Subject: Re: remotely loaded pages
From: Brian LeRoux
To: "dev@cordova.apache.org"
Date: Thu, 21 Aug 2014 10:30:50 -0700

phonegap-connect serves up remote cordova.js (negotiates the requestor to
send the right file)

no deaths yet!

https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29

On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie wrote:

> That's a good difference to point out.
>
> >My personal position is that scenarios where developer is in control and
> >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> >scenario for Cordova
>
> I agree, because as cordova.js and cordovaLib are version linked, it makes
> sense that once an index.html is pulled in, its cordova.js to load is
> already in the client application.
> Loading an external cordova.js would be suicidal. So we save the file
> locally to write into it's our known path to cordova.js
>
> On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana
> wrote:
>
> > I want to make a clarification: there is a notable difference between
> > loading remotely-loaded *(non-local)* HTML pages with Cordova vs. a
> > downloaded webapp to be loaded from a *local* HTML.
> >
> > IBM Worklight has a feature "Direct update"
> >
> > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> >
> > The scenario is a download and local load of html/cordova. Similar
> > scenario as spellcaster and appmobi
> > For this scenario there is control from app developer of the code being
> > loaded.
> >
> > What Marcel is asking is a *non-local* load of arbitrary html/code not
> > controlled by developer, developer loading a free html page owned by
> > someone else and doing kind of a
> > "document.location.replace('http://somerandom.com/thisotherguy.html')"
> >
> > My personal position is that scenarios where developer is in control and
> > loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > scenario for Cordova. Loading a random cordova.js directly from a
> > non-local random place is not guaranteed to be supported.
> >
> > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux wrote:
> >
> > > Very much so. So much so, I think we should even consider such
> > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > >
> > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve
> > > wrote:
> > >
> > > > I think this is a very desired plugin that many end up re-writing,
> > > > and it's far better than setting the content src directly to a
> > > > remote URL.
> > > >
> > > > E.g. just stumbled across this yesterday:
> > > > http://docs.appmobi.com/index.php/live-update/
> > > >
> > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny
> > > > wrote:
> > > >
> > > > > Make it available Ally, of course that sounds interesting!
> > > > >
> > > > > I'm sure a few of us have suggestions for improvements too.
> > > > >
> > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie
> > > > > wrote:
> > > > >
> > > > > > Marcel, Sorry for the late reply.
> > > > > >
> > > > > > For some games that I produce where the entire game is served to
> > > > > > the client (requires no .html in the application) we have a tool
> > > > > > called "spellcaster".
> > > > > > Spellcaster handles internet connectivity, localisation and
> > > > > > Cordova code injection. It works as follows:
> > > > > >
> > > > > > One simply adds an application URL to Cordova's config.xml in
> > > > > > src=YOUR_URL_HERE>
> > > > > >
> > > > > > - Spellcaster will check for an active internet connection. If
> > > > > >   one is not found Spellcaster will continue retrying at a set
> > > > > >   interval.
> > > > > > - Spellcaster downloads the content of the provided application
> > > > > >   URL and stores to application cache (overriding any existing
> > > > > >   loader).
> > > > > > - Spellcaster injects Cordova script tags just after the tag.
> > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > >
> > > > > > *loader is your html to load.
> > > > > >
> > > > > > Are people still in need of such a solution? I could have this
> > > > > > code made public it just needs a public sanitise check.
> > > > > > Spellcaster supports iOS and Android.
> > > > > > For iOS it requires 1 line of code to be added to
> > > > > > didFinishLaunchingWithOptions.
> > > > > > For Android it requires these overrides in onCreate:
> > > > > >
> > > > > > @Override
> > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > >     super.onCreate(savedInstanceState);
> > > > > >     super.init();
> > > > > >
> > > > > > @Override
> > > > > > public void init() {
> > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > >     spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > >     ...
> > > > > >
> > > > > > @Override
> > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > >         org.apache.cordova.CordovaWebViewClient webViewClient,
> > > > > >         org.apache.cordova.CordovaChromeClient webChromeClient) {
> > > > > >     super.init(webView, webViewClient, webChromeClient);
> > > > > >
> > > > > >     Spellcaster spellcaster = new Spellcaster();
> > > > > >     spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > >     ...
> > > > > >
> > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage
> > > > > > <purplecabbage@gmail.com> wrote:
> > > > > >
> > > > > > > It is great design for development, and netflix.
> > > > > > >
> > > > > > > Sent from my iPhone
> > > > > > >
> > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner
> > > > > > > > <mhweiner234@gmail.com> wrote:
> > > > > > > >
> > > > > > > > It's technically possible, and even (arguably) legal
> > > > > > > > according to Apple's documentation, depending on the nature
> > > > > > > > of the code and how it's implemented:
> > > > > > > >
> > > > > > > > 3.3.2 An Application may not download or install executable
> > > > > > > > code. Interpreted code may only be used in an Application if
> > > > > > > > all scripts, code and interpreters are packaged in the
> > > > > > > > Application and not downloaded. The only exception to the
> > > > > > > > foregoing is scripts and code downloaded and run by Apple's
> > > > > > > > built-in WebKit framework, provided that such scripts and
> > > > > > > > code do not change the primary purpose of the Application by
> > > > > > > > providing features or functionality that are inconsistent
> > > > > > > > with the intended and advertised purpose of the Application
> > > > > > > > as submitted to the App Store.
> > > > > > > >
> > > > > > > > However, I would only do so if the code is coming from a
> > > > > > > > server that you control, and if you are able to control what
> > > > > > > > code is getting executed. Loading in 3rd party, unverified
> > > > > > > > scripts into your Cordova view is a big "no-no" for security
> > > > > > > > reasons, and could get your app delisted (or rejected).
> > > > > > > >
> > > > > > > > If anyone else has more information on the topic, I'd be
> > > > > > > > interested in hearing it.
> > > > > > > >
> > > > > > > > Marc
> > > > > > > >
> > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa
> > > > > > > >> <sosah.victor@gmail.com> wrote:
> > > > > > > >>
> > > > > > > >> Hi Frederico.
> > > > > > > >>
> > > > > > > >> While what you are saying about the policies stores is true,
> > > > > > > >> this applies to public stores only (as far as I can tell).
> > > > > > > >> For on-premise app stores this might be false because each
> > > > > > > >> store owner needs to set and apply the governance for the
> > > > > > > >> apps. It could end on horrible results due to a bad
> > > > > > > >> implementation.
> > > > > > > >>
> > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão"
> > > > > > > >> <frederico.galvao@pontoget.com.br> wrote:
> > > > > > > >>
> > > > > > > >>> I don't have the details in hand at the moment, but I
> > > > > > > >>> remember seeing in more than one application store last
> > > > > > > >>> year policies being changed to disallow remote code to run
> > > > > > > >>> in an application on-demand.
> > > > > > > >>> Such rules *could* as well be applied to Cordova apps that
> > > > > > > >>> load remote content considered as code (HTML isn't, but JS
> > > > > > > >>> is). It's not only a security concern per se, but also an
> > > > > > > >>> imposed limitation on the stores (which were obviously
> > > > > > > >>> created for security concerns in the first place).
> > > > > > > >>>
> > > > > > > >>> Not even mentioning the issues with providing the right
> > > > > > > >>> cordova.js version from the remote server not really
> > > > > > > >>> knowing where the request came from.
> > > > > > > >>> However, it's good to note too that aside Phonegap
> > > > > > > >>> Developer App, there is also Adobe Hydration that does the
> > > > > > > >>> exact same thing as a side service to Phonegap Build. I
> > > > > > > >>> don't know if they've come into any of the issues
> > > > > > > >>> mentioned, and I haven't even heard of it being used in
> > > > > > > >>> production.
> > > > > > > >>>
> > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage
> > > > > > > >>> <purplecabbage@gmail.com>:
> > > > > > > >>>
> > > > > > > >>>> I agree with all your statements Marcel. I use this
> > > > > > > >>>> approach frequently in dev for fast turnaround.
> > > > > > > >>>> Ultimately App Store policies decide what can and cannot
> > > > > > > >>>> be done.
> > > > > > > >>>>
> > > > > > > >>>> Regarding security, there is nothing I can do with a
> > > > > > > >>>> remote page that I can't already do inside my app. It's
> > > > > > > >>>> an issue of trust.
> > > > > > > >>>>
> > > > > > > >>>> Sent from my iPhone
> > > > > > > >>>>
> > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron wrote:
> > > > > > > >>>>>
> > > > > > > >>>>> I agree that it is not recommended, but it's possible. I
> > > > > > > >>>>> delved into this question here:
> > > > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > >>>>>
> > > > > > > >>>>> The PhoneGap Developer App is an example of how this is
> > > > > > > >>>>> working at http://app.phonegap.com but they do some
> > > > > > > >>>>> proxying to get around the CORS limitations I believe.
> > > > > > > >>>>>
> > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard
> > > > > > > >>>>>> <cmarcelk@gmail.com> wrote:
> > > > > > > >>>>>> I've been getting occasional questions about users
> > > > > > > >>>>>> trying to use remotely-loaded (non-local) HTML pages
> > > > > > > >>>>>> with Cordova (in the webview, not InAppBrowser), and
> > > > > > > >>>>>> still expecting to have access to the plugin APIs
> > > > > > > >>>>>> (camera is a popular one). My response so far is: "This
> > > > > > > >>>>>> is an unsupported configuration, because Cordova was
> > > > > > > >>>>>> not designed for this and the community does no testing
> > > > > > > >>>>>> of this configuration. While it can work in some
> > > > > > > >>>>>> circumstances, it is not recommended nor supported."
> > > > > > > >>>>>>
> > > > > > > >>>>>> My definition of "unsupported" is not that it is
> > > > > > > >>>>>> incapable, but that we don't claim that it is supposed
> > > > > > > >>>>>> to work, and more importantly, we won't actively fix
> > > > > > > >>>>>> user-submitted defects on this topic.
> > > > > > > >>>>>>
> > > > > > > >>>>>> The main concern I have on this is same origin policy,
> > > > > > > >>>>>> and matching the remotely-served cordova.js with the
> > > > > > > >>>>>> locally-installed native Cordova platform to avoid
> > > > > > > >>>>>> version mismatch.
> > > > > > > >>>>>>
> > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you
> > > > > > > >>>>>> agree?
> > > > > > > >>>>>>
> > > > > > > >>>>>> If you agree, what would you think of a blurb in
> > > > > > > >>>>>> cordova-docs somewhere that captures this gist?
> > > > > > > >>>>>>
> > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > >>>
> > > > > > > >>> --
> > > > > > > >>> *Frederico Galvão*
> > > > > > > >>> Technology Director
> > > > > > > >>> PontoGet Inovação Web
> > > > > > > >>> +55(62) 8131-5720
> > > > > > > >>> www.pontoget.com.br
> > > > > >
> > > > > > --
> > > > > > Ally Ogilvie
> > > > > > Lead Developer - MobDev. | Wizcorp Inc.
> > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS
> > > > > > + 81 (0)3-4550-1448
> >
> > --
> > Carlos Santana
>
> --
> Ally Ogilvie
> Lead Developer - MobDev. | Wizcorp Inc.
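
Added example, not part of the thread and not Spellcaster's code: the checks the thread asks for before a downloaded loader is used, namely that it comes from a server the developer controls, passes a sanitise check, and loads the locally packaged cordova.js rather than a remote one. All function names, the allowlisted origin, the pinned SHA-256 digest and the choice to insert after <head> are assumptions made for illustration.

```javascript
// Added example; every name, URL and digest source here is hypothetical.
const { createHash, timingSafeEqual } = require('crypto');

// Origins the app developer controls (assumption: one HTTPS host).
const ALLOWED_ORIGINS = new Set(['https://game.example.com']);
// The cordova.js packaged with the app, version-linked to the native platform.
const LOCAL_CORDOVA_JS = 'cordova.js';
// Constructed sample of a downloaded loader that references a remote cordova.js.
const SAMPLE_LOADER = '<html><head><script src="https://cdn.example.net/cordova.js">' +
  '</script><title>game</title></head><body></body></html>';

// Accept only HTTPS URLs whose exact origin is on the allowlist.
function isTrustedLoaderUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (err) { return false; }
  return url.protocol === 'https:' && ALLOWED_ORIGINS.has(url.origin);
}

// Compare the downloaded HTML with a SHA-256 digest pinned by the developer
// (assumption: shipped in the app or taken from a manifest the developer signs).
function matchesPinnedDigest(html, expectedSha256Hex) {
  const actual = createHash('sha256').update(html, 'utf8').digest();
  const expected = Buffer.from(String(expectedSha256Hex), 'hex');
  return expected.length === actual.length && timingSafeEqual(actual, expected);
}

// Remove any cordova.js <script> the page brought along, then reference the
// local copy. Assumption: insert right after <head>; the thread does not say
// which tag Spellcaster uses.
function injectLocalCordova(html) {
  const cleaned = html.replace(
    /<script\b[^>]*\bsrc\s*=\s*["']?[^"'\s>]*cordova\.js[^>]*>\s*<\/script>/gi, '');
  if (!/<head\b[^>]*>/i.test(cleaned)) throw new Error('loader has no <head>');
  return cleaned.replace(/<head\b[^>]*>/i,
    (open) => open + '<script src="' + LOCAL_CORDOVA_JS + '"></script>');
}

// Run all checks; the caller stores and loads the result only if none throws.
function prepareLoader(rawUrl, html, expectedSha256Hex) {
  if (!isTrustedLoaderUrl(rawUrl)) throw new Error('untrusted loader URL');
  if (!matchesPinnedDigest(html, expectedSha256Hex)) throw new Error('loader digest mismatch');
  return injectLocalCordova(html);
}
```

The regular expressions only perform the script-tag swap; they do not sanitise the rest of the downloaded HTML.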