io> wrote:

> totally, though connect-phonegap *could* be considered production worthy
> (it is being used significantly by the pg downstream community)
>
>
> On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana <csantana23@gmail.com>
> wrote:
>
> > Brain I think that's OK at development time everything is fair game :-)
> >
> > The problem is developers doing stupid things like loading a cordova.js
> > from a place they don't know for a in production app being used by end
> > users, that's just kamikaze
> >
> > That's OK if they want to shoot themselves in the foot, but then don't
> come
> > crying to JIRA claiming that is a problem with Cordova project.
> >
> >
> > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b@brian.io> wrote:
> >
> > > phonegap-connect serves up remote cordova.js (negotiates the requestor
> to
> > > send the right file)
> > >
> > > no deaths yet!
> > >
> > >
> > >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
> > >
> > >
> > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <aogilvie@wizcorp.jp>
> > wrote:
> > >
> > > > That's a good difference to point out.
> > > >
> > > > >My personal position is that scenarios where developer is in control
> > and
> > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > > >scenario for Cordova
> > > >
> > > > I agree, because as cordova.js and cordovaLib are version linked, it
> > > makes
> > > > sense that once an index.html is pulled in, it's cordova.js to load
> is
> > > > already in the client application.
> > > > Loading an external cordova.js would be suicidal. So we save the file
> > > > locally to write into it's <HEAD> our known path to codova.js
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> csantana23@gmail.com>
> > > > wrote:
> > > >
> > > > > I want to make clarification there is a notable difference between
> > > > loading
> > > > > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a
> > > downloaded
> > > > > webapp to be loaded from a *local* HTML.
> > > > >
> > > > > IBM Worklight has a feature "Direct update"
> > > > >
> > > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > > > >
> > > > > The scenario is a download and local load of html/cordova. Similar
> > > > scenario
> > > > > as spellcaster and appmobi
> > > > > For this scenario there is control from app developer of the code
> > being
> > > > > loaded.
> > > > >
> > > > > What Marcel is asking is a *non-local* load of arbitrary html/code
> > not
> > > > > control by developer, developer loading a free html page own
> someone
> > > else
> > > > > and doing kind of a "document.location.replace('
> > > > > http://somerandom.com/thisotherguy.html')"
> > > > >
> > > > > My personal position is that scenarios where developer is in
> control
> > > and
> > > > > loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > > > scenario for Cordova. loading a random cordova.js directly from a
> > > > non-local
> > > > > random place not guarantee to be supported.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b@brian.io>
wrote:
> > > > >
> > > > > > Very much so. So much so, I think we should even consider such
> > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > agrieve@chromium.org
> > > >
> > > > > > wrote:
> > > > > >
> > > > > > > I think this is a very desired plugin that many end up
> > re-writing,
> > > > and
> > > > > > it's
> > > > > > > far better than setting the content src directly to a remote
> URL.
> > > > > > >
> > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > mmocny@chromium.org
> > > >
> > > > > > wrote:
> > > > > > >
> > > > > > > > Make it available Ally, of course that sounds interesting!
> > > > > > > >
> > > > > > > > I'm sure a few of us have suggestions for improvements
too.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > aogilvie@wizcorp.jp
> > > > >
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > >
> > > > > > > > > For some games that I produce where the entire
game is
> served
> > > to
> > > > > the
> > > > > > > > client
> > > > > > > > > (requires no .html in the application) we have
a tool
> called
> > > > > > > > "spellcaster".
> > > > > > > > > Spellcaster handles internet connectivity, localisation
and
> > > > Cordova
> > > > > > > code
> > > > > > > > > injection. It works as follows:
> > > > > > > > >
> > > > > > > > > One simply adds an application URL to Cordova's
config.xml
> in
> > > > > > <content
> > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > >
> > > > > > > > > - Spellcaster will check for an active internet
connection.
> > If
> > > > one
> > > > > is
> > > > > > > not
> > > > > > > > > found Spellcaster will continue retrying at a
set interval.
> > > > > > > > > - Spellcaster downloads the content of the provided
> > application
> > > > URL
> > > > > > and
> > > > > > > > > stores to application cache (overriding any existing
> loader).
> > > > > > > > > - Spellcaster injects Cordova script tags just
after the
> > <head>
> > > > > tag.
> > > > > > > > > - Spellcaster loads the new *loader into the
WebView
> > > > > > > > >
> > > > > > > > > *loader is your html to load.
> > > > > > > > >
> > > > > > > > > Are people still in need of such a solution?
I could have
> > this
> > > > code
> > > > > > > made
> > > > > > > > > public it just needs a public sanitise check.
Spellcaster
> > > > supports
> > > > > > iOS
> > > > > > > > and
> > > > > > > > > Android.
> > > > > > > > > For iOS it requires 1 line of code to be added
to
> > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > >
> > > > > > > > > @Override
> > > > > > > > > public void onCreate(Bundle savedInstanceState)
{
> > > > > > > > >     super.onCreate(savedInstanceState);
> > > > > > > > >     super.init();
> > > > > > > > >
> > > > > > > > > @Override
> > > > > > > > > public void init() {
> > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
appView);
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > > @Override
> > > > > > > > > public void init(org.apache.cordova.CordovaWebView
webView,
> > > > > > > > >              org.apache.cordova.CordovaWebViewClient
> > > > webViewClient,
> > > > > > > > >              org.apache.cordova.CordovaChromeClient
> > > > > webChromeClient)
> > > > > > {
> > > > > > > > >     super.init(webView, webViewClient, webChromeClient);
> > > > > > > > >
> > > > > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > > > > >     spellcaster.init(this, Config.getStartUrl(),
webView);
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage
<
> > > > > > purplecabbage@gmail.com
> > > > > > > >
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > It is great design for development, and
netflix.
> > > > > > > > > >
> > > > > > > > > > Sent from my iPhone
> > > > > > > > > >
> > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner
<
> > > > mhweiner234@gmail.com
> > > > > >
> > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > It's technically possible, and even
(arguably) legal
> > > > according
> > > > > to
> > > > > > > > > Apple's
> > > > > > > > > > > documentation, depending on the nature
of the code and
> > how
> > > > it's
> > > > > > > > > > implemented:
> > > > > > > > > > >
> > > > > > > > > > > 3.3.2 An Application may not download
or install
> > executable
> > > > > code.
> > > > > > > > > > > Interpreted code may only be used in
an Application if
> > all
> > > > > > scripts,
> > > > > > > > > code
> > > > > > > > > > > and interpreters are packaged in the
Application and
> not
> > > > > > > downloaded.
> > > > > > > > > The
> > > > > > > > > > > only exception to the foregoing is
scripts and code
> > > > downloaded
> > > > > > and
> > > > > > > > run
> > > > > > > > > by
> > > > > > > > > > > Apple's built-in WebKit framework,
provided that such
> > > scripts
> > > > > and
> > > > > > > > code
> > > > > > > > > do
> > > > > > > > > > > not change the primary purpose of the
Application by
> > > > providing
> > > > > > > > features
> > > > > > > > > > or
> > > > > > > > > > > functionality that are inconsistent
with the intended
> and
> > > > > > > advertised
> > > > > > > > > > > purpose of the Application as submitted
to the App
> Store.
> > > > > > > > > > >
> > > > > > > > > > > However, I would only do so if the
code is coming from
> a
> > > > server
> > > > > > > that
> > > > > > > > > you
> > > > > > > > > > > control, and if you are able to control
what code is
> > > getting
> > > > > > > > executed.
> > > > > > > > > > > Loading in 3rd party, unverified scripts
into your
> > Cordova
> > > > view
> > > > > > is
> > > > > > > a
> > > > > > > > > big
> > > > > > > > > > > "no-no" for security reasons, and could
get your app
> > > delisted
> > > > > (or
> > > > > > > > > > rejected).
> > > > > > > > > > >
> > > > > > > > > > > If anyone else has more information
on the topic, I'd
> be
> > > > > > interested
> > > > > > > > in
> > > > > > > > > > > hearing it.
> > > > > > > > > > >
> > > > > > > > > > > Marc
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM,
Victor Sosa <
> > > > > > > sosah.victor@gmail.com
> > > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > >>
> > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > >>
> > > > > > > > > > >> While what you are saying about
the policies stores is
> > > true,
> > > > > > this
> > > > > > > > > > applies
> > > > > > > > > > >> to public stores only (as far as
I can tell). For
> > > on-premise
> > > > > app
> > > > > > > > > stores
> > > > > > > > > > >> this might be false because each
store owner need to
> set
> > > and
> > > > > > apply
> > > > > > > > the
> > > > > > > > > > >> governance for the apps. It could
end on horrible
> > results
> > > > due
> > > > > > to a
> > > > > > > > bad
> > > > > > > > > > >> implementation.
> > > > > > > > > > >>
> > > > > > > > > > >> I concur with everyone, it is possible
but awful
> design
> > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico
Galvão" <
> > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > >> wrote:
> > > > > > > > > > >>
> > > > > > > > > > >>> I don't have the details in
hand at the moment, but I
> > > > > remember
> > > > > > > > seeing
> > > > > > > > > > in
> > > > > > > > > > >>> more than one application store
last year policies
> > being
> > > > > > changed
> > > > > > > to
> > > > > > > > > > >>> disallow remote code to run
in an application
> > on-demand.
> > > > Such
> > > > > > > rules
> > > > > > > > > > >> *could*
> > > > > > > > > > >>> as well be applied to Cordova
apps that load remote
> > > content
> > > > > > > > > considered
> > > > > > > > > > as
> > > > > > > > > > >>> code (HTML isn't, but JS is).
It's not only a
> security
> > > > > concern
> > > > > > > per
> > > > > > > > > se,
> > > > > > > > > > >> but
> > > > > > > > > > >>> also an imposed limitation
on the stores (which were
> > > > > obviously
> > > > > > > > > created
> > > > > > > > > > >> for
> > > > > > > > > > >>> security concerns in the first
place).
> > > > > > > > > > >>>
> > > > > > > > > > >>> Not even mentioning the issues
with providing the
> right
> > > > > > > cordova.js
> > > > > > > > > > >> version
> > > > > > > > > > >>> from the remote server not
really knowing where the
> > > request
> > > > > > came
> > > > > > > > > from.
> > > > > > > > > > >>> However, it's good to note
too that aside Phonegap
> > > > Developer
> > > > > > App,
> > > > > > > > > there
> > > > > > > > > > >> is
> > > > > > > > > > >>> also Adobe Hydration that does
the exact same thing
> as
> > a
> > > > side
> > > > > > > > service
> > > > > > > > > > to
> > > > > > > > > > >>> Phonegap Build. I don't know
if they've come into any
> > of
> > > > the
> > > > > > > issues
> > > > > > > > > > >>> mentioned, and I haven't even
heard of it being used
> in
> > > > > > > production.
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00
purplecabbage <
> > > > > > > purplecabbage@gmail.com
> > > > > > > > >:
> > > > > > > > > > >>>
> > > > > > > > > > >>>> I agree with all your statements
Marcel. I use this
> > > > approach
> > > > > > > > > > frequently
> > > > > > > > > > >>> in
> > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > >>>> Ultimately App Store policies
decide what can and
> > cannot
> > > > be
> > > > > > > done.
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> Regarding security, there
is nothing I can do with a
> > > > remote
> > > > > > page
> > > > > > > > > that
> > > > > > > > > > I
> > > > > > > > > > >>>> can't already do inside
my app. It's an issue of
> > trust.
> > > > > > > > > > >>>>
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > >>>>
> > > > > > > > > > >>>>> On Aug 1, 2014, at
10:35 AM, Shazron <
> > > shazron@gmail.com>
> > > > > > > wrote:
> > > > > > > > > > >>>>>
> > > > > > > > > > >>>>> I agree that it is
not recommended, but it's
> > possible.
> > > I
> > > > > > delved
> > > > > > > > > into
> > > > > > > > > > >>>>> this question here:
> > > > > > > > > > >>>>>
> > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > >>>>>
> > > > > > > > > > >>>>> The PhoneGap Developer
App is an example of how
> this
> > is
> > > > > > working
> > > > > > > > at
> > > > > > > > > > >>>>> http://app.phonegap.com
but they do some proxying
> to
> > > get
> > > > > > > around
> > > > > > > > > the
> > > > > > > > > > >>>>> CORS limitations I
believe.
> > > > > > > > > > >>>>>
> > > > > > > > > > >>>>>> On Fri, Aug 1,
2014 at 10:23 AM, Marcel Kinard <
> > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > >>>> wrote:
> > > > > > > > > > >>>>>> I've been getting
occasional questions about users
> > > > trying
> > > > > to
> > > > > > > use
> > > > > > > > > > >>>> remotely-loaded (non-local)
HTML pages with Cordova
> > (in
> > > > the
> > > > > > > > webview,
> > > > > > > > > > >> not
> > > > > > > > > > >>>> InAppBrowser), and still
expecting to have access to
> > the
> > > > > > plugin
> > > > > > > > APIs
> > > > > > > > > > >>>> (camera is a popular one).
My response so far is:
> > "This
> > > is
> > > > > an
> > > > > > > > > > >> unsupported
> > > > > > > > > > >>>> configuration, because
Cordova was not designed for
> > this
> > > > and
> > > > > > the
> > > > > > > > > > >>> community
> > > > > > > > > > >>>> does no testing of this
configuration. While it can
> > work
> > > > in
> > > > > > some
> > > > > > > > > > >>>> circumstances, it is not
recommended nor supported."
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> My definition of
"unsupported" is not that it is
> > > > > incapable,
> > > > > > > but
> > > > > > > > > that
> > > > > > > > > > >>> we
> > > > > > > > > > >>>> don't claim that it is
supposed to work, and more
> > > > > importantly,
> > > > > > > we
> > > > > > > > > > won't
> > > > > > > > > > >>>> actively fix user-submitted
defects on this topic.
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> The main concern
I have on this is same origin
> > policy,
> > > > and
> > > > > > > > > matching
> > > > > > > > > > >>> the
> > > > > > > > > > >>>> remotely-served cordova.js
with the
> locally-installed
> > > > native
> > > > > > > > Cordova
> > > > > > > > > > >>>> platform to avoid version
mismatch.
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> Do you think I'm
out in-the-weeds on this, or do
> you
> > > > > agree?
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> If you agree, what
would you think of a blurb in
> > > > > > cordova-docs
> > > > > > > > > > >>> somewhere
> > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> Thanks for your
feedback!
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> --
> > > > > > > > > > >>>
> > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > >>>
> > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > >>>
> > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > >>>
> > > > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > > > >>
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <
> > > http://www.wizcorp.jp/>
> > > > > > > > > ------------------------------
> > > > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
|
> > > Website
> > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > https://twitter.com/Wizcorp>
> > > > |
> > > > > > > > > Facebook
> > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Carlos Santana
> > > > > <csantana23@gmail.com>
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > ------------------------------
> > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp>
|
> > > > Facebook
> > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > <http://www.linkedin.com/company/wizcorp>
> > > >
> > >
> >
> >
> >
> > --
> > Carlos Santana
> > <csantana23@gmail.com>
> >
>



-- 
Carlos Santana
<csantana23@gmail.com>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message