incubator-callback-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ken Wallis <>
Subject Re: Naviation Use Cases and whitelist
Date Tue, 31 Jan 2012 22:16:05 GMT
For WebWorks, the whitelist is also applied for general resource loading,
like <img> tags etc.
Ken Wallis
Product Manager ­ BlackBerry WebWorks

Research In Motion
(905) 629-4746 x14369

-----Original Message-----
From: Becky Gibson <>
Reply-To: <>
Date: Tue, 31 Jan 2012 17:12:01 -0500
To: <>
Subject: Naviation Use Cases and whitelist

>Since we are talking about how to implement the whitelist, I think we
>should also have a discussion about how/when the whitelist is used.  I've
>put together a quick list of navigation options. It would be good to agree
>on how these should behave on each platform. I gathered these based on
>comments I have seen in the PhoneGap forum.  I added a proposed action to
>get the conversation started.
>   - iframe within a cordova page - user just wants to display some other
>   content within the page and sandbox it in an iframe.  They do not want
>   have to worry about any PG commands getting invoked by the pages
>loaded in
>   the iframe and do not want to have to specify a whitelist for the
>    Although I have seen requests where people DO want to run PG commands
>   the iframe - although I'm not sure I understand why.
>   - childbrowser plugin - I have an app that tracks my blood donations.
>   want to go out to the Red Cross web site to find the next donations in
>   area.  In this case I don't want to use the whitelist and I do not
>want any
>   PG commands invoked from within the Childbrowser (other than to deal
>   the events from the Childbrowser).  There may be cases where the user
>   want PG commands within a ChildBrowser - with the new Web View /Cleaver
>   implementations this could be an option.
>   - ajax requests - enforce the whitelist
>   - Not sure how we should deal with JavaScript invocations to open a new
>   page?
>    Should these open in the webview or open in the mobile browser (in the
>   case of iOS this will leave the app with no way to return via a back
>   unless the Childbrowser is used).
>    One would suspect that you would want a remote URL to open in the
>   mobile browser UNLESS you are loading PhoneGap.js from that location as
>   well and thus want it in the webView (in which case the whitelist is
>   enforced)
>      - window.location = url
>      - <a href=url>new local or remote location</a>
>   - Need a way to force opening in the browser (not the webview) and
>   ignoring the whitlist check.
>I'm sure  have missed some conditions. But, I think we at least need to
>decide how these should / can behave and implement them consistently
>the platforms.  At the moment I don't think the behavior is consistent.

This transmission (including any attachments) may contain confidential information, privileged
material (including material protected by the solicitor-client or other applicable privileges),
or constitute non-public information. Any use of this information by anyone other than the
intended recipient is prohibited. If you have received this transmission in error, please
immediately reply to the sender and delete this information from your system. Use, dissemination,
distribution, or reproduction of this transmission by unintended recipients is not authorized
and may be unlawful.

View raw message