incubator-callback-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Becky Gibson <>
Subject Naviation Use Cases and whitelist
Date Tue, 31 Jan 2012 22:12:01 GMT
Since we are talking about how to implement the whitelist, I think we
should also have a discussion about how/when the whitelist is used.  I've
put together a quick list of navigation options. It would be good to agree
on how these should behave on each platform. I gathered these based on
comments I have seen in the PhoneGap forum.  I added a proposed action to
get the conversation started.

   - iframe within a cordova page - user just wants to display some other
   content within the page and sandbox it in an iframe.  They do not want to
   have to worry about any PG commands getting invoked by the pages loaded in
   the iframe and do not want to have to specify a whitelist for the iframe.
    Although I have seen requests where people DO want to run PG commands from
   the iframe - although I'm not sure I understand why.
   - childbrowser plugin - I have an app that tracks my blood donations.  I
   want to go out to the Red Cross web site to find the next donations in my
   area.  In this case I don't want to use the whitelist and I do not want any
   PG commands invoked from within the Childbrowser (other than to deal with
   the events from the Childbrowser).  There may be cases where the user does
   want PG commands within a ChildBrowser - with the new Web View /Cleaver
   implementations this could be an option.
   - ajax requests - enforce the whitelist
   - Not sure how we should deal with JavaScript invocations to open a new
    Should these open in the webview or open in the mobile browser (in the
   case of iOS this will leave the app with no way to return via a back button
   unless the Childbrowser is used).
    One would suspect that you would want a remote URL to open in the
   mobile browser UNLESS you are loading PhoneGap.js from that location as
   well and thus want it in the webView (in which case the whitelist is
      - window.location = url
      - <a href=url>new local or remote location</a>
   - Need a way to force opening in the browser (not the webview) and
   ignoring the whitlist check.

I'm sure  have missed some conditions. But, I think we at least need to
decide how these should / can behave and implement them consistently across
the platforms.  At the moment I don't think the behavior is consistent.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message