cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Victor Sosa <sosah.vic...@gmail.com>
Subject Re: remotely loaded pages
Date Fri, 01 Aug 2014 17:34:56 GMT
Hello Marcel.

Interesting scenario here. I'm not an expert on this topic, but loading
remote web artifacts that have native access looks very insecure to me.
Whether it is possible? Yeah, maybe... But is it advisable and, more
important, recommended by the Cordova experts community? I'd like to say no
just for the sake of security.

Of course, I might be just talking crazy here and would like to know what
the community thinks about it.



2014-08-01 12:23 GMT-05:00 Marcel Kinard <cmarcelk@gmail.com>:

> I've been getting occasional questions about users trying to use
> remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
> InAppBrowser), and still expecting to have access to the plugin APIs
> (camera is a popular one). My response so far is: "This is an unsupported
> configuration, because Cordova was not designed for this and the community
> does no testing of this configuration. While it can work in some
> circumstances, it is not recommended nor supported."
>
> My definition of "unsupported" is not that it is incapable, but that we
> don't claim that it is supposed to work, and more importantly, we won't
> actively fix user-submitted defects on this topic.
>
> The main concern I have on this is same origin policy, and matching the
> remotely-served cordova.js with the locally-installed native Cordova
> platform to avoid version mismatch.
>
> Do you think I'm out in-the-weeds on this, or do you agree?
>
> If you agree, what would you think of a blurb in cordova-docs somewhere
> that captures this gist?
>
> Thanks for your feedback!




-- 
Victor Adrian Sosa Herrera
IBM Software Engineer
Guadalajara, Jalisco

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message