Date: Wed, 20 Aug 2014 15:38:37 +0900
Subject: Re: remotely loaded pages
From: Ally Ogilvie
To: "dev@cordova.apache.org"

Marcel,

Sorry for the late reply.

For some games that I produce where the entire game is served to the client (requires no .html in the application) we have a tool called "spellcaster". Spellcaster handles internet connectivity, localisation and Cordova code injection.

It works as follows:

One simply adds an application URL to Cordova's config.xml in

- Spellcaster will check for an active internet connection. If one is not found Spellcaster will continue retrying at a set interval.
- Spellcaster downloads the content of the provided application URL and stores to application cache (overriding any existing loader).
- Spellcaster injects Cordova script tags just after the tag.
- Spellcaster loads the new *loader into the WebView

*loader is your html to load.

Are people still in need of such a solution? I could have this code made public; it just needs a public sanitise check.

Spellcaster supports iOS and Android. For iOS it requires 1 line of code to be added to didFinishLaunchingWithOptions.
For Android it requires these overrides in onCreate:

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        super.init();
    }

    @Override
    public void init() {
        // Pass the start URL from config.xml and the WebView to Spellcaster.
        Spellcaster spellcaster = new Spellcaster();
        spellcaster.init(this, Config.getStartUrl(), appView);
        ...
    }

    @Override
    public void init(org.apache.cordova.CordovaWebView webView,
                     org.apache.cordova.CordovaWebViewClient webViewClient,
                     org.apache.cordova.CordovaChromeClient webChromeClient) {
        super.init(webView, webViewClient, webChromeClient);
        // Same hand-off for the overload that receives the WebView explicitly.
        Spellcaster spellcaster = new Spellcaster();
        spellcaster.init(this, Config.getStartUrl(), webView);
        ...
    }

On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage wrote:

> It is great design for development, and Netflix.
>
> Sent from my iPhone
>
> > On Aug 1, 2014, at 4:26 PM, Marc Weiner wrote:
> >
> > It's technically possible, and even (arguably) legal according to Apple's
> > documentation, depending on the nature of the code and how it's implemented:
> >
> > 3.3.2 An Application may not download or install executable code.
> > Interpreted code may only be used in an Application if all scripts, code
> > and interpreters are packaged in the Application and not downloaded. The
> > only exception to the foregoing is scripts and code downloaded and run by
> > Apple's built-in WebKit framework, provided that such scripts and code do
> > not change the primary purpose of the Application by providing features or
> > functionality that are inconsistent with the intended and advertised
> > purpose of the Application as submitted to the App Store.
> >
> > However, I would only do so if the code is coming from a server that you
> > control, and if you are able to control what code is getting executed.
> > Loading in 3rd party, unverified scripts into your Cordova view is a big
> > "no-no" for security reasons, and could get your app delisted (or rejected).
> >
> > If anyone else has more information on the topic, I'd be interested in
> > hearing it.
> >
> > Marc
> >
> >
> >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa wrote:
> >>
> >> Hi Frederico.
> >>
> >> While what you are saying about the policies stores is true, this applies
> >> to public stores only (as far as I can tell). For on-premise app stores
> >> this might be false because each store owner needs to set and apply the
> >> governance for the apps. It could end on horrible results due to a bad
> >> implementation.
> >>
> >> I concur with everyone, it is possible but awful design
> >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <frederico.galvao@pontoget.com.br>
> >> wrote:
> >>
> >>> I don't have the details in hand at the moment, but I remember seeing in
> >>> more than one application store last year policies being changed to
> >>> disallow remote code to run in an application on-demand. Such rules *could*
> >>> as well be applied to Cordova apps that load remote content considered as
> >>> code (HTML isn't, but JS is). It's not only a security concern per se, but
> >>> also an imposed limitation on the stores (which were obviously created for
> >>> security concerns in the first place).
> >>>
> >>> Not even mentioning the issues with providing the right cordova.js version
> >>> from the remote server not really knowing where the request came from.
> >>> However, it's good to note too that aside Phonegap Developer App, there is
> >>> also Adobe Hydration that does the exact same thing as a side service to
> >>> Phonegap Build. I don't know if they've come into any of the issues
> >>> mentioned, and I haven't even heard of it being used in production.
> >>>
> >>>
> >>> 2014-08-01 17:36 GMT-03:00 purplecabbage :
> >>>
> >>>> I agree with all your statements Marcel. I use this approach frequently in
> >>>> dev for fast turnaround.
> >>>> Ultimately App Store policies decide what can and cannot be done.
> >>>>
> >>>> Regarding security, there is nothing I can do with a remote page that I
> >>>> can't already do inside my app. It's an issue of trust.
> >>>>
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On Aug 1, 2014, at 10:35 AM, Shazron wrote:
> >>>>>
> >>>>> I agree that it is not recommended, but it's possible. I delved into
> >>>>> this question here:
> >>>>> https://github.com/shazron/phonegap-questions/issues/37
> >>>>>
> >>>>> The PhoneGap Developer App is an example of how this is working at
> >>>>> http://app.phonegap.com but they do some proxying to get around the
> >>>>> CORS limitations I believe.
> >>>>>
> >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard wrote:
> >>>>>> I've been getting occasional questions about users trying to use
> >>>>>> remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
> >>>>>> InAppBrowser), and still expecting to have access to the plugin APIs
> >>>>>> (camera is a popular one). My response so far is: "This is an unsupported
> >>>>>> configuration, because Cordova was not designed for this and the community
> >>>>>> does no testing of this configuration. While it can work in some
> >>>>>> circumstances, it is not recommended nor supported."
> >>>>>>
> >>>>>> My definition of "unsupported" is not that it is incapable, but that we
> >>>>>> don't claim that it is supposed to work, and more importantly, we won't
> >>>>>> actively fix user-submitted defects on this topic.
> >>>>>>
> >>>>>> The main concern I have on this is same origin policy, and matching the
> >>>>>> remotely-served cordova.js with the locally-installed native Cordova
> >>>>>> platform to avoid version mismatch.
> >>>>>>
> >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> >>>>>>
> >>>>>> If you agree, what would you think of a blurb in cordova-docs somewhere
> >>>>>> that captures this gist?
> >>>>>>
> >>>>>> Thanks for your feedback!
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> *Frederico Galvão*
> >>>
> >>> Diretor de Tecnologia
> >>>
> >>> PontoGet Inovação Web
> >>>
> >>>
> >>> +55(62) 8131-5720
> >>>
> >>> www.pontoget.com.br
> >>
>

-- 
Ally Ogilvie
Lead Developer - MobDev. | Wizcorp Inc.
------------------------------
TECH . GAMING . OPEN-SOURCE WIZARDS
+ 81 (0)3-4550-1448
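
An added example, not Spellcaster's code and not posted by anyone in this thread: two checks, in plain Java, that a remote loader could apply before handing downloaded HTML to the WebView, following Marc's advice to load only from a server you control and Marcel's concern about cordova.js version mismatch. The class name, the allowlisted host, the relative cordova.js path and the choice of <head> as the injection point are all assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;
import java.util.regex.*;

// Added illustration, not Spellcaster's code; every name below is hypothetical.
public class RemoteLoaderGuard {
    // Assumption: hosts the app owner controls.
    static final List<String> ALLOWED_HOSTS = Arrays.asList("game.example.com");
    // Assumption: cordova.js ships inside the app, next to the cached loader.
    static final String LOCAL_CORDOVA_TAG = "<script src=\"cordova.js\"></script>";
    static final Pattern HEAD_OPEN = Pattern.compile("(?i)<head(\\s[^>]*)?>");
    static final Pattern ANY_CORDOVA_JS = Pattern.compile(
            "(?i)<script[^>]+src=[\"'][^\"']*cordova\\.js[\"'][^>]*>\\s*</script>");

    // Accept only https URLs, without userinfo, whose host is on the allowlist.
    static boolean isTrustedStartUrl(String url) {
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme())
                    && u.getUserInfo() == null && u.getHost() != null
                    && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Drop any cordova.js the server referenced, then add the packaged copy
    // right after <head> so the JS side always matches the native platform.
    static String injectLocalCordova(String html) {
        String cleaned = ANY_CORDOVA_JS.matcher(html).replaceAll("");
        Matcher head = HEAD_OPEN.matcher(cleaned);
        if (!head.find()) {
            throw new IllegalArgumentException("no <head> tag; refusing to load");
        }
        return cleaned.substring(0, head.end()) + LOCAL_CORDOVA_TAG
                + cleaned.substring(head.end());
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] urls = {"https://game.example.com/loader.html",
                "http://game.example.com/loader.html",
                "https://game.example.com.cdn.example.net/loader.html"};
        for (String u : urls) System.out.println(isTrustedStartUrl(u) + "  " + u);
        System.out.println(injectLocalCordova("<html><head><script "
                + "src=\"https://game.example.com/cordova.js\"></script></head></html>"));
    }
}
```

An origin allowlist only establishes where the page came from; every script that page pulls in afterwards still runs with the same access to the plugin APIs.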