You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cordova.apache.org by Marcel Kinard <cm...@gmail.com> on 2014/08/01 19:23:34 UTC
remotely loaded pages
I've been getting occasional questions about users trying to use remotely-loaded (non-local) HTML pages with Cordova (in the webview, not InAppBrowser), and still expecting to have access to the plugin APIs (camera is a popular one). My response so far is: "This is an unsupported configuration, because Cordova was not designed for this and the community does no testing of this configuration. While it can work in some circumstances, it is not recommended nor supported."
My definition of "unsupported" is not that it is incapable, but that we don't claim that it is supposed to work, and more importantly, we won't actively fix user-submitted defects on this topic.
The main concern I have on this is same origin policy, and matching the remotely-served cordova.js with the locally-installed native Cordova platform to avoid version mismatch.
Do you think I'm out in-the-weeds on this, or do you agree?
If you agree, what would you think of a blurb in cordova-docs somewhere that captures this gist?
Thanks for your feedback!
Re: remotely loaded pages
Posted by Carlos Santana <cs...@gmail.com>.
+1 Service Worker in the future roadmap
On Wed, Sep 3, 2014 at 6:21 PM, Chuck Lantz <cl...@microsoft.com> wrote:
> Makes sense given appcache's issues. As appropriate, appcache could be
> used as a part of a polyfill plugin (say managed by calling .update
> directly) where appropriate (particularly if it's part of the packaging
> mechanism on the platform).
>
> -Chuck
>
> -----Original Message-----
> From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf Of
> Brian LeRoux
> Sent: Wednesday, September 3, 2014 2:59 PM
> To: dev@cordova.apache.org
> Subject: Re: remotely loaded pages
>
> yea, agreed, tho I think Service Worker will be the spec we
> track/implement if necessary
>
>
>
> On Wed, Sep 3, 2014 at 2:49 PM, Chuck Lantz <cl...@microsoft.com> wrote:
>
> > Got it. I know it can be used with Windows apps so I incorrectly
> > jumped to a conclusion (though there are restrictions there around
> > HTTPS being required). I misinterpreted the spellcaster comment about
> > saving to the "application cache" to be the appcache. I definitely
> > think this is of interest in enterprise scenarios at a minimum.
> >
> > -Chuck
> >
> > -----Original Message-----
> > From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf
> > Of Brian LeRoux
> > Sent: Wednesday, September 3, 2014 2:35 PM
> > To: dev@cordova.apache.org
> > Subject: Re: remotely loaded pages
> >
> > there is no appcache in webview based apps…unless we implement it as a
> > plugin (which we won't b/c appcache is a sort of terrible spec)
> >
> >
> >
> >
> > On Wed, Sep 3, 2014 at 2:25 PM, Chuck Lantz <cl...@microsoft.com>
> wrote:
> >
> > > Out of curiosity, for production use where you presumably want
> > > people to take the updates (say because you don't want to keep your
> > > web service back-end supporting older versions of your app),
> > > wouldn't simply using an offline appcache with a hosted source
> > > achieve some of the same goals? At a certain point I suppose you
> > > hit size limits if you update all of your app content - iOS maxes out
> at 10mb I think.
> > >
> > > -Chuck
> > >
> > > -----Original Message-----
> > > From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On
> > > Behalf Of Brian LeRoux
> > > Sent: Thursday, August 21, 2014 12:15 PM
> > > To: dev@cordova.apache.org
> > > Subject: Re: remotely loaded pages
> > >
> > > No apologies! It definitely *is* for dev authoring workflow
> > > currently …but given the #'s I think it could be suitable for
> > > production runtime. (Sorry I wasn't clear on that.)
> > >
> > >
> > > On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
> > >
> > > > >
> > > > > I wonder how it solves the problems of serving the correct
> > > > > version of cordova.js and cordova_plugin.js depending on the
> > > > > version of the native code that is installed on the different
> > > > > versions of the mobile App in production.
> > > >
> > > >
> > > > When you connect to the IP that's being served by
> > > > connect-phonegap, the client will send its device.version and
> > > > device.platform to the server. On the server's side, there's a res
> > > > folder within connect-phonegap with all the various version and
> > > > platforms of the cordova.js, cordova_plugins.js and plugins/.
> > > >
> > > >
> > > > On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com>
> wrote:
> > > >
> > > > > Sorry Brian, I thought it was a development time tool to allow
> > > > > for fast development cycle associated with PhoneGap Developer App.
> > > > >
> > > > > I guess they can use it and run the connect-phonegap in a
> > > > > production node-js backend system, I wonder how it solves the
> > > > > problems of serving
> > > > the
> > > > > correct version of cordova.js and cordova_plugin.js depending on
> > > > > the version of the native code that is installed on the
> > > > > different versions of the mobile App in production.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> > > > >
> > > > > > totally, though connect-phonegap *could* be considered
> > > > > > production
> > > > worthy
> > > > > > (it is being used significantly by the pg downstream
> > > > > > community)
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana
> > > > > > <csantana23@gmail.com
> > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Brain I think that's OK at development time everything is
> > > > > > > fair game
> > > > :-)
> > > > > > >
> > > > > > > The problem is developers doing stupid things like loading a
> > > > cordova.js
> > > > > > > from a place they don't know for a in production app being
> > > > > > > used by
> > > > end
> > > > > > > users, that's just kamikaze
> > > > > > >
> > > > > > > That's OK if they want to shoot themselves in the foot, but
> > > > > > > then
> > > > don't
> > > > > > come
> > > > > > > crying to JIRA claiming that is a problem with Cordova project.
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io>
> > wrote:
> > > > > > >
> > > > > > > > phonegap-connect serves up remote cordova.js (negotiates
> > > > > > > > the
> > > > > requestor
> > > > > > to
> > > > > > > > send the right file)
> > > > > > > >
> > > > > > > > no deaths yet!
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > https://github.com/phonegap/connect-phonegap/blob/master/lib/middl
> > > > ew
> > > > ar
> > > > e/cordova/cordova.js#L29
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie
> > > > > > > > <aogilvie@wizcorp.jp
> > > > >
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > > That's a good difference to point out.
> > > > > > > > >
> > > > > > > > > >My personal position is that scenarios where developer
> > > > > > > > > >is in
> > > > > control
> > > > > > > and
> > > > > > > > > >loaded locally (i.e. directupdate, appmobi,
> > > > > > > > > >spellcaster) is a
> > > > > valid
> > > > > > > > > >scenario for Cordova
> > > > > > > > >
> > > > > > > > > I agree, because as cordova.js and cordovaLib are
> > > > > > > > > version linked,
> > > > > it
> > > > > > > > makes
> > > > > > > > > sense that once an index.html is pulled in, it's
> > > > > > > > > cordova.js to
> > > > load
> > > > > > is
> > > > > > > > > already in the client application.
> > > > > > > > > Loading an external cordova.js would be suicidal. So we
> > > > > > > > > save the
> > > > > file
> > > > > > > > > locally to write into it's <HEAD> our known path to
> > > > > > > > > codova.js
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > > > > csantana23@gmail.com>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > I want to make clarification there is a notable
> > > > > > > > > > difference
> > > > > between
> > > > > > > > > loading
> > > > > > > > > > a remotely-loaded *(non-local) *HTML pages with
> > > > > > > > > > Cordova vs. a
> > > > > > > > downloaded
> > > > > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > > > > >
> > > > > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6
> > > > .2
> > > > .0
> > > >
> /com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.
> > > > html?locale=en
> > > > > > > > > >
> > > > > > > > > > The scenario is a download and local load of
> html/cordova.
> > > > > Similar
> > > > > > > > > scenario
> > > > > > > > > > as spellcaster and appmobi For this scenario there is
> > > > > > > > > > control from app developer of the
> > > > code
> > > > > > > being
> > > > > > > > > > loaded.
> > > > > > > > > >
> > > > > > > > > > What Marcel is asking is a *non-local* load of
> > > > > > > > > > arbitrary
> > > > > html/code
> > > > > > > not
> > > > > > > > > > control by developer, developer loading a free html
> > > > > > > > > > page own
> > > > > > someone
> > > > > > > > else
> > > > > > > > > > and doing kind of a "document.location.replace('
> > > > > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > > > > >
> > > > > > > > > > My personal position is that scenarios where developer
> > > > > > > > > > is in
> > > > > > control
> > > > > > > > and
> > > > > > > > > > loaded locally (i.e. directupdate, appmobi,
> > > > > > > > > > spellcaster) is a
> > > > > valid
> > > > > > > > > > scenario for Cordova. loading a random cordova.js
> > > > > > > > > > directly
> > > > from a
> > > > > > > > > non-local
> > > > > > > > > > random place not guarantee to be supported.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux
> > > > > > > > > > <b...@brian.io>
> > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Very much so. So much so, I think we should even
> > > > > > > > > > > consider
> > > > such
> > > > > > > > > > > functionality as 'core'. Could dovetail w/
> Serviceworker.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > > > > agrieve@chromium.org
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I think this is a very desired plugin that many
> > > > > > > > > > > > end up
> > > > > > > re-writing,
> > > > > > > > > and
> > > > > > > > > > > it's
> > > > > > > > > > > > far better than setting the content src directly
> > > > > > > > > > > > to a
> > > > remote
> > > > > > URL.
> > > > > > > > > > > >
> > > > > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > > > > mmocny@chromium.org
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Make it available Ally, of course that sounds
> > > > interesting!
> > > > > > > > > > > > >
> > > > > > > > > > > > > I'm sure a few of us have suggestions for
> > > > > > > > > > > > > improvements
> > > > too.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > > > > aogilvie@wizcorp.jp
> > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > For some games that I produce where the entire
> > > > > > > > > > > > > > game is
> > > > > > served
> > > > > > > > to
> > > > > > > > > > the
> > > > > > > > > > > > > client
> > > > > > > > > > > > > > (requires no .html in the application) we have
> > > > > > > > > > > > > > a tool
> > > > > > called
> > > > > > > > > > > > > "spellcaster".
> > > > > > > > > > > > > > Spellcaster handles internet connectivity,
> > > > > > > > > > > > > > localisation
> > > > > and
> > > > > > > > > Cordova
> > > > > > > > > > > > code
> > > > > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > One simply adds an application URL to
> > > > > > > > > > > > > > Cordova's
> > > > > config.xml
> > > > > > in
> > > > > > > > > > > <content
> > > > > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - Spellcaster will check for an active
> > > > > > > > > > > > > > internet
> > > > > connection.
> > > > > > > If
> > > > > > > > > one
> > > > > > > > > > is
> > > > > > > > > > > > not
> > > > > > > > > > > > > > found Spellcaster will continue retrying at a
> > > > > > > > > > > > > > set
> > > > > interval.
> > > > > > > > > > > > > > - Spellcaster downloads the content of the
> > > > > > > > > > > > > > provided
> > > > > > > application
> > > > > > > > > URL
> > > > > > > > > > > and
> > > > > > > > > > > > > > stores to application cache (overriding any
> > > > > > > > > > > > > > existing
> > > > > > loader).
> > > > > > > > > > > > > > - Spellcaster injects Cordova script tags just
> > > > > > > > > > > > > > after
> > > > the
> > > > > > > <head>
> > > > > > > > > > tag.
> > > > > > > > > > > > > > - Spellcaster loads the new *loader into the
> > > > > > > > > > > > > > WebView
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Are people still in need of such a solution? I
> > > > > > > > > > > > > > could
> > > > have
> > > > > > > this
> > > > > > > > > code
> > > > > > > > > > > > made
> > > > > > > > > > > > > > public it just needs a public sanitise check.
> > > > Spellcaster
> > > > > > > > > supports
> > > > > > > > > > > iOS
> > > > > > > > > > > > > and
> > > > > > > > > > > > > > Android.
> > > > > > > > > > > > > > For iOS it requires 1 line of code to be added
> > > > > > > > > > > > > > to didFinishLaunchingWithOptions.
> > > > > > > > > > > > > > For Android it requires these overrides in
> > onCreate:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > @Override
> > > > > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > > > > super.init();
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > @Override
> > > > > > > > > > > > > > public void init() { Spellcaster spellcaster =
> > > > > > > > > > > > > > new Spellcaster(); spellcaster.init(this,
> > > > > > > > > > > > > > Config.getStartUrl(), appView); ...
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > @Override
> > > > > > > > > > > > > > public void
> > > > > > > > > > > > > > init(org.apache.cordova.CordovaWebView
> > > > > webView,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > > > > webViewClient,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > > > > webChromeClient)
> > > > > > > > > > > {
> > > > > > > > > > > > > > super.init(webView, webViewClient,
> > > > webChromeClient);
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > > > > spellcaster.init(this,
> > > > > > > > > > > > > > Config.getStartUrl(),
> > > > > webView);
> > > > > > > > > > > > > > ...
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage
> > > > > > > > > > > > > > <
> > > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > It is great design for development, and
> netflix.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > > > > mhweiner234@gmail.com
> > > > > > > > > > >
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > It's technically possible, and even
> > > > > > > > > > > > > > > > (arguably)
> > > > legal
> > > > > > > > > according
> > > > > > > > > > to
> > > > > > > > > > > > > > Apple's
> > > > > > > > > > > > > > > > documentation, depending on the nature of
> > > > > > > > > > > > > > > > the code
> > > > > and
> > > > > > > how
> > > > > > > > > it's
> > > > > > > > > > > > > > > implemented:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 3.3.2 An Application may not download or
> > > > > > > > > > > > > > > > install
> > > > > > > executable
> > > > > > > > > > code.
> > > > > > > > > > > > > > > > Interpreted code may only be used in an
> > > > > > > > > > > > > > > > Application
> > > > > if
> > > > > > > all
> > > > > > > > > > > scripts,
> > > > > > > > > > > > > > code
> > > > > > > > > > > > > > > > and interpreters are packaged in the
> > > > > > > > > > > > > > > > Application
> > > > and
> > > > > > not
> > > > > > > > > > > > downloaded.
> > > > > > > > > > > > > > The
> > > > > > > > > > > > > > > > only exception to the foregoing is scripts
> > > > > > > > > > > > > > > > and code
> > > > > > > > > downloaded
> > > > > > > > > > > and
> > > > > > > > > > > > > run
> > > > > > > > > > > > > > by
> > > > > > > > > > > > > > > > Apple's built-in WebKit framework,
> > > > > > > > > > > > > > > > provided that
> > > > such
> > > > > > > > scripts
> > > > > > > > > > and
> > > > > > > > > > > > > code
> > > > > > > > > > > > > > do
> > > > > > > > > > > > > > > > not change the primary purpose of the
> > > > > > > > > > > > > > > > Application
> > > > by
> > > > > > > > > providing
> > > > > > > > > > > > > features
> > > > > > > > > > > > > > > or
> > > > > > > > > > > > > > > > functionality that are inconsistent with
> > > > > > > > > > > > > > > > the
> > > > intended
> > > > > > and
> > > > > > > > > > > > advertised
> > > > > > > > > > > > > > > > purpose of the Application as submitted to
> > > > > > > > > > > > > > > > the App
> > > > > > Store.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > However, I would only do so if the code is
> > > > > > > > > > > > > > > > coming
> > > > > from
> > > > > > a
> > > > > > > > > server
> > > > > > > > > > > > that
> > > > > > > > > > > > > > you
> > > > > > > > > > > > > > > > control, and if you are able to control
> > > > > > > > > > > > > > > > what code
> > > > is
> > > > > > > > getting
> > > > > > > > > > > > > executed.
> > > > > > > > > > > > > > > > Loading in 3rd party, unverified scripts
> > > > > > > > > > > > > > > > into your
> > > > > > > Cordova
> > > > > > > > > view
> > > > > > > > > > > is
> > > > > > > > > > > > a
> > > > > > > > > > > > > > big
> > > > > > > > > > > > > > > > "no-no" for security reasons, and could
> > > > > > > > > > > > > > > > get your
> > > > app
> > > > > > > > delisted
> > > > > > > > > > (or
> > > > > > > > > > > > > > > rejected).
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > If anyone else has more information on the
> > > > > > > > > > > > > > > > topic,
> > > > I'd
> > > > > > be
> > > > > > > > > > > interested
> > > > > > > > > > > > > in
> > > > > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Marc
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor
> > > > > > > > > > > > > > > >> Sosa <
> > > > > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >> While what you are saying about the
> > > > > > > > > > > > > > > >> policies
> > > > stores
> > > > > is
> > > > > > > > true,
> > > > > > > > > > > this
> > > > > > > > > > > > > > > applies
> > > > > > > > > > > > > > > >> to public stores only (as far as I can
> tell).
> > > > > > > > > > > > > > > >> For
> > > > > > > > on-premise
> > > > > > > > > > app
> > > > > > > > > > > > > > stores
> > > > > > > > > > > > > > > >> this might be false because each store
> > > > > > > > > > > > > > > >> owner need
> > > > to
> > > > > > set
> > > > > > > > and
> > > > > > > > > > > apply
> > > > > > > > > > > > > the
> > > > > > > > > > > > > > > >> governance for the apps. It could end on
> > > > > > > > > > > > > > > >> horrible
> > > > > > > results
> > > > > > > > > due
> > > > > > > > > > > to a
> > > > > > > > > > > > > bad
> > > > > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >> I concur with everyone, it is possible
> > > > > > > > > > > > > > > >> but awful
> > > > > > design
> > > > > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão"
> > > > > > > > > > > > > > > >> < frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >>> I don't have the details in hand at the
> > > > > > > > > > > > > > > >>> moment,
> > > > > but I
> > > > > > > > > > remember
> > > > > > > > > > > > > seeing
> > > > > > > > > > > > > > > in
> > > > > > > > > > > > > > > >>> more than one application store last
> > > > > > > > > > > > > > > >>> year
> > > > policies
> > > > > > > being
> > > > > > > > > > > changed
> > > > > > > > > > > > to
> > > > > > > > > > > > > > > >>> disallow remote code to run in an
> > > > > > > > > > > > > > > >>> application
> > > > > > > on-demand.
> > > > > > > > > Such
> > > > > > > > > > > > rules
> > > > > > > > > > > > > > > >> *could*
> > > > > > > > > > > > > > > >>> as well be applied to Cordova apps that
> > > > > > > > > > > > > > > >>> load
> > > > remote
> > > > > > > > content
> > > > > > > > > > > > > > considered
> > > > > > > > > > > > > > > as
> > > > > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not
> > > > > > > > > > > > > > > >>> only a
> > > > > > security
> > > > > > > > > > concern
> > > > > > > > > > > > per
> > > > > > > > > > > > > > se,
> > > > > > > > > > > > > > > >> but
> > > > > > > > > > > > > > > >>> also an imposed limitation on the stores
> > > > > > > > > > > > > > > >>> (which
> > > > > were
> > > > > > > > > > obviously
> > > > > > > > > > > > > > created
> > > > > > > > > > > > > > > >> for
> > > > > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> Not even mentioning the issues with
> > > > > > > > > > > > > > > >>> providing the
> > > > > > right
> > > > > > > > > > > > cordova.js
> > > > > > > > > > > > > > > >> version
> > > > > > > > > > > > > > > >>> from the remote server not really
> > > > > > > > > > > > > > > >>> knowing where
> > > > the
> > > > > > > > request
> > > > > > > > > > > came
> > > > > > > > > > > > > > from.
> > > > > > > > > > > > > > > >>> However, it's good to note too that
> > > > > > > > > > > > > > > >>> aside
> > > > Phonegap
> > > > > > > > > Developer
> > > > > > > > > > > App,
> > > > > > > > > > > > > > there
> > > > > > > > > > > > > > > >> is
> > > > > > > > > > > > > > > >>> also Adobe Hydration that does the exact
> > > > > > > > > > > > > > > >>> same
> > > > thing
> > > > > > as
> > > > > > > a
> > > > > > > > > side
> > > > > > > > > > > > > service
> > > > > > > > > > > > > > > to
> > > > > > > > > > > > > > > >>> Phonegap Build. I don't know if they've
> > > > > > > > > > > > > > > >>> come into
> > > > > any
> > > > > > > of
> > > > > > > > > the
> > > > > > > > > > > > issues
> > > > > > > > > > > > > > > >>> mentioned, and I haven't even heard of
> > > > > > > > > > > > > > > >>> it being
> > > > > used
> > > > > > in
> > > > > > > > > > > > production.
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage
> > > > > > > > > > > > > > > >>> <
> > > > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > > > >:
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>> I agree with all your statements Marcel.
> > > > > > > > > > > > > > > >>>> I use
> > > > > this
> > > > > > > > > approach
> > > > > > > > > > > > > > > frequently
> > > > > > > > > > > > > > > >>> in
> > > > > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > > > > >>>> Ultimately App Store policies decide
> > > > > > > > > > > > > > > >>>> what can
> > > > and
> > > > > > > cannot
> > > > > > > > > be
> > > > > > > > > > > > done.
> > > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > > >>>> Regarding security, there is nothing I
> > > > > > > > > > > > > > > >>>> can do
> > > > > with a
> > > > > > > > > remote
> > > > > > > > > > > page
> > > > > > > > > > > > > > that
> > > > > > > > > > > > > > > I
> > > > > > > > > > > > > > > >>>> can't already do inside my app. It's an
> > > > > > > > > > > > > > > >>>> issue of
> > > > > > > trust.
> > > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > > > > shazron@gmail.com>
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > > >>>>> I agree that it is not recommended,
> > > > > > > > > > > > > > > >>>>> but it's
> > > > > > > possible.
> > > > > > > > I
> > > > > > > > > > > delved
> > > > > > > > > > > > > > into
> > > > > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > > > > >>>>>
> > > > > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > > >>>>> The PhoneGap Developer App is an
> > > > > > > > > > > > > > > >>>>> example of how
> > > > > > this
> > > > > > > is
> > > > > > > > > > > working
> > > > > > > > > > > > > at
> > > > > > > > > > > > > > > >>>>> http://app.phonegap.com but they do
> > > > > > > > > > > > > > > >>>>> some
> > > > > proxying
> > > > > > to
> > > > > > > > get
> > > > > > > > > > > > around
> > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM,
> > > > > > > > > > > > > > > >>>>>> Marcel
> > > > Kinard <
> > > > > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > > > > >>>>>> I've been getting occasional
> > > > > > > > > > > > > > > >>>>>> questions about
> > > > > users
> > > > > > > > > trying
> > > > > > > > > > to
> > > > > > > > > > > > use
> > > > > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages
> > > > > > > > > > > > > > > >>>> with
> > > > > Cordova
> > > > > > > (in
> > > > > > > > > the
> > > > > > > > > > > > > webview,
> > > > > > > > > > > > > > > >> not
> > > > > > > > > > > > > > > >>>> InAppBrowser), and still expecting to
> > > > > > > > > > > > > > > >>>> have
> > > > access
> > > > > to
> > > > > > > the
> > > > > > > > > > > plugin
> > > > > > > > > > > > > APIs
> > > > > > > > > > > > > > > >>>> (camera is a popular one). My response
> > > > > > > > > > > > > > > >>>> so far
> > > > is:
> > > > > > > "This
> > > > > > > > is
> > > > > > > > > > an
> > > > > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > > > > >>>> configuration, because Cordova was not
> > > > > > > > > > > > > > > >>>> designed
> > > > > for
> > > > > > > this
> > > > > > > > > and
> > > > > > > > > > > the
> > > > > > > > > > > > > > > >>> community
> > > > > > > > > > > > > > > >>>> does no testing of this configuration.
> > > > > > > > > > > > > > > >>>> While it
> > > > > can
> > > > > > > work
> > > > > > > > > in
> > > > > > > > > > > some
> > > > > > > > > > > > > > > >>>> circumstances, it is not recommended
> > > > > > > > > > > > > > > >>>> nor
> > > > > supported."
> > > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > > >>>>>> My definition of "unsupported" is not
> > > > > > > > > > > > > > > >>>>>> that it
> > > > is
> > > > > > > > > > incapable,
> > > > > > > > > > > > but
> > > > > > > > > > > > > > that
> > > > > > > > > > > > > > > >>> we
> > > > > > > > > > > > > > > >>>> don't claim that it is supposed to
> > > > > > > > > > > > > > > >>>> work, and
> > > > more
> > > > > > > > > > importantly,
> > > > > > > > > > > > we
> > > > > > > > > > > > > > > won't
> > > > > > > > > > > > > > > >>>> actively fix user-submitted defects on
> > > > > > > > > > > > > > > >>>> this
> > > > topic.
> > > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > > >>>>>> The main concern I have on this is
> > > > > > > > > > > > > > > >>>>>> same origin
> > > > > > > policy,
> > > > > > > > > and
> > > > > > > > > > > > > > matching
> > > > > > > > > > > > > > > >>> the
> > > > > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > > > > locally-installed
> > > > > > > > > native
> > > > > > > > > > > > > Cordova
> > > > > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on
> > > > > > > > > > > > > > > >>>>>> this, or
> > > > do
> > > > > > you
> > > > > > > > > > agree?
> > > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > > >>>>>> If you agree, what would you think of
> > > > > > > > > > > > > > > >>>>>> a blurb
> > > > in
> > > > > > > > > > > cordova-docs
> > > > > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> --
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > > >>> * www.pontoget.com.br
> > > > > > > > > > > > > > > >>> <http://www.pontoget.com/>
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead
> > > > > > > > > > > > > > Developer - MobDev. | Wizcorp Inc. <
> > > > > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > > > > > > OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> > > > |
> > > > > > > > Website
> > > > > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > > > > https://twitter.com/Wizcorp>
> > > > > > > > > |
> > > > > > > > > > > > > > Facebook
> > > > > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Carlos Santana
> > > > > > > > > > <cs...@gmail.com>
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead Developer -
> > > > > > > > > MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > OPEN-SOURCE
> > > > > > > > > WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > > > > <http://www.wizcorp.jp/> | Twitter
> > > > > > > > > <https://twitter.com/Wizcorp>
> > > > |
> > > > > > > > > Facebook
> > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Carlos Santana
> > > > > > > <cs...@gmail.com>
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Carlos Santana
> > > > > <cs...@gmail.com>
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Timothy Kim
> > > >
> > >
> >
>
--
Carlos Santana
<cs...@gmail.com>
RE: remotely loaded pages
Posted by Chuck Lantz <cl...@microsoft.com>.
Makes sense given appcache's issues. As appropriate, appcache could be used as a part of a polyfill plugin (say managed by calling .update directly) where appropriate (particularly if it's part of the packaging mechanism on the platform).
-Chuck
-----Original Message-----
From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf Of Brian LeRoux
Sent: Wednesday, September 3, 2014 2:59 PM
To: dev@cordova.apache.org
Subject: Re: remotely loaded pages
yea, agreed, tho I think Service Worker will be the spec we track/implement if necessary
On Wed, Sep 3, 2014 at 2:49 PM, Chuck Lantz <cl...@microsoft.com> wrote:
> Got it. I know it can be used with Windows apps so I incorrectly
> jumped to a conclusion (though there are restrictions there around
> HTTPS being required). I misinterpreted the spellcaster comment about
> saving to the "application cache" to be the appcache. I definitely
> think this is of interest in enterprise scenarios at a minimum.
>
> -Chuck
>
> -----Original Message-----
> From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf
> Of Brian LeRoux
> Sent: Wednesday, September 3, 2014 2:35 PM
> To: dev@cordova.apache.org
> Subject: Re: remotely loaded pages
>
> there is no appcache in webview based apps…unless we implement it as a
> plugin (which we won't b/c appcache is a sort of terrible spec)
>
>
>
>
> On Wed, Sep 3, 2014 at 2:25 PM, Chuck Lantz <cl...@microsoft.com> wrote:
>
> > Out of curiosity, for production use where you presumably want
> > people to take the updates (say because you don't want to keep your
> > web service back-end supporting older versions of your app),
> > wouldn't simply using an offline appcache with a hosted source
> > achieve some of the same goals? At a certain point I suppose you
> > hit size limits if you update all of your app content - iOS maxes out at 10mb I think.
> >
> > -Chuck
> >
> > -----Original Message-----
> > From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On
> > Behalf Of Brian LeRoux
> > Sent: Thursday, August 21, 2014 12:15 PM
> > To: dev@cordova.apache.org
> > Subject: Re: remotely loaded pages
> >
> > No apologies! It definitely *is* for dev authoring workflow
> > currently …but given the #'s I think it could be suitable for
> > production runtime. (Sorry I wasn't clear on that.)
> >
> >
> > On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
> >
> > > >
> > > > I wonder how it solves the problems of serving the correct
> > > > version of cordova.js and cordova_plugin.js depending on the
> > > > version of the native code that is installed on the different
> > > > versions of the mobile App in production.
> > >
> > >
> > > When you connect to the IP that's being served by
> > > connect-phonegap, the client will send its device.version and
> > > device.platform to the server. On the server's side, there's a res
> > > folder within connect-phonegap with all the various version and
> > > platforms of the cordova.js, cordova_plugins.js and plugins/.
> > >
> > >
> > > On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
> > >
> > > > Sorry Brian, I thought it was a development time tool to allow
> > > > for fast development cycle associated with PhoneGap Developer App.
> > > >
> > > > I guess they can use it and run the connect-phonegap in a
> > > > production node-js backend system, I wonder how it solves the
> > > > problems of serving
> > > the
> > > > correct version of cordova.js and cordova_plugin.js depending on
> > > > the version of the native code that is installed on the
> > > > different versions of the mobile App in production.
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> > > >
> > > > > totally, though connect-phonegap *could* be considered
> > > > > production
> > > worthy
> > > > > (it is being used significantly by the pg downstream
> > > > > community)
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana
> > > > > <csantana23@gmail.com
> > > >
> > > > > wrote:
> > > > >
> > > > > > Brain I think that's OK at development time everything is
> > > > > > fair game
> > > :-)
> > > > > >
> > > > > > The problem is developers doing stupid things like loading a
> > > cordova.js
> > > > > > from a place they don't know for a in production app being
> > > > > > used by
> > > end
> > > > > > users, that's just kamikaze
> > > > > >
> > > > > > That's OK if they want to shoot themselves in the foot, but
> > > > > > then
> > > don't
> > > > > come
> > > > > > crying to JIRA claiming that is a problem with Cordova project.
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io>
> wrote:
> > > > > >
> > > > > > > phonegap-connect serves up remote cordova.js (negotiates
> > > > > > > the
> > > > requestor
> > > > > to
> > > > > > > send the right file)
> > > > > > >
> > > > > > > no deaths yet!
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > https://github.com/phonegap/connect-phonegap/blob/master/lib/middl
> > > ew
> > > ar
> > > e/cordova/cordova.js#L29
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie
> > > > > > > <aogilvie@wizcorp.jp
> > > >
> > > > > > wrote:
> > > > > > >
> > > > > > > > That's a good difference to point out.
> > > > > > > >
> > > > > > > > >My personal position is that scenarios where developer
> > > > > > > > >is in
> > > > control
> > > > > > and
> > > > > > > > >loaded locally (i.e. directupdate, appmobi,
> > > > > > > > >spellcaster) is a
> > > > valid
> > > > > > > > >scenario for Cordova
> > > > > > > >
> > > > > > > > I agree, because as cordova.js and cordovaLib are
> > > > > > > > version linked,
> > > > it
> > > > > > > makes
> > > > > > > > sense that once an index.html is pulled in, it's
> > > > > > > > cordova.js to
> > > load
> > > > > is
> > > > > > > > already in the client application.
> > > > > > > > Loading an external cordova.js would be suicidal. So we
> > > > > > > > save the
> > > > file
> > > > > > > > locally to write into it's <HEAD> our known path to
> > > > > > > > codova.js
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > > > csantana23@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > I want to make clarification there is a notable
> > > > > > > > > difference
> > > > between
> > > > > > > > loading
> > > > > > > > > a remotely-loaded *(non-local) *HTML pages with
> > > > > > > > > Cordova vs. a
> > > > > > > downloaded
> > > > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > > > >
> > > > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6
> > > .2
> > > .0
> > > /com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.
> > > html?locale=en
> > > > > > > > >
> > > > > > > > > The scenario is a download and local load of html/cordova.
> > > > Similar
> > > > > > > > scenario
> > > > > > > > > as spellcaster and appmobi For this scenario there is
> > > > > > > > > control from app developer of the
> > > code
> > > > > > being
> > > > > > > > > loaded.
> > > > > > > > >
> > > > > > > > > What Marcel is asking is a *non-local* load of
> > > > > > > > > arbitrary
> > > > html/code
> > > > > > not
> > > > > > > > > control by developer, developer loading a free html
> > > > > > > > > page own
> > > > > someone
> > > > > > > else
> > > > > > > > > and doing kind of a "document.location.replace('
> > > > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > > > >
> > > > > > > > > My personal position is that scenarios where developer
> > > > > > > > > is in
> > > > > control
> > > > > > > and
> > > > > > > > > loaded locally (i.e. directupdate, appmobi,
> > > > > > > > > spellcaster) is a
> > > > valid
> > > > > > > > > scenario for Cordova. loading a random cordova.js
> > > > > > > > > directly
> > > from a
> > > > > > > > non-local
> > > > > > > > > random place not guarantee to be supported.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux
> > > > > > > > > <b...@brian.io>
> > > > wrote:
> > > > > > > > >
> > > > > > > > > > Very much so. So much so, I think we should even
> > > > > > > > > > consider
> > > such
> > > > > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > > > agrieve@chromium.org
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > I think this is a very desired plugin that many
> > > > > > > > > > > end up
> > > > > > re-writing,
> > > > > > > > and
> > > > > > > > > > it's
> > > > > > > > > > > far better than setting the content src directly
> > > > > > > > > > > to a
> > > remote
> > > > > URL.
> > > > > > > > > > >
> > > > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > > > mmocny@chromium.org
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Make it available Ally, of course that sounds
> > > interesting!
> > > > > > > > > > > >
> > > > > > > > > > > > I'm sure a few of us have suggestions for
> > > > > > > > > > > > improvements
> > > too.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > > > aogilvie@wizcorp.jp
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > > > >
> > > > > > > > > > > > > For some games that I produce where the entire
> > > > > > > > > > > > > game is
> > > > > served
> > > > > > > to
> > > > > > > > > the
> > > > > > > > > > > > client
> > > > > > > > > > > > > (requires no .html in the application) we have
> > > > > > > > > > > > > a tool
> > > > > called
> > > > > > > > > > > > "spellcaster".
> > > > > > > > > > > > > Spellcaster handles internet connectivity,
> > > > > > > > > > > > > localisation
> > > > and
> > > > > > > > Cordova
> > > > > > > > > > > code
> > > > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > > > >
> > > > > > > > > > > > > One simply adds an application URL to
> > > > > > > > > > > > > Cordova's
> > > > config.xml
> > > > > in
> > > > > > > > > > <content
> > > > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > > > >
> > > > > > > > > > > > > - Spellcaster will check for an active
> > > > > > > > > > > > > internet
> > > > connection.
> > > > > > If
> > > > > > > > one
> > > > > > > > > is
> > > > > > > > > > > not
> > > > > > > > > > > > > found Spellcaster will continue retrying at a
> > > > > > > > > > > > > set
> > > > interval.
> > > > > > > > > > > > > - Spellcaster downloads the content of the
> > > > > > > > > > > > > provided
> > > > > > application
> > > > > > > > URL
> > > > > > > > > > and
> > > > > > > > > > > > > stores to application cache (overriding any
> > > > > > > > > > > > > existing
> > > > > loader).
> > > > > > > > > > > > > - Spellcaster injects Cordova script tags just
> > > > > > > > > > > > > after
> > > the
> > > > > > <head>
> > > > > > > > > tag.
> > > > > > > > > > > > > - Spellcaster loads the new *loader into the
> > > > > > > > > > > > > WebView
> > > > > > > > > > > > >
> > > > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Are people still in need of such a solution? I
> > > > > > > > > > > > > could
> > > have
> > > > > > this
> > > > > > > > code
> > > > > > > > > > > made
> > > > > > > > > > > > > public it just needs a public sanitise check.
> > > Spellcaster
> > > > > > > > supports
> > > > > > > > > > iOS
> > > > > > > > > > > > and
> > > > > > > > > > > > > Android.
> > > > > > > > > > > > > For iOS it requires 1 line of code to be added
> > > > > > > > > > > > > to didFinishLaunchingWithOptions.
> > > > > > > > > > > > > For Android it requires these overrides in
> onCreate:
> > > > > > > > > > > > >
> > > > > > > > > > > > > @Override
> > > > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > > > super.init();
> > > > > > > > > > > > >
> > > > > > > > > > > > > @Override
> > > > > > > > > > > > > public void init() { Spellcaster spellcaster =
> > > > > > > > > > > > > new Spellcaster(); spellcaster.init(this,
> > > > > > > > > > > > > Config.getStartUrl(), appView); ...
> > > > > > > > > > > > >
> > > > > > > > > > > > > @Override
> > > > > > > > > > > > > public void
> > > > > > > > > > > > > init(org.apache.cordova.CordovaWebView
> > > > webView,
> > > > > > > > > > > > >
> > > > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > > > webViewClient,
> > > > > > > > > > > > >
> > > > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > > > webChromeClient)
> > > > > > > > > > {
> > > > > > > > > > > > > super.init(webView, webViewClient,
> > > webChromeClient);
> > > > > > > > > > > > >
> > > > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > > > spellcaster.init(this,
> > > > > > > > > > > > > Config.getStartUrl(),
> > > > webView);
> > > > > > > > > > > > > ...
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage
> > > > > > > > > > > > > <
> > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > >
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > > > mhweiner234@gmail.com
> > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > It's technically possible, and even
> > > > > > > > > > > > > > > (arguably)
> > > legal
> > > > > > > > according
> > > > > > > > > to
> > > > > > > > > > > > > Apple's
> > > > > > > > > > > > > > > documentation, depending on the nature of
> > > > > > > > > > > > > > > the code
> > > > and
> > > > > > how
> > > > > > > > it's
> > > > > > > > > > > > > > implemented:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 3.3.2 An Application may not download or
> > > > > > > > > > > > > > > install
> > > > > > executable
> > > > > > > > > code.
> > > > > > > > > > > > > > > Interpreted code may only be used in an
> > > > > > > > > > > > > > > Application
> > > > if
> > > > > > all
> > > > > > > > > > scripts,
> > > > > > > > > > > > > code
> > > > > > > > > > > > > > > and interpreters are packaged in the
> > > > > > > > > > > > > > > Application
> > > and
> > > > > not
> > > > > > > > > > > downloaded.
> > > > > > > > > > > > > The
> > > > > > > > > > > > > > > only exception to the foregoing is scripts
> > > > > > > > > > > > > > > and code
> > > > > > > > downloaded
> > > > > > > > > > and
> > > > > > > > > > > > run
> > > > > > > > > > > > > by
> > > > > > > > > > > > > > > Apple's built-in WebKit framework,
> > > > > > > > > > > > > > > provided that
> > > such
> > > > > > > scripts
> > > > > > > > > and
> > > > > > > > > > > > code
> > > > > > > > > > > > > do
> > > > > > > > > > > > > > > not change the primary purpose of the
> > > > > > > > > > > > > > > Application
> > > by
> > > > > > > > providing
> > > > > > > > > > > > features
> > > > > > > > > > > > > > or
> > > > > > > > > > > > > > > functionality that are inconsistent with
> > > > > > > > > > > > > > > the
> > > intended
> > > > > and
> > > > > > > > > > > advertised
> > > > > > > > > > > > > > > purpose of the Application as submitted to
> > > > > > > > > > > > > > > the App
> > > > > Store.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > However, I would only do so if the code is
> > > > > > > > > > > > > > > coming
> > > > from
> > > > > a
> > > > > > > > server
> > > > > > > > > > > that
> > > > > > > > > > > > > you
> > > > > > > > > > > > > > > control, and if you are able to control
> > > > > > > > > > > > > > > what code
> > > is
> > > > > > > getting
> > > > > > > > > > > > executed.
> > > > > > > > > > > > > > > Loading in 3rd party, unverified scripts
> > > > > > > > > > > > > > > into your
> > > > > > Cordova
> > > > > > > > view
> > > > > > > > > > is
> > > > > > > > > > > a
> > > > > > > > > > > > > big
> > > > > > > > > > > > > > > "no-no" for security reasons, and could
> > > > > > > > > > > > > > > get your
> > > app
> > > > > > > delisted
> > > > > > > > > (or
> > > > > > > > > > > > > > rejected).
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > If anyone else has more information on the
> > > > > > > > > > > > > > > topic,
> > > I'd
> > > > > be
> > > > > > > > > > interested
> > > > > > > > > > > > in
> > > > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Marc
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor
> > > > > > > > > > > > > > >> Sosa <
> > > > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> While what you are saying about the
> > > > > > > > > > > > > > >> policies
> > > stores
> > > > is
> > > > > > > true,
> > > > > > > > > > this
> > > > > > > > > > > > > > applies
> > > > > > > > > > > > > > >> to public stores only (as far as I can tell).
> > > > > > > > > > > > > > >> For
> > > > > > > on-premise
> > > > > > > > > app
> > > > > > > > > > > > > stores
> > > > > > > > > > > > > > >> this might be false because each store
> > > > > > > > > > > > > > >> owner need
> > > to
> > > > > set
> > > > > > > and
> > > > > > > > > > apply
> > > > > > > > > > > > the
> > > > > > > > > > > > > > >> governance for the apps. It could end on
> > > > > > > > > > > > > > >> horrible
> > > > > > results
> > > > > > > > due
> > > > > > > > > > to a
> > > > > > > > > > > > bad
> > > > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> I concur with everyone, it is possible
> > > > > > > > > > > > > > >> but awful
> > > > > design
> > > > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão"
> > > > > > > > > > > > > > >> < frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >>> I don't have the details in hand at the
> > > > > > > > > > > > > > >>> moment,
> > > > but I
> > > > > > > > > remember
> > > > > > > > > > > > seeing
> > > > > > > > > > > > > > in
> > > > > > > > > > > > > > >>> more than one application store last
> > > > > > > > > > > > > > >>> year
> > > policies
> > > > > > being
> > > > > > > > > > changed
> > > > > > > > > > > to
> > > > > > > > > > > > > > >>> disallow remote code to run in an
> > > > > > > > > > > > > > >>> application
> > > > > > on-demand.
> > > > > > > > Such
> > > > > > > > > > > rules
> > > > > > > > > > > > > > >> *could*
> > > > > > > > > > > > > > >>> as well be applied to Cordova apps that
> > > > > > > > > > > > > > >>> load
> > > remote
> > > > > > > content
> > > > > > > > > > > > > considered
> > > > > > > > > > > > > > as
> > > > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not
> > > > > > > > > > > > > > >>> only a
> > > > > security
> > > > > > > > > concern
> > > > > > > > > > > per
> > > > > > > > > > > > > se,
> > > > > > > > > > > > > > >> but
> > > > > > > > > > > > > > >>> also an imposed limitation on the stores
> > > > > > > > > > > > > > >>> (which
> > > > were
> > > > > > > > > obviously
> > > > > > > > > > > > > created
> > > > > > > > > > > > > > >> for
> > > > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> Not even mentioning the issues with
> > > > > > > > > > > > > > >>> providing the
> > > > > right
> > > > > > > > > > > cordova.js
> > > > > > > > > > > > > > >> version
> > > > > > > > > > > > > > >>> from the remote server not really
> > > > > > > > > > > > > > >>> knowing where
> > > the
> > > > > > > request
> > > > > > > > > > came
> > > > > > > > > > > > > from.
> > > > > > > > > > > > > > >>> However, it's good to note too that
> > > > > > > > > > > > > > >>> aside
> > > Phonegap
> > > > > > > > Developer
> > > > > > > > > > App,
> > > > > > > > > > > > > there
> > > > > > > > > > > > > > >> is
> > > > > > > > > > > > > > >>> also Adobe Hydration that does the exact
> > > > > > > > > > > > > > >>> same
> > > thing
> > > > > as
> > > > > > a
> > > > > > > > side
> > > > > > > > > > > > service
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > >>> Phonegap Build. I don't know if they've
> > > > > > > > > > > > > > >>> come into
> > > > any
> > > > > > of
> > > > > > > > the
> > > > > > > > > > > issues
> > > > > > > > > > > > > > >>> mentioned, and I haven't even heard of
> > > > > > > > > > > > > > >>> it being
> > > > used
> > > > > in
> > > > > > > > > > > production.
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage
> > > > > > > > > > > > > > >>> <
> > > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > > >:
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>> I agree with all your statements Marcel.
> > > > > > > > > > > > > > >>>> I use
> > > > this
> > > > > > > > approach
> > > > > > > > > > > > > > frequently
> > > > > > > > > > > > > > >>> in
> > > > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > > > >>>> Ultimately App Store policies decide
> > > > > > > > > > > > > > >>>> what can
> > > and
> > > > > > cannot
> > > > > > > > be
> > > > > > > > > > > done.
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>> Regarding security, there is nothing I
> > > > > > > > > > > > > > >>>> can do
> > > > with a
> > > > > > > > remote
> > > > > > > > > > page
> > > > > > > > > > > > > that
> > > > > > > > > > > > > > I
> > > > > > > > > > > > > > >>>> can't already do inside my app. It's an
> > > > > > > > > > > > > > >>>> issue of
> > > > > > trust.
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > > > shazron@gmail.com>
> > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > >>>>> I agree that it is not recommended,
> > > > > > > > > > > > > > >>>>> but it's
> > > > > > possible.
> > > > > > > I
> > > > > > > > > > delved
> > > > > > > > > > > > > into
> > > > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > > > >>>>>
> > > > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > >>>>> The PhoneGap Developer App is an
> > > > > > > > > > > > > > >>>>> example of how
> > > > > this
> > > > > > is
> > > > > > > > > > working
> > > > > > > > > > > > at
> > > > > > > > > > > > > > >>>>> http://app.phonegap.com but they do
> > > > > > > > > > > > > > >>>>> some
> > > > proxying
> > > > > to
> > > > > > > get
> > > > > > > > > > > around
> > > > > > > > > > > > > the
> > > > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM,
> > > > > > > > > > > > > > >>>>>> Marcel
> > > Kinard <
> > > > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > > > >>>>>> I've been getting occasional
> > > > > > > > > > > > > > >>>>>> questions about
> > > > users
> > > > > > > > trying
> > > > > > > > > to
> > > > > > > > > > > use
> > > > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages
> > > > > > > > > > > > > > >>>> with
> > > > Cordova
> > > > > > (in
> > > > > > > > the
> > > > > > > > > > > > webview,
> > > > > > > > > > > > > > >> not
> > > > > > > > > > > > > > >>>> InAppBrowser), and still expecting to
> > > > > > > > > > > > > > >>>> have
> > > access
> > > > to
> > > > > > the
> > > > > > > > > > plugin
> > > > > > > > > > > > APIs
> > > > > > > > > > > > > > >>>> (camera is a popular one). My response
> > > > > > > > > > > > > > >>>> so far
> > > is:
> > > > > > "This
> > > > > > > is
> > > > > > > > > an
> > > > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > > > >>>> configuration, because Cordova was not
> > > > > > > > > > > > > > >>>> designed
> > > > for
> > > > > > this
> > > > > > > > and
> > > > > > > > > > the
> > > > > > > > > > > > > > >>> community
> > > > > > > > > > > > > > >>>> does no testing of this configuration.
> > > > > > > > > > > > > > >>>> While it
> > > > can
> > > > > > work
> > > > > > > > in
> > > > > > > > > > some
> > > > > > > > > > > > > > >>>> circumstances, it is not recommended
> > > > > > > > > > > > > > >>>> nor
> > > > supported."
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> My definition of "unsupported" is not
> > > > > > > > > > > > > > >>>>>> that it
> > > is
> > > > > > > > > incapable,
> > > > > > > > > > > but
> > > > > > > > > > > > > that
> > > > > > > > > > > > > > >>> we
> > > > > > > > > > > > > > >>>> don't claim that it is supposed to
> > > > > > > > > > > > > > >>>> work, and
> > > more
> > > > > > > > > importantly,
> > > > > > > > > > > we
> > > > > > > > > > > > > > won't
> > > > > > > > > > > > > > >>>> actively fix user-submitted defects on
> > > > > > > > > > > > > > >>>> this
> > > topic.
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> The main concern I have on this is
> > > > > > > > > > > > > > >>>>>> same origin
> > > > > > policy,
> > > > > > > > and
> > > > > > > > > > > > > matching
> > > > > > > > > > > > > > >>> the
> > > > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > > > locally-installed
> > > > > > > > native
> > > > > > > > > > > > Cordova
> > > > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on
> > > > > > > > > > > > > > >>>>>> this, or
> > > do
> > > > > you
> > > > > > > > > agree?
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> If you agree, what would you think of
> > > > > > > > > > > > > > >>>>>> a blurb
> > > in
> > > > > > > > > > cordova-docs
> > > > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> --
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> * www.pontoget.com.br
> > > > > > > > > > > > > > >>> <http://www.pontoget.com/>
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead
> > > > > > > > > > > > > Developer - MobDev. | Wizcorp Inc. <
> > > > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > > > > > OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> > > |
> > > > > > > Website
> > > > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > > > https://twitter.com/Wizcorp>
> > > > > > > > |
> > > > > > > > > > > > > Facebook
> > > > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Carlos Santana
> > > > > > > > > <cs...@gmail.com>
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead Developer -
> > > > > > > > MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > OPEN-SOURCE
> > > > > > > > WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > > > <http://www.wizcorp.jp/> | Twitter
> > > > > > > > <https://twitter.com/Wizcorp>
> > > |
> > > > > > > > Facebook
> > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Carlos Santana
> > > > > > <cs...@gmail.com>
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Carlos Santana
> > > > <cs...@gmail.com>
> > > >
> > >
> > >
> > >
> > > --
> > > Timothy Kim
> > >
> >
>
Re: remotely loaded pages
Posted by Brian LeRoux <b...@brian.io>.
yea, agreed, tho I think Service Worker will be the spec we track/implement
if necessary
On Wed, Sep 3, 2014 at 2:49 PM, Chuck Lantz <cl...@microsoft.com> wrote:
> Got it. I know it can be used with Windows apps so I incorrectly jumped to
> a conclusion (though there are restrictions there around HTTPS being
> required). I misinterpreted the spellcaster comment about saving to the
> "application cache" to be the appcache. I definitely think this is of
> interest in enterprise scenarios at a minimum.
>
> -Chuck
>
> -----Original Message-----
> From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf Of
> Brian LeRoux
> Sent: Wednesday, September 3, 2014 2:35 PM
> To: dev@cordova.apache.org
> Subject: Re: remotely loaded pages
>
> there is no appcache in webview based apps…unless we implement it as a
> plugin (which we won't b/c appcache is a sort of terrible spec)
>
>
>
>
> On Wed, Sep 3, 2014 at 2:25 PM, Chuck Lantz <cl...@microsoft.com> wrote:
>
> > Out of curiosity, for production use where you presumably want people
> > to take the updates (say because you don't want to keep your web
> > service back-end supporting older versions of your app), wouldn't
> > simply using an offline appcache with a hosted source achieve some of
> > the same goals? At a certain point I suppose you hit size limits if
> > you update all of your app content - iOS maxes out at 10mb I think.
> >
> > -Chuck
> >
> > -----Original Message-----
> > From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf
> > Of Brian LeRoux
> > Sent: Thursday, August 21, 2014 12:15 PM
> > To: dev@cordova.apache.org
> > Subject: Re: remotely loaded pages
> >
> > No apologies! It definitely *is* for dev authoring workflow currently
> > …but given the #'s I think it could be suitable for production
> > runtime. (Sorry I wasn't clear on that.)
> >
> >
> > On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
> >
> > > >
> > > > I wonder how it solves the problems of serving the correct version
> > > > of cordova.js and cordova_plugin.js depending on the version of
> > > > the native code that is installed on the different versions of the
> > > > mobile App in production.
> > >
> > >
> > > When you connect to the IP that's being served by connect-phonegap,
> > > the client will send its device.version and device.platform to the
> > > server. On the server's side, there's a res folder within
> > > connect-phonegap with all the various version and platforms of the
> > > cordova.js, cordova_plugins.js and plugins/.
> > >
> > >
> > > On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
> > >
> > > > Sorry Brian, I thought it was a development time tool to allow for
> > > > fast development cycle associated with PhoneGap Developer App.
> > > >
> > > > I guess they can use it and run the connect-phonegap in a
> > > > production node-js backend system, I wonder how it solves the
> > > > problems of serving
> > > the
> > > > correct version of cordova.js and cordova_plugin.js depending on
> > > > the version of the native code that is installed on the different
> > > > versions of the mobile App in production.
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> > > >
> > > > > totally, though connect-phonegap *could* be considered
> > > > > production
> > > worthy
> > > > > (it is being used significantly by the pg downstream community)
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana
> > > > > <csantana23@gmail.com
> > > >
> > > > > wrote:
> > > > >
> > > > > > Brain I think that's OK at development time everything is fair
> > > > > > game
> > > :-)
> > > > > >
> > > > > > The problem is developers doing stupid things like loading a
> > > cordova.js
> > > > > > from a place they don't know for a in production app being
> > > > > > used by
> > > end
> > > > > > users, that's just kamikaze
> > > > > >
> > > > > > That's OK if they want to shoot themselves in the foot, but
> > > > > > then
> > > don't
> > > > > come
> > > > > > crying to JIRA claiming that is a problem with Cordova project.
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io>
> wrote:
> > > > > >
> > > > > > > phonegap-connect serves up remote cordova.js (negotiates the
> > > > requestor
> > > > > to
> > > > > > > send the right file)
> > > > > > >
> > > > > > > no deaths yet!
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > https://github.com/phonegap/connect-phonegap/blob/master/lib/middlew
> > > ar
> > > e/cordova/cordova.js#L29
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie
> > > > > > > <aogilvie@wizcorp.jp
> > > >
> > > > > > wrote:
> > > > > > >
> > > > > > > > That's a good difference to point out.
> > > > > > > >
> > > > > > > > >My personal position is that scenarios where developer is
> > > > > > > > >in
> > > > control
> > > > > > and
> > > > > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster)
> > > > > > > > >is a
> > > > valid
> > > > > > > > >scenario for Cordova
> > > > > > > >
> > > > > > > > I agree, because as cordova.js and cordovaLib are version
> > > > > > > > linked,
> > > > it
> > > > > > > makes
> > > > > > > > sense that once an index.html is pulled in, it's
> > > > > > > > cordova.js to
> > > load
> > > > > is
> > > > > > > > already in the client application.
> > > > > > > > Loading an external cordova.js would be suicidal. So we
> > > > > > > > save the
> > > > file
> > > > > > > > locally to write into it's <HEAD> our known path to
> > > > > > > > codova.js
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > > > csantana23@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > I want to make clarification there is a notable
> > > > > > > > > difference
> > > > between
> > > > > > > > loading
> > > > > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova
> > > > > > > > > vs. a
> > > > > > > downloaded
> > > > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > > > >
> > > > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2
> > > .0
> > > /com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.
> > > html?locale=en
> > > > > > > > >
> > > > > > > > > The scenario is a download and local load of html/cordova.
> > > > Similar
> > > > > > > > scenario
> > > > > > > > > as spellcaster and appmobi For this scenario there is
> > > > > > > > > control from app developer of the
> > > code
> > > > > > being
> > > > > > > > > loaded.
> > > > > > > > >
> > > > > > > > > What Marcel is asking is a *non-local* load of arbitrary
> > > > html/code
> > > > > > not
> > > > > > > > > control by developer, developer loading a free html page
> > > > > > > > > own
> > > > > someone
> > > > > > > else
> > > > > > > > > and doing kind of a "document.location.replace('
> > > > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > > > >
> > > > > > > > > My personal position is that scenarios where developer
> > > > > > > > > is in
> > > > > control
> > > > > > > and
> > > > > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster)
> > > > > > > > > is a
> > > > valid
> > > > > > > > > scenario for Cordova. loading a random cordova.js
> > > > > > > > > directly
> > > from a
> > > > > > > > non-local
> > > > > > > > > random place not guarantee to be supported.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux
> > > > > > > > > <b...@brian.io>
> > > > wrote:
> > > > > > > > >
> > > > > > > > > > Very much so. So much so, I think we should even
> > > > > > > > > > consider
> > > such
> > > > > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > > > agrieve@chromium.org
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > I think this is a very desired plugin that many end
> > > > > > > > > > > up
> > > > > > re-writing,
> > > > > > > > and
> > > > > > > > > > it's
> > > > > > > > > > > far better than setting the content src directly to
> > > > > > > > > > > a
> > > remote
> > > > > URL.
> > > > > > > > > > >
> > > > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > > > mmocny@chromium.org
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Make it available Ally, of course that sounds
> > > interesting!
> > > > > > > > > > > >
> > > > > > > > > > > > I'm sure a few of us have suggestions for
> > > > > > > > > > > > improvements
> > > too.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > > > aogilvie@wizcorp.jp
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > > > >
> > > > > > > > > > > > > For some games that I produce where the entire
> > > > > > > > > > > > > game is
> > > > > served
> > > > > > > to
> > > > > > > > > the
> > > > > > > > > > > > client
> > > > > > > > > > > > > (requires no .html in the application) we have a
> > > > > > > > > > > > > tool
> > > > > called
> > > > > > > > > > > > "spellcaster".
> > > > > > > > > > > > > Spellcaster handles internet connectivity,
> > > > > > > > > > > > > localisation
> > > > and
> > > > > > > > Cordova
> > > > > > > > > > > code
> > > > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > > > >
> > > > > > > > > > > > > One simply adds an application URL to Cordova's
> > > > config.xml
> > > > > in
> > > > > > > > > > <content
> > > > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > > > >
> > > > > > > > > > > > > - Spellcaster will check for an active internet
> > > > connection.
> > > > > > If
> > > > > > > > one
> > > > > > > > > is
> > > > > > > > > > > not
> > > > > > > > > > > > > found Spellcaster will continue retrying at a
> > > > > > > > > > > > > set
> > > > interval.
> > > > > > > > > > > > > - Spellcaster downloads the content of the
> > > > > > > > > > > > > provided
> > > > > > application
> > > > > > > > URL
> > > > > > > > > > and
> > > > > > > > > > > > > stores to application cache (overriding any
> > > > > > > > > > > > > existing
> > > > > loader).
> > > > > > > > > > > > > - Spellcaster injects Cordova script tags just
> > > > > > > > > > > > > after
> > > the
> > > > > > <head>
> > > > > > > > > tag.
> > > > > > > > > > > > > - Spellcaster loads the new *loader into the
> > > > > > > > > > > > > WebView
> > > > > > > > > > > > >
> > > > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Are people still in need of such a solution? I
> > > > > > > > > > > > > could
> > > have
> > > > > > this
> > > > > > > > code
> > > > > > > > > > > made
> > > > > > > > > > > > > public it just needs a public sanitise check.
> > > Spellcaster
> > > > > > > > supports
> > > > > > > > > > iOS
> > > > > > > > > > > > and
> > > > > > > > > > > > > Android.
> > > > > > > > > > > > > For iOS it requires 1 line of code to be added
> > > > > > > > > > > > > to didFinishLaunchingWithOptions.
> > > > > > > > > > > > > For Android it requires these overrides in
> onCreate:
> > > > > > > > > > > > >
> > > > > > > > > > > > > @Override
> > > > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > > > super.init();
> > > > > > > > > > > > >
> > > > > > > > > > > > > @Override
> > > > > > > > > > > > > public void init() { Spellcaster spellcaster =
> > > > > > > > > > > > > new Spellcaster(); spellcaster.init(this,
> > > > > > > > > > > > > Config.getStartUrl(), appView); ...
> > > > > > > > > > > > >
> > > > > > > > > > > > > @Override
> > > > > > > > > > > > > public void
> > > > > > > > > > > > > init(org.apache.cordova.CordovaWebView
> > > > webView,
> > > > > > > > > > > > >
> > > > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > > > webViewClient,
> > > > > > > > > > > > >
> > > > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > > > webChromeClient)
> > > > > > > > > > {
> > > > > > > > > > > > > super.init(webView, webViewClient,
> > > webChromeClient);
> > > > > > > > > > > > >
> > > > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
> > > > webView);
> > > > > > > > > > > > > ...
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > >
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > > > mhweiner234@gmail.com
> > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > It's technically possible, and even
> > > > > > > > > > > > > > > (arguably)
> > > legal
> > > > > > > > according
> > > > > > > > > to
> > > > > > > > > > > > > Apple's
> > > > > > > > > > > > > > > documentation, depending on the nature of
> > > > > > > > > > > > > > > the code
> > > > and
> > > > > > how
> > > > > > > > it's
> > > > > > > > > > > > > > implemented:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 3.3.2 An Application may not download or
> > > > > > > > > > > > > > > install
> > > > > > executable
> > > > > > > > > code.
> > > > > > > > > > > > > > > Interpreted code may only be used in an
> > > > > > > > > > > > > > > Application
> > > > if
> > > > > > all
> > > > > > > > > > scripts,
> > > > > > > > > > > > > code
> > > > > > > > > > > > > > > and interpreters are packaged in the
> > > > > > > > > > > > > > > Application
> > > and
> > > > > not
> > > > > > > > > > > downloaded.
> > > > > > > > > > > > > The
> > > > > > > > > > > > > > > only exception to the foregoing is scripts
> > > > > > > > > > > > > > > and code
> > > > > > > > downloaded
> > > > > > > > > > and
> > > > > > > > > > > > run
> > > > > > > > > > > > > by
> > > > > > > > > > > > > > > Apple's built-in WebKit framework, provided
> > > > > > > > > > > > > > > that
> > > such
> > > > > > > scripts
> > > > > > > > > and
> > > > > > > > > > > > code
> > > > > > > > > > > > > do
> > > > > > > > > > > > > > > not change the primary purpose of the
> > > > > > > > > > > > > > > Application
> > > by
> > > > > > > > providing
> > > > > > > > > > > > features
> > > > > > > > > > > > > > or
> > > > > > > > > > > > > > > functionality that are inconsistent with the
> > > intended
> > > > > and
> > > > > > > > > > > advertised
> > > > > > > > > > > > > > > purpose of the Application as submitted to
> > > > > > > > > > > > > > > the App
> > > > > Store.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > However, I would only do so if the code is
> > > > > > > > > > > > > > > coming
> > > > from
> > > > > a
> > > > > > > > server
> > > > > > > > > > > that
> > > > > > > > > > > > > you
> > > > > > > > > > > > > > > control, and if you are able to control what
> > > > > > > > > > > > > > > code
> > > is
> > > > > > > getting
> > > > > > > > > > > > executed.
> > > > > > > > > > > > > > > Loading in 3rd party, unverified scripts
> > > > > > > > > > > > > > > into your
> > > > > > Cordova
> > > > > > > > view
> > > > > > > > > > is
> > > > > > > > > > > a
> > > > > > > > > > > > > big
> > > > > > > > > > > > > > > "no-no" for security reasons, and could get
> > > > > > > > > > > > > > > your
> > > app
> > > > > > > delisted
> > > > > > > > > (or
> > > > > > > > > > > > > > rejected).
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > If anyone else has more information on the
> > > > > > > > > > > > > > > topic,
> > > I'd
> > > > > be
> > > > > > > > > > interested
> > > > > > > > > > > > in
> > > > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Marc
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa
> > > > > > > > > > > > > > >> <
> > > > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> While what you are saying about the
> > > > > > > > > > > > > > >> policies
> > > stores
> > > > is
> > > > > > > true,
> > > > > > > > > > this
> > > > > > > > > > > > > > applies
> > > > > > > > > > > > > > >> to public stores only (as far as I can tell).
> > > > > > > > > > > > > > >> For
> > > > > > > on-premise
> > > > > > > > > app
> > > > > > > > > > > > > stores
> > > > > > > > > > > > > > >> this might be false because each store
> > > > > > > > > > > > > > >> owner need
> > > to
> > > > > set
> > > > > > > and
> > > > > > > > > > apply
> > > > > > > > > > > > the
> > > > > > > > > > > > > > >> governance for the apps. It could end on
> > > > > > > > > > > > > > >> horrible
> > > > > > results
> > > > > > > > due
> > > > > > > > > > to a
> > > > > > > > > > > > bad
> > > > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> I concur with everyone, it is possible but
> > > > > > > > > > > > > > >> awful
> > > > > design
> > > > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão"
> > > > > > > > > > > > > > >> < frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >>> I don't have the details in hand at the
> > > > > > > > > > > > > > >>> moment,
> > > > but I
> > > > > > > > > remember
> > > > > > > > > > > > seeing
> > > > > > > > > > > > > > in
> > > > > > > > > > > > > > >>> more than one application store last year
> > > policies
> > > > > > being
> > > > > > > > > > changed
> > > > > > > > > > > to
> > > > > > > > > > > > > > >>> disallow remote code to run in an
> > > > > > > > > > > > > > >>> application
> > > > > > on-demand.
> > > > > > > > Such
> > > > > > > > > > > rules
> > > > > > > > > > > > > > >> *could*
> > > > > > > > > > > > > > >>> as well be applied to Cordova apps that
> > > > > > > > > > > > > > >>> load
> > > remote
> > > > > > > content
> > > > > > > > > > > > > considered
> > > > > > > > > > > > > > as
> > > > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not
> > > > > > > > > > > > > > >>> only a
> > > > > security
> > > > > > > > > concern
> > > > > > > > > > > per
> > > > > > > > > > > > > se,
> > > > > > > > > > > > > > >> but
> > > > > > > > > > > > > > >>> also an imposed limitation on the stores
> > > > > > > > > > > > > > >>> (which
> > > > were
> > > > > > > > > obviously
> > > > > > > > > > > > > created
> > > > > > > > > > > > > > >> for
> > > > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> Not even mentioning the issues with
> > > > > > > > > > > > > > >>> providing the
> > > > > right
> > > > > > > > > > > cordova.js
> > > > > > > > > > > > > > >> version
> > > > > > > > > > > > > > >>> from the remote server not really knowing
> > > > > > > > > > > > > > >>> where
> > > the
> > > > > > > request
> > > > > > > > > > came
> > > > > > > > > > > > > from.
> > > > > > > > > > > > > > >>> However, it's good to note too that aside
> > > Phonegap
> > > > > > > > Developer
> > > > > > > > > > App,
> > > > > > > > > > > > > there
> > > > > > > > > > > > > > >> is
> > > > > > > > > > > > > > >>> also Adobe Hydration that does the exact
> > > > > > > > > > > > > > >>> same
> > > thing
> > > > > as
> > > > > > a
> > > > > > > > side
> > > > > > > > > > > > service
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > >>> Phonegap Build. I don't know if they've
> > > > > > > > > > > > > > >>> come into
> > > > any
> > > > > > of
> > > > > > > > the
> > > > > > > > > > > issues
> > > > > > > > > > > > > > >>> mentioned, and I haven't even heard of it
> > > > > > > > > > > > > > >>> being
> > > > used
> > > > > in
> > > > > > > > > > > production.
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > > >:
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>> I agree with all your statements Marcel.
> > > > > > > > > > > > > > >>>> I use
> > > > this
> > > > > > > > approach
> > > > > > > > > > > > > > frequently
> > > > > > > > > > > > > > >>> in
> > > > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > > > >>>> Ultimately App Store policies decide what
> > > > > > > > > > > > > > >>>> can
> > > and
> > > > > > cannot
> > > > > > > > be
> > > > > > > > > > > done.
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>> Regarding security, there is nothing I
> > > > > > > > > > > > > > >>>> can do
> > > > with a
> > > > > > > > remote
> > > > > > > > > > page
> > > > > > > > > > > > > that
> > > > > > > > > > > > > > I
> > > > > > > > > > > > > > >>>> can't already do inside my app. It's an
> > > > > > > > > > > > > > >>>> issue of
> > > > > > trust.
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > > > shazron@gmail.com>
> > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > >>>>> I agree that it is not recommended, but
> > > > > > > > > > > > > > >>>>> it's
> > > > > > possible.
> > > > > > > I
> > > > > > > > > > delved
> > > > > > > > > > > > > into
> > > > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > > > >>>>>
> > > > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > >>>>> The PhoneGap Developer App is an example
> > > > > > > > > > > > > > >>>>> of how
> > > > > this
> > > > > > is
> > > > > > > > > > working
> > > > > > > > > > > > at
> > > > > > > > > > > > > > >>>>> http://app.phonegap.com but they do some
> > > > proxying
> > > > > to
> > > > > > > get
> > > > > > > > > > > around
> > > > > > > > > > > > > the
> > > > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel
> > > Kinard <
> > > > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > > > >>>>>> I've been getting occasional questions
> > > > > > > > > > > > > > >>>>>> about
> > > > users
> > > > > > > > trying
> > > > > > > > > to
> > > > > > > > > > > use
> > > > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages
> > > > > > > > > > > > > > >>>> with
> > > > Cordova
> > > > > > (in
> > > > > > > > the
> > > > > > > > > > > > webview,
> > > > > > > > > > > > > > >> not
> > > > > > > > > > > > > > >>>> InAppBrowser), and still expecting to
> > > > > > > > > > > > > > >>>> have
> > > access
> > > > to
> > > > > > the
> > > > > > > > > > plugin
> > > > > > > > > > > > APIs
> > > > > > > > > > > > > > >>>> (camera is a popular one). My response so
> > > > > > > > > > > > > > >>>> far
> > > is:
> > > > > > "This
> > > > > > > is
> > > > > > > > > an
> > > > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > > > >>>> configuration, because Cordova was not
> > > > > > > > > > > > > > >>>> designed
> > > > for
> > > > > > this
> > > > > > > > and
> > > > > > > > > > the
> > > > > > > > > > > > > > >>> community
> > > > > > > > > > > > > > >>>> does no testing of this configuration.
> > > > > > > > > > > > > > >>>> While it
> > > > can
> > > > > > work
> > > > > > > > in
> > > > > > > > > > some
> > > > > > > > > > > > > > >>>> circumstances, it is not recommended nor
> > > > supported."
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> My definition of "unsupported" is not
> > > > > > > > > > > > > > >>>>>> that it
> > > is
> > > > > > > > > incapable,
> > > > > > > > > > > but
> > > > > > > > > > > > > that
> > > > > > > > > > > > > > >>> we
> > > > > > > > > > > > > > >>>> don't claim that it is supposed to work,
> > > > > > > > > > > > > > >>>> and
> > > more
> > > > > > > > > importantly,
> > > > > > > > > > > we
> > > > > > > > > > > > > > won't
> > > > > > > > > > > > > > >>>> actively fix user-submitted defects on
> > > > > > > > > > > > > > >>>> this
> > > topic.
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> The main concern I have on this is same
> > > > > > > > > > > > > > >>>>>> origin
> > > > > > policy,
> > > > > > > > and
> > > > > > > > > > > > > matching
> > > > > > > > > > > > > > >>> the
> > > > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > > > locally-installed
> > > > > > > > native
> > > > > > > > > > > > Cordova
> > > > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on
> > > > > > > > > > > > > > >>>>>> this, or
> > > do
> > > > > you
> > > > > > > > > agree?
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> If you agree, what would you think of a
> > > > > > > > > > > > > > >>>>>> blurb
> > > in
> > > > > > > > > > cordova-docs
> > > > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> --
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > > > >>>
> > > > > > > > > > > > > > >>> * www.pontoget.com.br
> > > > > > > > > > > > > > >>> <http://www.pontoget.com/>
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead
> > > > > > > > > > > > > Developer - MobDev. | Wizcorp Inc. <
> > > > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > > > > > OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> > > |
> > > > > > > Website
> > > > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > > > https://twitter.com/Wizcorp>
> > > > > > > > |
> > > > > > > > > > > > > Facebook
> > > > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Carlos Santana
> > > > > > > > > <cs...@gmail.com>
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead Developer -
> > > > > > > > MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > > ------------------------------ TECH . GAMING . OPEN-SOURCE
> > > > > > > > WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > > > <http://www.wizcorp.jp/> | Twitter
> > > > > > > > <https://twitter.com/Wizcorp>
> > > |
> > > > > > > > Facebook
> > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Carlos Santana
> > > > > > <cs...@gmail.com>
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Carlos Santana
> > > > <cs...@gmail.com>
> > > >
> > >
> > >
> > >
> > > --
> > > Timothy Kim
> > >
> >
>
RE: remotely loaded pages
Posted by Chuck Lantz <cl...@microsoft.com>.
Got it. I know it can be used with Windows apps so I incorrectly jumped to a conclusion (though there are restrictions there around HTTPS being required). I misinterpreted the spellcaster comment about saving to the "application cache" to be the appcache. I definitely think this is of interest in enterprise scenarios at a minimum.
-Chuck
-----Original Message-----
From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf Of Brian LeRoux
Sent: Wednesday, September 3, 2014 2:35 PM
To: dev@cordova.apache.org
Subject: Re: remotely loaded pages
there is no appcache in webview based apps…unless we implement it as a plugin (which we won't b/c appcache is a sort of terrible spec)
On Wed, Sep 3, 2014 at 2:25 PM, Chuck Lantz <cl...@microsoft.com> wrote:
> Out of curiosity, for production use where you presumably want people
> to take the updates (say because you don't want to keep your web
> service back-end supporting older versions of your app), wouldn't
> simply using an offline appcache with a hosted source achieve some of
> the same goals? At a certain point I suppose you hit size limits if
> you update all of your app content - iOS maxes out at 10mb I think.
>
> -Chuck
>
> -----Original Message-----
> From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf
> Of Brian LeRoux
> Sent: Thursday, August 21, 2014 12:15 PM
> To: dev@cordova.apache.org
> Subject: Re: remotely loaded pages
>
> No apologies! It definitely *is* for dev authoring workflow currently
> …but given the #'s I think it could be suitable for production
> runtime. (Sorry I wasn't clear on that.)
>
>
> On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
>
> > >
> > > I wonder how it solves the problems of serving the correct version
> > > of cordova.js and cordova_plugin.js depending on the version of
> > > the native code that is installed on the different versions of the
> > > mobile App in production.
> >
> >
> > When you connect to the IP that's being served by connect-phonegap,
> > the client will send its device.version and device.platform to the
> > server. On the server's side, there's a res folder within
> > connect-phonegap with all the various version and platforms of the
> > cordova.js, cordova_plugins.js and plugins/.
> >
> >
> > On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
> >
> > > Sorry Brian, I thought it was a development time tool to allow for
> > > fast development cycle associated with PhoneGap Developer App.
> > >
> > > I guess they can use it and run the connect-phonegap in a
> > > production node-js backend system, I wonder how it solves the
> > > problems of serving
> > the
> > > correct version of cordova.js and cordova_plugin.js depending on
> > > the version of the native code that is installed on the different
> > > versions of the mobile App in production.
> > >
> > >
> > >
> > >
> > > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> > >
> > > > totally, though connect-phonegap *could* be considered
> > > > production
> > worthy
> > > > (it is being used significantly by the pg downstream community)
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana
> > > > <csantana23@gmail.com
> > >
> > > > wrote:
> > > >
> > > > > Brain I think that's OK at development time everything is fair
> > > > > game
> > :-)
> > > > >
> > > > > The problem is developers doing stupid things like loading a
> > cordova.js
> > > > > from a place they don't know for a in production app being
> > > > > used by
> > end
> > > > > users, that's just kamikaze
> > > > >
> > > > > That's OK if they want to shoot themselves in the foot, but
> > > > > then
> > don't
> > > > come
> > > > > crying to JIRA claiming that is a problem with Cordova project.
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> > > > >
> > > > > > phonegap-connect serves up remote cordova.js (negotiates the
> > > requestor
> > > > to
> > > > > > send the right file)
> > > > > >
> > > > > > no deaths yet!
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > https://github.com/phonegap/connect-phonegap/blob/master/lib/middlew
> > ar
> > e/cordova/cordova.js#L29
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie
> > > > > > <aogilvie@wizcorp.jp
> > >
> > > > > wrote:
> > > > > >
> > > > > > > That's a good difference to point out.
> > > > > > >
> > > > > > > >My personal position is that scenarios where developer is
> > > > > > > >in
> > > control
> > > > > and
> > > > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster)
> > > > > > > >is a
> > > valid
> > > > > > > >scenario for Cordova
> > > > > > >
> > > > > > > I agree, because as cordova.js and cordovaLib are version
> > > > > > > linked,
> > > it
> > > > > > makes
> > > > > > > sense that once an index.html is pulled in, it's
> > > > > > > cordova.js to
> > load
> > > > is
> > > > > > > already in the client application.
> > > > > > > Loading an external cordova.js would be suicidal. So we
> > > > > > > save the
> > > file
> > > > > > > locally to write into it's <HEAD> our known path to
> > > > > > > codova.js
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > > csantana23@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I want to make clarification there is a notable
> > > > > > > > difference
> > > between
> > > > > > > loading
> > > > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova
> > > > > > > > vs. a
> > > > > > downloaded
> > > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > > >
> > > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2
> > .0
> > /com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.
> > html?locale=en
> > > > > > > >
> > > > > > > > The scenario is a download and local load of html/cordova.
> > > Similar
> > > > > > > scenario
> > > > > > > > as spellcaster and appmobi For this scenario there is
> > > > > > > > control from app developer of the
> > code
> > > > > being
> > > > > > > > loaded.
> > > > > > > >
> > > > > > > > What Marcel is asking is a *non-local* load of arbitrary
> > > html/code
> > > > > not
> > > > > > > > control by developer, developer loading a free html page
> > > > > > > > own
> > > > someone
> > > > > > else
> > > > > > > > and doing kind of a "document.location.replace('
> > > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > > >
> > > > > > > > My personal position is that scenarios where developer
> > > > > > > > is in
> > > > control
> > > > > > and
> > > > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster)
> > > > > > > > is a
> > > valid
> > > > > > > > scenario for Cordova. loading a random cordova.js
> > > > > > > > directly
> > from a
> > > > > > > non-local
> > > > > > > > random place not guarantee to be supported.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux
> > > > > > > > <b...@brian.io>
> > > wrote:
> > > > > > > >
> > > > > > > > > Very much so. So much so, I think we should even
> > > > > > > > > consider
> > such
> > > > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > > agrieve@chromium.org
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > I think this is a very desired plugin that many end
> > > > > > > > > > up
> > > > > re-writing,
> > > > > > > and
> > > > > > > > > it's
> > > > > > > > > > far better than setting the content src directly to
> > > > > > > > > > a
> > remote
> > > > URL.
> > > > > > > > > >
> > > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > > mmocny@chromium.org
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Make it available Ally, of course that sounds
> > interesting!
> > > > > > > > > > >
> > > > > > > > > > > I'm sure a few of us have suggestions for
> > > > > > > > > > > improvements
> > too.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > > aogilvie@wizcorp.jp
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > > >
> > > > > > > > > > > > For some games that I produce where the entire
> > > > > > > > > > > > game is
> > > > served
> > > > > > to
> > > > > > > > the
> > > > > > > > > > > client
> > > > > > > > > > > > (requires no .html in the application) we have a
> > > > > > > > > > > > tool
> > > > called
> > > > > > > > > > > "spellcaster".
> > > > > > > > > > > > Spellcaster handles internet connectivity,
> > > > > > > > > > > > localisation
> > > and
> > > > > > > Cordova
> > > > > > > > > > code
> > > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > > >
> > > > > > > > > > > > One simply adds an application URL to Cordova's
> > > config.xml
> > > > in
> > > > > > > > > <content
> > > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > > >
> > > > > > > > > > > > - Spellcaster will check for an active internet
> > > connection.
> > > > > If
> > > > > > > one
> > > > > > > > is
> > > > > > > > > > not
> > > > > > > > > > > > found Spellcaster will continue retrying at a
> > > > > > > > > > > > set
> > > interval.
> > > > > > > > > > > > - Spellcaster downloads the content of the
> > > > > > > > > > > > provided
> > > > > application
> > > > > > > URL
> > > > > > > > > and
> > > > > > > > > > > > stores to application cache (overriding any
> > > > > > > > > > > > existing
> > > > loader).
> > > > > > > > > > > > - Spellcaster injects Cordova script tags just
> > > > > > > > > > > > after
> > the
> > > > > <head>
> > > > > > > > tag.
> > > > > > > > > > > > - Spellcaster loads the new *loader into the
> > > > > > > > > > > > WebView
> > > > > > > > > > > >
> > > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > > >
> > > > > > > > > > > > Are people still in need of such a solution? I
> > > > > > > > > > > > could
> > have
> > > > > this
> > > > > > > code
> > > > > > > > > > made
> > > > > > > > > > > > public it just needs a public sanitise check.
> > Spellcaster
> > > > > > > supports
> > > > > > > > > iOS
> > > > > > > > > > > and
> > > > > > > > > > > > Android.
> > > > > > > > > > > > For iOS it requires 1 line of code to be added
> > > > > > > > > > > > to didFinishLaunchingWithOptions.
> > > > > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > > > > >
> > > > > > > > > > > > @Override
> > > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > > super.init();
> > > > > > > > > > > >
> > > > > > > > > > > > @Override
> > > > > > > > > > > > public void init() { Spellcaster spellcaster =
> > > > > > > > > > > > new Spellcaster(); spellcaster.init(this,
> > > > > > > > > > > > Config.getStartUrl(), appView); ...
> > > > > > > > > > > >
> > > > > > > > > > > > @Override
> > > > > > > > > > > > public void
> > > > > > > > > > > > init(org.apache.cordova.CordovaWebView
> > > webView,
> > > > > > > > > > > >
> > > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > > webViewClient,
> > > > > > > > > > > >
> > > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > > webChromeClient)
> > > > > > > > > {
> > > > > > > > > > > > super.init(webView, webViewClient,
> > webChromeClient);
> > > > > > > > > > > >
> > > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
> > > webView);
> > > > > > > > > > > > ...
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > > >
> > > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > > mhweiner234@gmail.com
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > It's technically possible, and even
> > > > > > > > > > > > > > (arguably)
> > legal
> > > > > > > according
> > > > > > > > to
> > > > > > > > > > > > Apple's
> > > > > > > > > > > > > > documentation, depending on the nature of
> > > > > > > > > > > > > > the code
> > > and
> > > > > how
> > > > > > > it's
> > > > > > > > > > > > > implemented:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 3.3.2 An Application may not download or
> > > > > > > > > > > > > > install
> > > > > executable
> > > > > > > > code.
> > > > > > > > > > > > > > Interpreted code may only be used in an
> > > > > > > > > > > > > > Application
> > > if
> > > > > all
> > > > > > > > > scripts,
> > > > > > > > > > > > code
> > > > > > > > > > > > > > and interpreters are packaged in the
> > > > > > > > > > > > > > Application
> > and
> > > > not
> > > > > > > > > > downloaded.
> > > > > > > > > > > > The
> > > > > > > > > > > > > > only exception to the foregoing is scripts
> > > > > > > > > > > > > > and code
> > > > > > > downloaded
> > > > > > > > > and
> > > > > > > > > > > run
> > > > > > > > > > > > by
> > > > > > > > > > > > > > Apple's built-in WebKit framework, provided
> > > > > > > > > > > > > > that
> > such
> > > > > > scripts
> > > > > > > > and
> > > > > > > > > > > code
> > > > > > > > > > > > do
> > > > > > > > > > > > > > not change the primary purpose of the
> > > > > > > > > > > > > > Application
> > by
> > > > > > > providing
> > > > > > > > > > > features
> > > > > > > > > > > > > or
> > > > > > > > > > > > > > functionality that are inconsistent with the
> > intended
> > > > and
> > > > > > > > > > advertised
> > > > > > > > > > > > > > purpose of the Application as submitted to
> > > > > > > > > > > > > > the App
> > > > Store.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > However, I would only do so if the code is
> > > > > > > > > > > > > > coming
> > > from
> > > > a
> > > > > > > server
> > > > > > > > > > that
> > > > > > > > > > > > you
> > > > > > > > > > > > > > control, and if you are able to control what
> > > > > > > > > > > > > > code
> > is
> > > > > > getting
> > > > > > > > > > > executed.
> > > > > > > > > > > > > > Loading in 3rd party, unverified scripts
> > > > > > > > > > > > > > into your
> > > > > Cordova
> > > > > > > view
> > > > > > > > > is
> > > > > > > > > > a
> > > > > > > > > > > > big
> > > > > > > > > > > > > > "no-no" for security reasons, and could get
> > > > > > > > > > > > > > your
> > app
> > > > > > delisted
> > > > > > > > (or
> > > > > > > > > > > > > rejected).
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If anyone else has more information on the
> > > > > > > > > > > > > > topic,
> > I'd
> > > > be
> > > > > > > > > interested
> > > > > > > > > > > in
> > > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Marc
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa
> > > > > > > > > > > > > >> <
> > > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > > >
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> While what you are saying about the
> > > > > > > > > > > > > >> policies
> > stores
> > > is
> > > > > > true,
> > > > > > > > > this
> > > > > > > > > > > > > applies
> > > > > > > > > > > > > >> to public stores only (as far as I can tell).
> > > > > > > > > > > > > >> For
> > > > > > on-premise
> > > > > > > > app
> > > > > > > > > > > > stores
> > > > > > > > > > > > > >> this might be false because each store
> > > > > > > > > > > > > >> owner need
> > to
> > > > set
> > > > > > and
> > > > > > > > > apply
> > > > > > > > > > > the
> > > > > > > > > > > > > >> governance for the apps. It could end on
> > > > > > > > > > > > > >> horrible
> > > > > results
> > > > > > > due
> > > > > > > > > to a
> > > > > > > > > > > bad
> > > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> I concur with everyone, it is possible but
> > > > > > > > > > > > > >> awful
> > > > design
> > > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão"
> > > > > > > > > > > > > >> < frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >>> I don't have the details in hand at the
> > > > > > > > > > > > > >>> moment,
> > > but I
> > > > > > > > remember
> > > > > > > > > > > seeing
> > > > > > > > > > > > > in
> > > > > > > > > > > > > >>> more than one application store last year
> > policies
> > > > > being
> > > > > > > > > changed
> > > > > > > > > > to
> > > > > > > > > > > > > >>> disallow remote code to run in an
> > > > > > > > > > > > > >>> application
> > > > > on-demand.
> > > > > > > Such
> > > > > > > > > > rules
> > > > > > > > > > > > > >> *could*
> > > > > > > > > > > > > >>> as well be applied to Cordova apps that
> > > > > > > > > > > > > >>> load
> > remote
> > > > > > content
> > > > > > > > > > > > considered
> > > > > > > > > > > > > as
> > > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not
> > > > > > > > > > > > > >>> only a
> > > > security
> > > > > > > > concern
> > > > > > > > > > per
> > > > > > > > > > > > se,
> > > > > > > > > > > > > >> but
> > > > > > > > > > > > > >>> also an imposed limitation on the stores
> > > > > > > > > > > > > >>> (which
> > > were
> > > > > > > > obviously
> > > > > > > > > > > > created
> > > > > > > > > > > > > >> for
> > > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> Not even mentioning the issues with
> > > > > > > > > > > > > >>> providing the
> > > > right
> > > > > > > > > > cordova.js
> > > > > > > > > > > > > >> version
> > > > > > > > > > > > > >>> from the remote server not really knowing
> > > > > > > > > > > > > >>> where
> > the
> > > > > > request
> > > > > > > > > came
> > > > > > > > > > > > from.
> > > > > > > > > > > > > >>> However, it's good to note too that aside
> > Phonegap
> > > > > > > Developer
> > > > > > > > > App,
> > > > > > > > > > > > there
> > > > > > > > > > > > > >> is
> > > > > > > > > > > > > >>> also Adobe Hydration that does the exact
> > > > > > > > > > > > > >>> same
> > thing
> > > > as
> > > > > a
> > > > > > > side
> > > > > > > > > > > service
> > > > > > > > > > > > > to
> > > > > > > > > > > > > >>> Phonegap Build. I don't know if they've
> > > > > > > > > > > > > >>> come into
> > > any
> > > > > of
> > > > > > > the
> > > > > > > > > > issues
> > > > > > > > > > > > > >>> mentioned, and I haven't even heard of it
> > > > > > > > > > > > > >>> being
> > > used
> > > > in
> > > > > > > > > > production.
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > >:
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>> I agree with all your statements Marcel.
> > > > > > > > > > > > > >>>> I use
> > > this
> > > > > > > approach
> > > > > > > > > > > > > frequently
> > > > > > > > > > > > > >>> in
> > > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > > >>>> Ultimately App Store policies decide what
> > > > > > > > > > > > > >>>> can
> > and
> > > > > cannot
> > > > > > > be
> > > > > > > > > > done.
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>> Regarding security, there is nothing I
> > > > > > > > > > > > > >>>> can do
> > > with a
> > > > > > > remote
> > > > > > > > > page
> > > > > > > > > > > > that
> > > > > > > > > > > > > I
> > > > > > > > > > > > > >>>> can't already do inside my app. It's an
> > > > > > > > > > > > > >>>> issue of
> > > > > trust.
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > > shazron@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > >>>>> I agree that it is not recommended, but
> > > > > > > > > > > > > >>>>> it's
> > > > > possible.
> > > > > > I
> > > > > > > > > delved
> > > > > > > > > > > > into
> > > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > > >>>>>
> > > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > >>>>> The PhoneGap Developer App is an example
> > > > > > > > > > > > > >>>>> of how
> > > > this
> > > > > is
> > > > > > > > > working
> > > > > > > > > > > at
> > > > > > > > > > > > > >>>>> http://app.phonegap.com but they do some
> > > proxying
> > > > to
> > > > > > get
> > > > > > > > > > around
> > > > > > > > > > > > the
> > > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel
> > Kinard <
> > > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > > >>>>>> I've been getting occasional questions
> > > > > > > > > > > > > >>>>>> about
> > > users
> > > > > > > trying
> > > > > > > > to
> > > > > > > > > > use
> > > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages
> > > > > > > > > > > > > >>>> with
> > > Cordova
> > > > > (in
> > > > > > > the
> > > > > > > > > > > webview,
> > > > > > > > > > > > > >> not
> > > > > > > > > > > > > >>>> InAppBrowser), and still expecting to
> > > > > > > > > > > > > >>>> have
> > access
> > > to
> > > > > the
> > > > > > > > > plugin
> > > > > > > > > > > APIs
> > > > > > > > > > > > > >>>> (camera is a popular one). My response so
> > > > > > > > > > > > > >>>> far
> > is:
> > > > > "This
> > > > > > is
> > > > > > > > an
> > > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > > >>>> configuration, because Cordova was not
> > > > > > > > > > > > > >>>> designed
> > > for
> > > > > this
> > > > > > > and
> > > > > > > > > the
> > > > > > > > > > > > > >>> community
> > > > > > > > > > > > > >>>> does no testing of this configuration.
> > > > > > > > > > > > > >>>> While it
> > > can
> > > > > work
> > > > > > > in
> > > > > > > > > some
> > > > > > > > > > > > > >>>> circumstances, it is not recommended nor
> > > supported."
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> My definition of "unsupported" is not
> > > > > > > > > > > > > >>>>>> that it
> > is
> > > > > > > > incapable,
> > > > > > > > > > but
> > > > > > > > > > > > that
> > > > > > > > > > > > > >>> we
> > > > > > > > > > > > > >>>> don't claim that it is supposed to work,
> > > > > > > > > > > > > >>>> and
> > more
> > > > > > > > importantly,
> > > > > > > > > > we
> > > > > > > > > > > > > won't
> > > > > > > > > > > > > >>>> actively fix user-submitted defects on
> > > > > > > > > > > > > >>>> this
> > topic.
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> The main concern I have on this is same
> > > > > > > > > > > > > >>>>>> origin
> > > > > policy,
> > > > > > > and
> > > > > > > > > > > > matching
> > > > > > > > > > > > > >>> the
> > > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > > locally-installed
> > > > > > > native
> > > > > > > > > > > Cordova
> > > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on
> > > > > > > > > > > > > >>>>>> this, or
> > do
> > > > you
> > > > > > > > agree?
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> If you agree, what would you think of a
> > > > > > > > > > > > > >>>>>> blurb
> > in
> > > > > > > > > cordova-docs
> > > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> --
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> * www.pontoget.com.br
> > > > > > > > > > > > > >>> <http://www.pontoget.com/>
> > > > > > > > > > > > > >>
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead
> > > > > > > > > > > > Developer - MobDev. | Wizcorp Inc. <
> > > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > > > > OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> > |
> > > > > > Website
> > > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > > https://twitter.com/Wizcorp>
> > > > > > > |
> > > > > > > > > > > > Facebook
> > > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Carlos Santana
> > > > > > > > <cs...@gmail.com>
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead Developer -
> > > > > > > MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > ------------------------------ TECH . GAMING . OPEN-SOURCE
> > > > > > > WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > > <http://www.wizcorp.jp/> | Twitter
> > > > > > > <https://twitter.com/Wizcorp>
> > |
> > > > > > > Facebook
> > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Carlos Santana
> > > > > <cs...@gmail.com>
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <cs...@gmail.com>
> > >
> >
> >
> >
> > --
> > Timothy Kim
> >
>
Re: remotely loaded pages
Posted by Brian LeRoux <b...@brian.io>.
there is no appcache in webview based apps…unless we implement it as a
plugin (which we won't b/c appcache is a sort of terrible spec)
On Wed, Sep 3, 2014 at 2:25 PM, Chuck Lantz <cl...@microsoft.com> wrote:
> Out of curiosity, for production use where you presumably want people to
> take the updates (say because you don't want to keep your web service
> back-end supporting older versions of your app), wouldn't simply using an
> offline appcache with a hosted source achieve some of the same goals? At a
> certain point I suppose you hit size limits if you update all of your app
> content - iOS maxes out at 10mb I think.
>
> -Chuck
>
> -----Original Message-----
> From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf Of
> Brian LeRoux
> Sent: Thursday, August 21, 2014 12:15 PM
> To: dev@cordova.apache.org
> Subject: Re: remotely loaded pages
>
> No apologies! It definitely *is* for dev authoring workflow currently …but
> given the #'s I think it could be suitable for production runtime. (Sorry I
> wasn't clear on that.)
>
>
> On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
>
> > >
> > > I wonder how it solves the problems of serving the correct version
> > > of cordova.js and cordova_plugin.js depending on the version of the
> > > native code that is installed on the different versions of the
> > > mobile App in production.
> >
> >
> > When you connect to the IP that's being served by connect-phonegap,
> > the client will send its device.version and device.platform to the
> > server. On the server's side, there's a res folder within
> > connect-phonegap with all the various version and platforms of the
> > cordova.js, cordova_plugins.js and plugins/.
> >
> >
> > On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
> >
> > > Sorry Brian, I thought it was a development time tool to allow for
> > > fast development cycle associated with PhoneGap Developer App.
> > >
> > > I guess they can use it and run the connect-phonegap in a production
> > > node-js backend system, I wonder how it solves the problems of
> > > serving
> > the
> > > correct version of cordova.js and cordova_plugin.js depending on the
> > > version of the native code that is installed on the different
> > > versions of the mobile App in production.
> > >
> > >
> > >
> > >
> > > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> > >
> > > > totally, though connect-phonegap *could* be considered production
> > worthy
> > > > (it is being used significantly by the pg downstream community)
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana
> > > > <csantana23@gmail.com
> > >
> > > > wrote:
> > > >
> > > > > Brain I think that's OK at development time everything is fair
> > > > > game
> > :-)
> > > > >
> > > > > The problem is developers doing stupid things like loading a
> > cordova.js
> > > > > from a place they don't know for a in production app being used
> > > > > by
> > end
> > > > > users, that's just kamikaze
> > > > >
> > > > > That's OK if they want to shoot themselves in the foot, but then
> > don't
> > > > come
> > > > > crying to JIRA claiming that is a problem with Cordova project.
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> > > > >
> > > > > > phonegap-connect serves up remote cordova.js (negotiates the
> > > requestor
> > > > to
> > > > > > send the right file)
> > > > > >
> > > > > > no deaths yet!
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > https://github.com/phonegap/connect-phonegap/blob/master/lib/middlewar
> > e/cordova/cordova.js#L29
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie
> > > > > > <aogilvie@wizcorp.jp
> > >
> > > > > wrote:
> > > > > >
> > > > > > > That's a good difference to point out.
> > > > > > >
> > > > > > > >My personal position is that scenarios where developer is
> > > > > > > >in
> > > control
> > > > > and
> > > > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is
> > > > > > > >a
> > > valid
> > > > > > > >scenario for Cordova
> > > > > > >
> > > > > > > I agree, because as cordova.js and cordovaLib are version
> > > > > > > linked,
> > > it
> > > > > > makes
> > > > > > > sense that once an index.html is pulled in, it's cordova.js
> > > > > > > to
> > load
> > > > is
> > > > > > > already in the client application.
> > > > > > > Loading an external cordova.js would be suicidal. So we save
> > > > > > > the
> > > file
> > > > > > > locally to write into it's <HEAD> our known path to
> > > > > > > codova.js
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > > csantana23@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I want to make clarification there is a notable difference
> > > between
> > > > > > > loading
> > > > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova
> > > > > > > > vs. a
> > > > > > downloaded
> > > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > > >
> > > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0
> > /com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.
> > html?locale=en
> > > > > > > >
> > > > > > > > The scenario is a download and local load of html/cordova.
> > > Similar
> > > > > > > scenario
> > > > > > > > as spellcaster and appmobi For this scenario there is
> > > > > > > > control from app developer of the
> > code
> > > > > being
> > > > > > > > loaded.
> > > > > > > >
> > > > > > > > What Marcel is asking is a *non-local* load of arbitrary
> > > html/code
> > > > > not
> > > > > > > > control by developer, developer loading a free html page
> > > > > > > > own
> > > > someone
> > > > > > else
> > > > > > > > and doing kind of a "document.location.replace('
> > > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > > >
> > > > > > > > My personal position is that scenarios where developer is
> > > > > > > > in
> > > > control
> > > > > > and
> > > > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster)
> > > > > > > > is a
> > > valid
> > > > > > > > scenario for Cordova. loading a random cordova.js directly
> > from a
> > > > > > > non-local
> > > > > > > > random place not guarantee to be supported.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux
> > > > > > > > <b...@brian.io>
> > > wrote:
> > > > > > > >
> > > > > > > > > Very much so. So much so, I think we should even
> > > > > > > > > consider
> > such
> > > > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > > agrieve@chromium.org
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > I think this is a very desired plugin that many end up
> > > > > re-writing,
> > > > > > > and
> > > > > > > > > it's
> > > > > > > > > > far better than setting the content src directly to a
> > remote
> > > > URL.
> > > > > > > > > >
> > > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > > mmocny@chromium.org
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Make it available Ally, of course that sounds
> > interesting!
> > > > > > > > > > >
> > > > > > > > > > > I'm sure a few of us have suggestions for
> > > > > > > > > > > improvements
> > too.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > > aogilvie@wizcorp.jp
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > > >
> > > > > > > > > > > > For some games that I produce where the entire
> > > > > > > > > > > > game is
> > > > served
> > > > > > to
> > > > > > > > the
> > > > > > > > > > > client
> > > > > > > > > > > > (requires no .html in the application) we have a
> > > > > > > > > > > > tool
> > > > called
> > > > > > > > > > > "spellcaster".
> > > > > > > > > > > > Spellcaster handles internet connectivity,
> > > > > > > > > > > > localisation
> > > and
> > > > > > > Cordova
> > > > > > > > > > code
> > > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > > >
> > > > > > > > > > > > One simply adds an application URL to Cordova's
> > > config.xml
> > > > in
> > > > > > > > > <content
> > > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > > >
> > > > > > > > > > > > - Spellcaster will check for an active internet
> > > connection.
> > > > > If
> > > > > > > one
> > > > > > > > is
> > > > > > > > > > not
> > > > > > > > > > > > found Spellcaster will continue retrying at a set
> > > interval.
> > > > > > > > > > > > - Spellcaster downloads the content of the
> > > > > > > > > > > > provided
> > > > > application
> > > > > > > URL
> > > > > > > > > and
> > > > > > > > > > > > stores to application cache (overriding any
> > > > > > > > > > > > existing
> > > > loader).
> > > > > > > > > > > > - Spellcaster injects Cordova script tags just
> > > > > > > > > > > > after
> > the
> > > > > <head>
> > > > > > > > tag.
> > > > > > > > > > > > - Spellcaster loads the new *loader into the
> > > > > > > > > > > > WebView
> > > > > > > > > > > >
> > > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > > >
> > > > > > > > > > > > Are people still in need of such a solution? I
> > > > > > > > > > > > could
> > have
> > > > > this
> > > > > > > code
> > > > > > > > > > made
> > > > > > > > > > > > public it just needs a public sanitise check.
> > Spellcaster
> > > > > > > supports
> > > > > > > > > iOS
> > > > > > > > > > > and
> > > > > > > > > > > > Android.
> > > > > > > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > > > > >
> > > > > > > > > > > > @Override
> > > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > > super.init();
> > > > > > > > > > > >
> > > > > > > > > > > > @Override
> > > > > > > > > > > > public void init() { Spellcaster spellcaster = new
> > > > > > > > > > > > Spellcaster(); spellcaster.init(this,
> > > > > > > > > > > > Config.getStartUrl(), appView); ...
> > > > > > > > > > > >
> > > > > > > > > > > > @Override
> > > > > > > > > > > > public void init(org.apache.cordova.CordovaWebView
> > > webView,
> > > > > > > > > > > >
> > > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > > webViewClient,
> > > > > > > > > > > >
> > > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > > webChromeClient)
> > > > > > > > > {
> > > > > > > > > > > > super.init(webView, webViewClient,
> > webChromeClient);
> > > > > > > > > > > >
> > > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
> > > webView);
> > > > > > > > > > > > ...
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > > >
> > > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > > mhweiner234@gmail.com
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > It's technically possible, and even (arguably)
> > legal
> > > > > > > according
> > > > > > > > to
> > > > > > > > > > > > Apple's
> > > > > > > > > > > > > > documentation, depending on the nature of the
> > > > > > > > > > > > > > code
> > > and
> > > > > how
> > > > > > > it's
> > > > > > > > > > > > > implemented:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 3.3.2 An Application may not download or
> > > > > > > > > > > > > > install
> > > > > executable
> > > > > > > > code.
> > > > > > > > > > > > > > Interpreted code may only be used in an
> > > > > > > > > > > > > > Application
> > > if
> > > > > all
> > > > > > > > > scripts,
> > > > > > > > > > > > code
> > > > > > > > > > > > > > and interpreters are packaged in the
> > > > > > > > > > > > > > Application
> > and
> > > > not
> > > > > > > > > > downloaded.
> > > > > > > > > > > > The
> > > > > > > > > > > > > > only exception to the foregoing is scripts and
> > > > > > > > > > > > > > code
> > > > > > > downloaded
> > > > > > > > > and
> > > > > > > > > > > run
> > > > > > > > > > > > by
> > > > > > > > > > > > > > Apple's built-in WebKit framework, provided
> > > > > > > > > > > > > > that
> > such
> > > > > > scripts
> > > > > > > > and
> > > > > > > > > > > code
> > > > > > > > > > > > do
> > > > > > > > > > > > > > not change the primary purpose of the
> > > > > > > > > > > > > > Application
> > by
> > > > > > > providing
> > > > > > > > > > > features
> > > > > > > > > > > > > or
> > > > > > > > > > > > > > functionality that are inconsistent with the
> > intended
> > > > and
> > > > > > > > > > advertised
> > > > > > > > > > > > > > purpose of the Application as submitted to the
> > > > > > > > > > > > > > App
> > > > Store.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > However, I would only do so if the code is
> > > > > > > > > > > > > > coming
> > > from
> > > > a
> > > > > > > server
> > > > > > > > > > that
> > > > > > > > > > > > you
> > > > > > > > > > > > > > control, and if you are able to control what
> > > > > > > > > > > > > > code
> > is
> > > > > > getting
> > > > > > > > > > > executed.
> > > > > > > > > > > > > > Loading in 3rd party, unverified scripts into
> > > > > > > > > > > > > > your
> > > > > Cordova
> > > > > > > view
> > > > > > > > > is
> > > > > > > > > > a
> > > > > > > > > > > > big
> > > > > > > > > > > > > > "no-no" for security reasons, and could get
> > > > > > > > > > > > > > your
> > app
> > > > > > delisted
> > > > > > > > (or
> > > > > > > > > > > > > rejected).
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If anyone else has more information on the
> > > > > > > > > > > > > > topic,
> > I'd
> > > > be
> > > > > > > > > interested
> > > > > > > > > > > in
> > > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Marc
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > > >
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> While what you are saying about the policies
> > stores
> > > is
> > > > > > true,
> > > > > > > > > this
> > > > > > > > > > > > > applies
> > > > > > > > > > > > > >> to public stores only (as far as I can tell).
> > > > > > > > > > > > > >> For
> > > > > > on-premise
> > > > > > > > app
> > > > > > > > > > > > stores
> > > > > > > > > > > > > >> this might be false because each store owner
> > > > > > > > > > > > > >> need
> > to
> > > > set
> > > > > > and
> > > > > > > > > apply
> > > > > > > > > > > the
> > > > > > > > > > > > > >> governance for the apps. It could end on
> > > > > > > > > > > > > >> horrible
> > > > > results
> > > > > > > due
> > > > > > > > > to a
> > > > > > > > > > > bad
> > > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> I concur with everyone, it is possible but
> > > > > > > > > > > > > >> awful
> > > > design
> > > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >>> I don't have the details in hand at the
> > > > > > > > > > > > > >>> moment,
> > > but I
> > > > > > > > remember
> > > > > > > > > > > seeing
> > > > > > > > > > > > > in
> > > > > > > > > > > > > >>> more than one application store last year
> > policies
> > > > > being
> > > > > > > > > changed
> > > > > > > > > > to
> > > > > > > > > > > > > >>> disallow remote code to run in an
> > > > > > > > > > > > > >>> application
> > > > > on-demand.
> > > > > > > Such
> > > > > > > > > > rules
> > > > > > > > > > > > > >> *could*
> > > > > > > > > > > > > >>> as well be applied to Cordova apps that load
> > remote
> > > > > > content
> > > > > > > > > > > > considered
> > > > > > > > > > > > > as
> > > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not only
> > > > > > > > > > > > > >>> a
> > > > security
> > > > > > > > concern
> > > > > > > > > > per
> > > > > > > > > > > > se,
> > > > > > > > > > > > > >> but
> > > > > > > > > > > > > >>> also an imposed limitation on the stores
> > > > > > > > > > > > > >>> (which
> > > were
> > > > > > > > obviously
> > > > > > > > > > > > created
> > > > > > > > > > > > > >> for
> > > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> Not even mentioning the issues with
> > > > > > > > > > > > > >>> providing the
> > > > right
> > > > > > > > > > cordova.js
> > > > > > > > > > > > > >> version
> > > > > > > > > > > > > >>> from the remote server not really knowing
> > > > > > > > > > > > > >>> where
> > the
> > > > > > request
> > > > > > > > > came
> > > > > > > > > > > > from.
> > > > > > > > > > > > > >>> However, it's good to note too that aside
> > Phonegap
> > > > > > > Developer
> > > > > > > > > App,
> > > > > > > > > > > > there
> > > > > > > > > > > > > >> is
> > > > > > > > > > > > > >>> also Adobe Hydration that does the exact
> > > > > > > > > > > > > >>> same
> > thing
> > > > as
> > > > > a
> > > > > > > side
> > > > > > > > > > > service
> > > > > > > > > > > > > to
> > > > > > > > > > > > > >>> Phonegap Build. I don't know if they've come
> > > > > > > > > > > > > >>> into
> > > any
> > > > > of
> > > > > > > the
> > > > > > > > > > issues
> > > > > > > > > > > > > >>> mentioned, and I haven't even heard of it
> > > > > > > > > > > > > >>> being
> > > used
> > > > in
> > > > > > > > > > production.
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > > >:
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>> I agree with all your statements Marcel. I
> > > > > > > > > > > > > >>>> use
> > > this
> > > > > > > approach
> > > > > > > > > > > > > frequently
> > > > > > > > > > > > > >>> in
> > > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > > >>>> Ultimately App Store policies decide what
> > > > > > > > > > > > > >>>> can
> > and
> > > > > cannot
> > > > > > > be
> > > > > > > > > > done.
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>> Regarding security, there is nothing I can
> > > > > > > > > > > > > >>>> do
> > > with a
> > > > > > > remote
> > > > > > > > > page
> > > > > > > > > > > > that
> > > > > > > > > > > > > I
> > > > > > > > > > > > > >>>> can't already do inside my app. It's an
> > > > > > > > > > > > > >>>> issue of
> > > > > trust.
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > > >>>>
> > > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > > shazron@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > >>>>> I agree that it is not recommended, but
> > > > > > > > > > > > > >>>>> it's
> > > > > possible.
> > > > > > I
> > > > > > > > > delved
> > > > > > > > > > > > into
> > > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > > >>>>>
> > > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > >>>>> The PhoneGap Developer App is an example
> > > > > > > > > > > > > >>>>> of how
> > > > this
> > > > > is
> > > > > > > > > working
> > > > > > > > > > > at
> > > > > > > > > > > > > >>>>> http://app.phonegap.com but they do some
> > > proxying
> > > > to
> > > > > > get
> > > > > > > > > > around
> > > > > > > > > > > > the
> > > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > > >>>>>
> > > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel
> > Kinard <
> > > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > > >>>>>> I've been getting occasional questions
> > > > > > > > > > > > > >>>>>> about
> > > users
> > > > > > > trying
> > > > > > > > to
> > > > > > > > > > use
> > > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages with
> > > Cordova
> > > > > (in
> > > > > > > the
> > > > > > > > > > > webview,
> > > > > > > > > > > > > >> not
> > > > > > > > > > > > > >>>> InAppBrowser), and still expecting to have
> > access
> > > to
> > > > > the
> > > > > > > > > plugin
> > > > > > > > > > > APIs
> > > > > > > > > > > > > >>>> (camera is a popular one). My response so
> > > > > > > > > > > > > >>>> far
> > is:
> > > > > "This
> > > > > > is
> > > > > > > > an
> > > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > > >>>> configuration, because Cordova was not
> > > > > > > > > > > > > >>>> designed
> > > for
> > > > > this
> > > > > > > and
> > > > > > > > > the
> > > > > > > > > > > > > >>> community
> > > > > > > > > > > > > >>>> does no testing of this configuration.
> > > > > > > > > > > > > >>>> While it
> > > can
> > > > > work
> > > > > > > in
> > > > > > > > > some
> > > > > > > > > > > > > >>>> circumstances, it is not recommended nor
> > > supported."
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> My definition of "unsupported" is not
> > > > > > > > > > > > > >>>>>> that it
> > is
> > > > > > > > incapable,
> > > > > > > > > > but
> > > > > > > > > > > > that
> > > > > > > > > > > > > >>> we
> > > > > > > > > > > > > >>>> don't claim that it is supposed to work,
> > > > > > > > > > > > > >>>> and
> > more
> > > > > > > > importantly,
> > > > > > > > > > we
> > > > > > > > > > > > > won't
> > > > > > > > > > > > > >>>> actively fix user-submitted defects on this
> > topic.
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> The main concern I have on this is same
> > > > > > > > > > > > > >>>>>> origin
> > > > > policy,
> > > > > > > and
> > > > > > > > > > > > matching
> > > > > > > > > > > > > >>> the
> > > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > > locally-installed
> > > > > > > native
> > > > > > > > > > > Cordova
> > > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on
> > > > > > > > > > > > > >>>>>> this, or
> > do
> > > > you
> > > > > > > > agree?
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> If you agree, what would you think of a
> > > > > > > > > > > > > >>>>>> blurb
> > in
> > > > > > > > > cordova-docs
> > > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> --
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > > >>>
> > > > > > > > > > > > > >>> * www.pontoget.com.br
> > > > > > > > > > > > > >>> <http://www.pontoget.com/>
> > > > > > > > > > > > > >>
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead
> > > > > > > > > > > > Developer - MobDev. | Wizcorp Inc. <
> > > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > > > > OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> > |
> > > > > > Website
> > > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > > https://twitter.com/Wizcorp>
> > > > > > > |
> > > > > > > > > > > > Facebook
> > > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Carlos Santana
> > > > > > > > <cs...@gmail.com>
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead Developer -
> > > > > > > MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > > ------------------------------ TECH . GAMING . OPEN-SOURCE
> > > > > > > WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > > <http://www.wizcorp.jp/> | Twitter
> > > > > > > <https://twitter.com/Wizcorp>
> > |
> > > > > > > Facebook
> > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Carlos Santana
> > > > > <cs...@gmail.com>
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <cs...@gmail.com>
> > >
> >
> >
> >
> > --
> > Timothy Kim
> >
>
RE: remotely loaded pages
Posted by Chuck Lantz <cl...@microsoft.com>.
Out of curiosity, for production use where you presumably want people to take the updates (say because you don't want to keep your web service back-end supporting older versions of your app), wouldn't simply using an offline appcache with a hosted source achieve some of the same goals? At a certain point I suppose you hit size limits if you update all of your app content - iOS maxes out at 10mb I think.
-Chuck
-----Original Message-----
From: brian.leroux@gmail.com [mailto:brian.leroux@gmail.com] On Behalf Of Brian LeRoux
Sent: Thursday, August 21, 2014 12:15 PM
To: dev@cordova.apache.org
Subject: Re: remotely loaded pages
No apologies! It definitely *is* for dev authoring workflow currently …but given the #'s I think it could be suitable for production runtime. (Sorry I wasn't clear on that.)
On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
> >
> > I wonder how it solves the problems of serving the correct version
> > of cordova.js and cordova_plugin.js depending on the version of the
> > native code that is installed on the different versions of the
> > mobile App in production.
>
>
> When you connect to the IP that's being served by connect-phonegap,
> the client will send its device.version and device.platform to the
> server. On the server's side, there's a res folder within
> connect-phonegap with all the various version and platforms of the
> cordova.js, cordova_plugins.js and plugins/.
>
>
> On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
>
> > Sorry Brian, I thought it was a development time tool to allow for
> > fast development cycle associated with PhoneGap Developer App.
> >
> > I guess they can use it and run the connect-phonegap in a production
> > node-js backend system, I wonder how it solves the problems of
> > serving
> the
> > correct version of cordova.js and cordova_plugin.js depending on the
> > version of the native code that is installed on the different
> > versions of the mobile App in production.
> >
> >
> >
> >
> > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> >
> > > totally, though connect-phonegap *could* be considered production
> worthy
> > > (it is being used significantly by the pg downstream community)
> > >
> > >
> > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana
> > > <csantana23@gmail.com
> >
> > > wrote:
> > >
> > > > Brain I think that's OK at development time everything is fair
> > > > game
> :-)
> > > >
> > > > The problem is developers doing stupid things like loading a
> cordova.js
> > > > from a place they don't know for a in production app being used
> > > > by
> end
> > > > users, that's just kamikaze
> > > >
> > > > That's OK if they want to shoot themselves in the foot, but then
> don't
> > > come
> > > > crying to JIRA claiming that is a problem with Cordova project.
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> > > >
> > > > > phonegap-connect serves up remote cordova.js (negotiates the
> > requestor
> > > to
> > > > > send the right file)
> > > > >
> > > > > no deaths yet!
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middlewar
> e/cordova/cordova.js#L29
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie
> > > > > <aogilvie@wizcorp.jp
> >
> > > > wrote:
> > > > >
> > > > > > That's a good difference to point out.
> > > > > >
> > > > > > >My personal position is that scenarios where developer is
> > > > > > >in
> > control
> > > > and
> > > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is
> > > > > > >a
> > valid
> > > > > > >scenario for Cordova
> > > > > >
> > > > > > I agree, because as cordova.js and cordovaLib are version
> > > > > > linked,
> > it
> > > > > makes
> > > > > > sense that once an index.html is pulled in, it's cordova.js
> > > > > > to
> load
> > > is
> > > > > > already in the client application.
> > > > > > Loading an external cordova.js would be suicidal. So we save
> > > > > > the
> > file
> > > > > > locally to write into it's <HEAD> our known path to
> > > > > > codova.js
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > csantana23@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > I want to make clarification there is a notable difference
> > between
> > > > > > loading
> > > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova
> > > > > > > vs. a
> > > > > downloaded
> > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > >
> > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0
> /com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.
> html?locale=en
> > > > > > >
> > > > > > > The scenario is a download and local load of html/cordova.
> > Similar
> > > > > > scenario
> > > > > > > as spellcaster and appmobi For this scenario there is
> > > > > > > control from app developer of the
> code
> > > > being
> > > > > > > loaded.
> > > > > > >
> > > > > > > What Marcel is asking is a *non-local* load of arbitrary
> > html/code
> > > > not
> > > > > > > control by developer, developer loading a free html page
> > > > > > > own
> > > someone
> > > > > else
> > > > > > > and doing kind of a "document.location.replace('
> > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > >
> > > > > > > My personal position is that scenarios where developer is
> > > > > > > in
> > > control
> > > > > and
> > > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster)
> > > > > > > is a
> > valid
> > > > > > > scenario for Cordova. loading a random cordova.js directly
> from a
> > > > > > non-local
> > > > > > > random place not guarantee to be supported.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux
> > > > > > > <b...@brian.io>
> > wrote:
> > > > > > >
> > > > > > > > Very much so. So much so, I think we should even
> > > > > > > > consider
> such
> > > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > agrieve@chromium.org
> > > > > >
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > I think this is a very desired plugin that many end up
> > > > re-writing,
> > > > > > and
> > > > > > > > it's
> > > > > > > > > far better than setting the content src directly to a
> remote
> > > URL.
> > > > > > > > >
> > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > mmocny@chromium.org
> > > > > >
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Make it available Ally, of course that sounds
> interesting!
> > > > > > > > > >
> > > > > > > > > > I'm sure a few of us have suggestions for
> > > > > > > > > > improvements
> too.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > aogilvie@wizcorp.jp
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > >
> > > > > > > > > > > For some games that I produce where the entire
> > > > > > > > > > > game is
> > > served
> > > > > to
> > > > > > > the
> > > > > > > > > > client
> > > > > > > > > > > (requires no .html in the application) we have a
> > > > > > > > > > > tool
> > > called
> > > > > > > > > > "spellcaster".
> > > > > > > > > > > Spellcaster handles internet connectivity,
> > > > > > > > > > > localisation
> > and
> > > > > > Cordova
> > > > > > > > > code
> > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > >
> > > > > > > > > > > One simply adds an application URL to Cordova's
> > config.xml
> > > in
> > > > > > > > <content
> > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > >
> > > > > > > > > > > - Spellcaster will check for an active internet
> > connection.
> > > > If
> > > > > > one
> > > > > > > is
> > > > > > > > > not
> > > > > > > > > > > found Spellcaster will continue retrying at a set
> > interval.
> > > > > > > > > > > - Spellcaster downloads the content of the
> > > > > > > > > > > provided
> > > > application
> > > > > > URL
> > > > > > > > and
> > > > > > > > > > > stores to application cache (overriding any
> > > > > > > > > > > existing
> > > loader).
> > > > > > > > > > > - Spellcaster injects Cordova script tags just
> > > > > > > > > > > after
> the
> > > > <head>
> > > > > > > tag.
> > > > > > > > > > > - Spellcaster loads the new *loader into the
> > > > > > > > > > > WebView
> > > > > > > > > > >
> > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > >
> > > > > > > > > > > Are people still in need of such a solution? I
> > > > > > > > > > > could
> have
> > > > this
> > > > > > code
> > > > > > > > > made
> > > > > > > > > > > public it just needs a public sanitise check.
> Spellcaster
> > > > > > supports
> > > > > > > > iOS
> > > > > > > > > > and
> > > > > > > > > > > Android.
> > > > > > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > > > >
> > > > > > > > > > > @Override
> > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > super.init();
> > > > > > > > > > >
> > > > > > > > > > > @Override
> > > > > > > > > > > public void init() { Spellcaster spellcaster = new
> > > > > > > > > > > Spellcaster(); spellcaster.init(this,
> > > > > > > > > > > Config.getStartUrl(), appView); ...
> > > > > > > > > > >
> > > > > > > > > > > @Override
> > > > > > > > > > > public void init(org.apache.cordova.CordovaWebView
> > webView,
> > > > > > > > > > >
> > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > webViewClient,
> > > > > > > > > > >
> > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > webChromeClient)
> > > > > > > > {
> > > > > > > > > > > super.init(webView, webViewClient,
> webChromeClient);
> > > > > > > > > > >
> > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
> > webView);
> > > > > > > > > > > ...
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > > > purplecabbage@gmail.com
> > > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > > >
> > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > >
> > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > mhweiner234@gmail.com
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > It's technically possible, and even (arguably)
> legal
> > > > > > according
> > > > > > > to
> > > > > > > > > > > Apple's
> > > > > > > > > > > > > documentation, depending on the nature of the
> > > > > > > > > > > > > code
> > and
> > > > how
> > > > > > it's
> > > > > > > > > > > > implemented:
> > > > > > > > > > > > >
> > > > > > > > > > > > > 3.3.2 An Application may not download or
> > > > > > > > > > > > > install
> > > > executable
> > > > > > > code.
> > > > > > > > > > > > > Interpreted code may only be used in an
> > > > > > > > > > > > > Application
> > if
> > > > all
> > > > > > > > scripts,
> > > > > > > > > > > code
> > > > > > > > > > > > > and interpreters are packaged in the
> > > > > > > > > > > > > Application
> and
> > > not
> > > > > > > > > downloaded.
> > > > > > > > > > > The
> > > > > > > > > > > > > only exception to the foregoing is scripts and
> > > > > > > > > > > > > code
> > > > > > downloaded
> > > > > > > > and
> > > > > > > > > > run
> > > > > > > > > > > by
> > > > > > > > > > > > > Apple's built-in WebKit framework, provided
> > > > > > > > > > > > > that
> such
> > > > > scripts
> > > > > > > and
> > > > > > > > > > code
> > > > > > > > > > > do
> > > > > > > > > > > > > not change the primary purpose of the
> > > > > > > > > > > > > Application
> by
> > > > > > providing
> > > > > > > > > > features
> > > > > > > > > > > > or
> > > > > > > > > > > > > functionality that are inconsistent with the
> intended
> > > and
> > > > > > > > > advertised
> > > > > > > > > > > > > purpose of the Application as submitted to the
> > > > > > > > > > > > > App
> > > Store.
> > > > > > > > > > > > >
> > > > > > > > > > > > > However, I would only do so if the code is
> > > > > > > > > > > > > coming
> > from
> > > a
> > > > > > server
> > > > > > > > > that
> > > > > > > > > > > you
> > > > > > > > > > > > > control, and if you are able to control what
> > > > > > > > > > > > > code
> is
> > > > > getting
> > > > > > > > > > executed.
> > > > > > > > > > > > > Loading in 3rd party, unverified scripts into
> > > > > > > > > > > > > your
> > > > Cordova
> > > > > > view
> > > > > > > > is
> > > > > > > > > a
> > > > > > > > > > > big
> > > > > > > > > > > > > "no-no" for security reasons, and could get
> > > > > > > > > > > > > your
> app
> > > > > delisted
> > > > > > > (or
> > > > > > > > > > > > rejected).
> > > > > > > > > > > > >
> > > > > > > > > > > > > If anyone else has more information on the
> > > > > > > > > > > > > topic,
> I'd
> > > be
> > > > > > > > interested
> > > > > > > > > > in
> > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Marc
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> While what you are saying about the policies
> stores
> > is
> > > > > true,
> > > > > > > > this
> > > > > > > > > > > > applies
> > > > > > > > > > > > >> to public stores only (as far as I can tell).
> > > > > > > > > > > > >> For
> > > > > on-premise
> > > > > > > app
> > > > > > > > > > > stores
> > > > > > > > > > > > >> this might be false because each store owner
> > > > > > > > > > > > >> need
> to
> > > set
> > > > > and
> > > > > > > > apply
> > > > > > > > > > the
> > > > > > > > > > > > >> governance for the apps. It could end on
> > > > > > > > > > > > >> horrible
> > > > results
> > > > > > due
> > > > > > > > to a
> > > > > > > > > > bad
> > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> I concur with everyone, it is possible but
> > > > > > > > > > > > >> awful
> > > design
> > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > >>
> > > > > > > > > > > > >>> I don't have the details in hand at the
> > > > > > > > > > > > >>> moment,
> > but I
> > > > > > > remember
> > > > > > > > > > seeing
> > > > > > > > > > > > in
> > > > > > > > > > > > >>> more than one application store last year
> policies
> > > > being
> > > > > > > > changed
> > > > > > > > > to
> > > > > > > > > > > > >>> disallow remote code to run in an
> > > > > > > > > > > > >>> application
> > > > on-demand.
> > > > > > Such
> > > > > > > > > rules
> > > > > > > > > > > > >> *could*
> > > > > > > > > > > > >>> as well be applied to Cordova apps that load
> remote
> > > > > content
> > > > > > > > > > > considered
> > > > > > > > > > > > as
> > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not only
> > > > > > > > > > > > >>> a
> > > security
> > > > > > > concern
> > > > > > > > > per
> > > > > > > > > > > se,
> > > > > > > > > > > > >> but
> > > > > > > > > > > > >>> also an imposed limitation on the stores
> > > > > > > > > > > > >>> (which
> > were
> > > > > > > obviously
> > > > > > > > > > > created
> > > > > > > > > > > > >> for
> > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> Not even mentioning the issues with
> > > > > > > > > > > > >>> providing the
> > > right
> > > > > > > > > cordova.js
> > > > > > > > > > > > >> version
> > > > > > > > > > > > >>> from the remote server not really knowing
> > > > > > > > > > > > >>> where
> the
> > > > > request
> > > > > > > > came
> > > > > > > > > > > from.
> > > > > > > > > > > > >>> However, it's good to note too that aside
> Phonegap
> > > > > > Developer
> > > > > > > > App,
> > > > > > > > > > > there
> > > > > > > > > > > > >> is
> > > > > > > > > > > > >>> also Adobe Hydration that does the exact
> > > > > > > > > > > > >>> same
> thing
> > > as
> > > > a
> > > > > > side
> > > > > > > > > > service
> > > > > > > > > > > > to
> > > > > > > > > > > > >>> Phonegap Build. I don't know if they've come
> > > > > > > > > > > > >>> into
> > any
> > > > of
> > > > > > the
> > > > > > > > > issues
> > > > > > > > > > > > >>> mentioned, and I haven't even heard of it
> > > > > > > > > > > > >>> being
> > used
> > > in
> > > > > > > > > production.
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > >:
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>> I agree with all your statements Marcel. I
> > > > > > > > > > > > >>>> use
> > this
> > > > > > approach
> > > > > > > > > > > > frequently
> > > > > > > > > > > > >>> in
> > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > >>>> Ultimately App Store policies decide what
> > > > > > > > > > > > >>>> can
> and
> > > > cannot
> > > > > > be
> > > > > > > > > done.
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>> Regarding security, there is nothing I can
> > > > > > > > > > > > >>>> do
> > with a
> > > > > > remote
> > > > > > > > page
> > > > > > > > > > > that
> > > > > > > > > > > > I
> > > > > > > > > > > > >>>> can't already do inside my app. It's an
> > > > > > > > > > > > >>>> issue of
> > > > trust.
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > shazron@gmail.com>
> > > > > > > > > wrote:
> > > > > > > > > > > > >>>>>
> > > > > > > > > > > > >>>>> I agree that it is not recommended, but
> > > > > > > > > > > > >>>>> it's
> > > > possible.
> > > > > I
> > > > > > > > delved
> > > > > > > > > > > into
> > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > >>>>>
> > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > >>>>>
> > > > > > > > > > > > >>>>> The PhoneGap Developer App is an example
> > > > > > > > > > > > >>>>> of how
> > > this
> > > > is
> > > > > > > > working
> > > > > > > > > > at
> > > > > > > > > > > > >>>>> http://app.phonegap.com but they do some
> > proxying
> > > to
> > > > > get
> > > > > > > > > around
> > > > > > > > > > > the
> > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > >>>>>
> > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel
> Kinard <
> > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > >>>>>> I've been getting occasional questions
> > > > > > > > > > > > >>>>>> about
> > users
> > > > > > trying
> > > > > > > to
> > > > > > > > > use
> > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages with
> > Cordova
> > > > (in
> > > > > > the
> > > > > > > > > > webview,
> > > > > > > > > > > > >> not
> > > > > > > > > > > > >>>> InAppBrowser), and still expecting to have
> access
> > to
> > > > the
> > > > > > > > plugin
> > > > > > > > > > APIs
> > > > > > > > > > > > >>>> (camera is a popular one). My response so
> > > > > > > > > > > > >>>> far
> is:
> > > > "This
> > > > > is
> > > > > > > an
> > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > >>>> configuration, because Cordova was not
> > > > > > > > > > > > >>>> designed
> > for
> > > > this
> > > > > > and
> > > > > > > > the
> > > > > > > > > > > > >>> community
> > > > > > > > > > > > >>>> does no testing of this configuration.
> > > > > > > > > > > > >>>> While it
> > can
> > > > work
> > > > > > in
> > > > > > > > some
> > > > > > > > > > > > >>>> circumstances, it is not recommended nor
> > supported."
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> My definition of "unsupported" is not
> > > > > > > > > > > > >>>>>> that it
> is
> > > > > > > incapable,
> > > > > > > > > but
> > > > > > > > > > > that
> > > > > > > > > > > > >>> we
> > > > > > > > > > > > >>>> don't claim that it is supposed to work,
> > > > > > > > > > > > >>>> and
> more
> > > > > > > importantly,
> > > > > > > > > we
> > > > > > > > > > > > won't
> > > > > > > > > > > > >>>> actively fix user-submitted defects on this
> topic.
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> The main concern I have on this is same
> > > > > > > > > > > > >>>>>> origin
> > > > policy,
> > > > > > and
> > > > > > > > > > > matching
> > > > > > > > > > > > >>> the
> > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > locally-installed
> > > > > > native
> > > > > > > > > > Cordova
> > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on
> > > > > > > > > > > > >>>>>> this, or
> do
> > > you
> > > > > > > agree?
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> If you agree, what would you think of a
> > > > > > > > > > > > >>>>>> blurb
> in
> > > > > > > > cordova-docs
> > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> --
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> * www.pontoget.com.br
> > > > > > > > > > > > >>> <http://www.pontoget.com/>
> > > > > > > > > > > > >>
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead
> > > > > > > > > > > Developer - MobDev. | Wizcorp Inc. <
> > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > ------------------------------ TECH . GAMING .
> > > > > > > > > > > OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> |
> > > > > Website
> > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > https://twitter.com/Wizcorp>
> > > > > > |
> > > > > > > > > > > Facebook
> > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Carlos Santana
> > > > > > > <cs...@gmail.com>
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > <http://www.wizcorp.jp/>Ally Ogilvie Lead Developer -
> > > > > > MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > ------------------------------ TECH . GAMING . OPEN-SOURCE
> > > > > > WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > <http://www.wizcorp.jp/> | Twitter
> > > > > > <https://twitter.com/Wizcorp>
> |
> > > > > > Facebook
> > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Carlos Santana
> > > > <cs...@gmail.com>
> > > >
> > >
> >
> >
> >
> > --
> > Carlos Santana
> > <cs...@gmail.com>
> >
>
>
>
> --
> Timothy Kim
>
Re: remotely loaded pages
Posted by Brian LeRoux <b...@brian.io>.
No apologies! It definitely *is* for dev authoring workflow currently …but
given the #'s I think it could be suitable for production runtime. (Sorry I
wasn't clear on that.)
On Thu, Aug 21, 2014 at 11:35 AM, Tim Kim <ti...@gmail.com> wrote:
> >
> > I wonder how it solves the problems of serving the
> > correct version of cordova.js and cordova_plugin.js depending on the
> > version of the native code that is installed on the different versions of
> > the mobile App in production.
>
>
> When you connect to the IP that's being served by connect-phonegap, the
> client will send its device.version and device.platform to the server. On
> the server's side, there's a res folder within connect-phonegap with all
> the various version and platforms of the cordova.js, cordova_plugins.js and
> plugins/.
>
>
> On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
>
> > Sorry Brian, I thought it was a development time tool to allow for fast
> > development cycle associated with PhoneGap Developer App.
> >
> > I guess they can use it and run the connect-phonegap in a production
> > node-js backend system, I wonder how it solves the problems of serving
> the
> > correct version of cordova.js and cordova_plugin.js depending on the
> > version of the native code that is installed on the different versions of
> > the mobile App in production.
> >
> >
> >
> >
> > On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> >
> > > totally, though connect-phonegap *could* be considered production
> worthy
> > > (it is being used significantly by the pg downstream community)
> > >
> > >
> > > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana <csantana23@gmail.com
> >
> > > wrote:
> > >
> > > > Brain I think that's OK at development time everything is fair game
> :-)
> > > >
> > > > The problem is developers doing stupid things like loading a
> cordova.js
> > > > from a place they don't know for a in production app being used by
> end
> > > > users, that's just kamikaze
> > > >
> > > > That's OK if they want to shoot themselves in the foot, but then
> don't
> > > come
> > > > crying to JIRA claiming that is a problem with Cordova project.
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> > > >
> > > > > phonegap-connect serves up remote cordova.js (negotiates the
> > requestor
> > > to
> > > > > send the right file)
> > > > >
> > > > > no deaths yet!
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <aogilvie@wizcorp.jp
> >
> > > > wrote:
> > > > >
> > > > > > That's a good difference to point out.
> > > > > >
> > > > > > >My personal position is that scenarios where developer is in
> > control
> > > > and
> > > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a
> > valid
> > > > > > >scenario for Cordova
> > > > > >
> > > > > > I agree, because as cordova.js and cordovaLib are version linked,
> > it
> > > > > makes
> > > > > > sense that once an index.html is pulled in, it's cordova.js to
> load
> > > is
> > > > > > already in the client application.
> > > > > > Loading an external cordova.js would be suicidal. So we save the
> > file
> > > > > > locally to write into it's <HEAD> our known path to codova.js
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > > csantana23@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > I want to make clarification there is a notable difference
> > between
> > > > > > loading
> > > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a
> > > > > downloaded
> > > > > > > webapp to be loaded from a *local* HTML.
> > > > > > >
> > > > > > > IBM Worklight has a feature "Direct update"
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > > > > > >
> > > > > > > The scenario is a download and local load of html/cordova.
> > Similar
> > > > > > scenario
> > > > > > > as spellcaster and appmobi
> > > > > > > For this scenario there is control from app developer of the
> code
> > > > being
> > > > > > > loaded.
> > > > > > >
> > > > > > > What Marcel is asking is a *non-local* load of arbitrary
> > html/code
> > > > not
> > > > > > > control by developer, developer loading a free html page own
> > > someone
> > > > > else
> > > > > > > and doing kind of a "document.location.replace('
> > > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > > >
> > > > > > > My personal position is that scenarios where developer is in
> > > control
> > > > > and
> > > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster) is a
> > valid
> > > > > > > scenario for Cordova. loading a random cordova.js directly
> from a
> > > > > > non-local
> > > > > > > random place not guarantee to be supported.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io>
> > wrote:
> > > > > > >
> > > > > > > > Very much so. So much so, I think we should even consider
> such
> > > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > > agrieve@chromium.org
> > > > > >
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > I think this is a very desired plugin that many end up
> > > > re-writing,
> > > > > > and
> > > > > > > > it's
> > > > > > > > > far better than setting the content src directly to a
> remote
> > > URL.
> > > > > > > > >
> > > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > > mmocny@chromium.org
> > > > > >
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Make it available Ally, of course that sounds
> interesting!
> > > > > > > > > >
> > > > > > > > > > I'm sure a few of us have suggestions for improvements
> too.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > > aogilvie@wizcorp.jp
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > > >
> > > > > > > > > > > For some games that I produce where the entire game is
> > > served
> > > > > to
> > > > > > > the
> > > > > > > > > > client
> > > > > > > > > > > (requires no .html in the application) we have a tool
> > > called
> > > > > > > > > > "spellcaster".
> > > > > > > > > > > Spellcaster handles internet connectivity, localisation
> > and
> > > > > > Cordova
> > > > > > > > > code
> > > > > > > > > > > injection. It works as follows:
> > > > > > > > > > >
> > > > > > > > > > > One simply adds an application URL to Cordova's
> > config.xml
> > > in
> > > > > > > > <content
> > > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > > >
> > > > > > > > > > > - Spellcaster will check for an active internet
> > connection.
> > > > If
> > > > > > one
> > > > > > > is
> > > > > > > > > not
> > > > > > > > > > > found Spellcaster will continue retrying at a set
> > interval.
> > > > > > > > > > > - Spellcaster downloads the content of the provided
> > > > application
> > > > > > URL
> > > > > > > > and
> > > > > > > > > > > stores to application cache (overriding any existing
> > > loader).
> > > > > > > > > > > - Spellcaster injects Cordova script tags just after
> the
> > > > <head>
> > > > > > > tag.
> > > > > > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > > > > > >
> > > > > > > > > > > *loader is your html to load.
> > > > > > > > > > >
> > > > > > > > > > > Are people still in need of such a solution? I could
> have
> > > > this
> > > > > > code
> > > > > > > > > made
> > > > > > > > > > > public it just needs a public sanitise check.
> Spellcaster
> > > > > > supports
> > > > > > > > iOS
> > > > > > > > > > and
> > > > > > > > > > > Android.
> > > > > > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > > > >
> > > > > > > > > > > @Override
> > > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > > super.init();
> > > > > > > > > > >
> > > > > > > > > > > @Override
> > > > > > > > > > > public void init() {
> > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > > > > > > ...
> > > > > > > > > > >
> > > > > > > > > > > @Override
> > > > > > > > > > > public void init(org.apache.cordova.CordovaWebView
> > webView,
> > > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > > webViewClient,
> > > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > > webChromeClient)
> > > > > > > > {
> > > > > > > > > > > super.init(webView, webViewClient,
> webChromeClient);
> > > > > > > > > > >
> > > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
> > webView);
> > > > > > > > > > > ...
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > > > purplecabbage@gmail.com
> > > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > > >
> > > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > > >
> > > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > > mhweiner234@gmail.com
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > It's technically possible, and even (arguably)
> legal
> > > > > > according
> > > > > > > to
> > > > > > > > > > > Apple's
> > > > > > > > > > > > > documentation, depending on the nature of the code
> > and
> > > > how
> > > > > > it's
> > > > > > > > > > > > implemented:
> > > > > > > > > > > > >
> > > > > > > > > > > > > 3.3.2 An Application may not download or install
> > > > executable
> > > > > > > code.
> > > > > > > > > > > > > Interpreted code may only be used in an Application
> > if
> > > > all
> > > > > > > > scripts,
> > > > > > > > > > > code
> > > > > > > > > > > > > and interpreters are packaged in the Application
> and
> > > not
> > > > > > > > > downloaded.
> > > > > > > > > > > The
> > > > > > > > > > > > > only exception to the foregoing is scripts and code
> > > > > > downloaded
> > > > > > > > and
> > > > > > > > > > run
> > > > > > > > > > > by
> > > > > > > > > > > > > Apple's built-in WebKit framework, provided that
> such
> > > > > scripts
> > > > > > > and
> > > > > > > > > > code
> > > > > > > > > > > do
> > > > > > > > > > > > > not change the primary purpose of the Application
> by
> > > > > > providing
> > > > > > > > > > features
> > > > > > > > > > > > or
> > > > > > > > > > > > > functionality that are inconsistent with the
> intended
> > > and
> > > > > > > > > advertised
> > > > > > > > > > > > > purpose of the Application as submitted to the App
> > > Store.
> > > > > > > > > > > > >
> > > > > > > > > > > > > However, I would only do so if the code is coming
> > from
> > > a
> > > > > > server
> > > > > > > > > that
> > > > > > > > > > > you
> > > > > > > > > > > > > control, and if you are able to control what code
> is
> > > > > getting
> > > > > > > > > > executed.
> > > > > > > > > > > > > Loading in 3rd party, unverified scripts into your
> > > > Cordova
> > > > > > view
> > > > > > > > is
> > > > > > > > > a
> > > > > > > > > > > big
> > > > > > > > > > > > > "no-no" for security reasons, and could get your
> app
> > > > > delisted
> > > > > > > (or
> > > > > > > > > > > > rejected).
> > > > > > > > > > > > >
> > > > > > > > > > > > > If anyone else has more information on the topic,
> I'd
> > > be
> > > > > > > > interested
> > > > > > > > > > in
> > > > > > > > > > > > > hearing it.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Marc
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > > > > > sosah.victor@gmail.com
> > > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> While what you are saying about the policies
> stores
> > is
> > > > > true,
> > > > > > > > this
> > > > > > > > > > > > applies
> > > > > > > > > > > > >> to public stores only (as far as I can tell). For
> > > > > on-premise
> > > > > > > app
> > > > > > > > > > > stores
> > > > > > > > > > > > >> this might be false because each store owner need
> to
> > > set
> > > > > and
> > > > > > > > apply
> > > > > > > > > > the
> > > > > > > > > > > > >> governance for the apps. It could end on horrible
> > > > results
> > > > > > due
> > > > > > > > to a
> > > > > > > > > > bad
> > > > > > > > > > > > >> implementation.
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> I concur with everyone, it is possible but awful
> > > design
> > > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > > > >> wrote:
> > > > > > > > > > > > >>
> > > > > > > > > > > > >>> I don't have the details in hand at the moment,
> > but I
> > > > > > > remember
> > > > > > > > > > seeing
> > > > > > > > > > > > in
> > > > > > > > > > > > >>> more than one application store last year
> policies
> > > > being
> > > > > > > > changed
> > > > > > > > > to
> > > > > > > > > > > > >>> disallow remote code to run in an application
> > > > on-demand.
> > > > > > Such
> > > > > > > > > rules
> > > > > > > > > > > > >> *could*
> > > > > > > > > > > > >>> as well be applied to Cordova apps that load
> remote
> > > > > content
> > > > > > > > > > > considered
> > > > > > > > > > > > as
> > > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not only a
> > > security
> > > > > > > concern
> > > > > > > > > per
> > > > > > > > > > > se,
> > > > > > > > > > > > >> but
> > > > > > > > > > > > >>> also an imposed limitation on the stores (which
> > were
> > > > > > > obviously
> > > > > > > > > > > created
> > > > > > > > > > > > >> for
> > > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> Not even mentioning the issues with providing the
> > > right
> > > > > > > > > cordova.js
> > > > > > > > > > > > >> version
> > > > > > > > > > > > >>> from the remote server not really knowing where
> the
> > > > > request
> > > > > > > > came
> > > > > > > > > > > from.
> > > > > > > > > > > > >>> However, it's good to note too that aside
> Phonegap
> > > > > > Developer
> > > > > > > > App,
> > > > > > > > > > > there
> > > > > > > > > > > > >> is
> > > > > > > > > > > > >>> also Adobe Hydration that does the exact same
> thing
> > > as
> > > > a
> > > > > > side
> > > > > > > > > > service
> > > > > > > > > > > > to
> > > > > > > > > > > > >>> Phonegap Build. I don't know if they've come into
> > any
> > > > of
> > > > > > the
> > > > > > > > > issues
> > > > > > > > > > > > >>> mentioned, and I haven't even heard of it being
> > used
> > > in
> > > > > > > > > production.
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > > > purplecabbage@gmail.com
> > > > > > > > > > >:
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>> I agree with all your statements Marcel. I use
> > this
> > > > > > approach
> > > > > > > > > > > > frequently
> > > > > > > > > > > > >>> in
> > > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > > >>>> Ultimately App Store policies decide what can
> and
> > > > cannot
> > > > > > be
> > > > > > > > > done.
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>> Regarding security, there is nothing I can do
> > with a
> > > > > > remote
> > > > > > > > page
> > > > > > > > > > > that
> > > > > > > > > > > > I
> > > > > > > > > > > > >>>> can't already do inside my app. It's an issue of
> > > > trust.
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > > >>>>
> > > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > > shazron@gmail.com>
> > > > > > > > > wrote:
> > > > > > > > > > > > >>>>>
> > > > > > > > > > > > >>>>> I agree that it is not recommended, but it's
> > > > possible.
> > > > > I
> > > > > > > > delved
> > > > > > > > > > > into
> > > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > > >>>>>
> > > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > > >>>>>
> > > > > > > > > > > > >>>>> The PhoneGap Developer App is an example of how
> > > this
> > > > is
> > > > > > > > working
> > > > > > > > > > at
> > > > > > > > > > > > >>>>> http://app.phonegap.com but they do some
> > proxying
> > > to
> > > > > get
> > > > > > > > > around
> > > > > > > > > > > the
> > > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > > >>>>>
> > > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel
> Kinard <
> > > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > > >>>>>> I've been getting occasional questions about
> > users
> > > > > > trying
> > > > > > > to
> > > > > > > > > use
> > > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages with
> > Cordova
> > > > (in
> > > > > > the
> > > > > > > > > > webview,
> > > > > > > > > > > > >> not
> > > > > > > > > > > > >>>> InAppBrowser), and still expecting to have
> access
> > to
> > > > the
> > > > > > > > plugin
> > > > > > > > > > APIs
> > > > > > > > > > > > >>>> (camera is a popular one). My response so far
> is:
> > > > "This
> > > > > is
> > > > > > > an
> > > > > > > > > > > > >> unsupported
> > > > > > > > > > > > >>>> configuration, because Cordova was not designed
> > for
> > > > this
> > > > > > and
> > > > > > > > the
> > > > > > > > > > > > >>> community
> > > > > > > > > > > > >>>> does no testing of this configuration. While it
> > can
> > > > work
> > > > > > in
> > > > > > > > some
> > > > > > > > > > > > >>>> circumstances, it is not recommended nor
> > supported."
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> My definition of "unsupported" is not that it
> is
> > > > > > > incapable,
> > > > > > > > > but
> > > > > > > > > > > that
> > > > > > > > > > > > >>> we
> > > > > > > > > > > > >>>> don't claim that it is supposed to work, and
> more
> > > > > > > importantly,
> > > > > > > > > we
> > > > > > > > > > > > won't
> > > > > > > > > > > > >>>> actively fix user-submitted defects on this
> topic.
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> The main concern I have on this is same origin
> > > > policy,
> > > > > > and
> > > > > > > > > > > matching
> > > > > > > > > > > > >>> the
> > > > > > > > > > > > >>>> remotely-served cordova.js with the
> > > locally-installed
> > > > > > native
> > > > > > > > > > Cordova
> > > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or
> do
> > > you
> > > > > > > agree?
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> If you agree, what would you think of a blurb
> in
> > > > > > > > cordova-docs
> > > > > > > > > > > > >>> somewhere
> > > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > > >>>>>>
> > > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> --
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > > >>>
> > > > > > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > > > > > >>
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <
> > > > > http://www.wizcorp.jp/>
> > > > > > > > > > > ------------------------------
> > > > > > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448
> |
> > > > > Website
> > > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > > https://twitter.com/Wizcorp>
> > > > > > |
> > > > > > > > > > > Facebook
> > > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Carlos Santana
> > > > > > > <cs...@gmail.com>
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > ------------------------------
> > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp>
> |
> > > > > > Facebook
> > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Carlos Santana
> > > > <cs...@gmail.com>
> > > >
> > >
> >
> >
> >
> > --
> > Carlos Santana
> > <cs...@gmail.com>
> >
>
>
>
> --
> Timothy Kim
>
Re: remotely loaded pages
Posted by Tim Kim <ti...@gmail.com>.
>
> I wonder how it solves the problems of serving the
> correct version of cordova.js and cordova_plugin.js depending on the
> version of the native code that is installed on the different versions of
> the mobile App in production.
When you connect to the IP that's being served by connect-phonegap, the
client will send its device.version and device.platform to the server. On
the server's side, there's a res folder within connect-phonegap with all
the various version and platforms of the cordova.js, cordova_plugins.js and
plugins/.
On 21 August 2014 11:20, Carlos Santana <cs...@gmail.com> wrote:
> Sorry Brian, I thought it was a development time tool to allow for fast
> development cycle associated with PhoneGap Developer App.
>
> I guess they can use it and run the connect-phonegap in a production
> node-js backend system, I wonder how it solves the problems of serving the
> correct version of cordova.js and cordova_plugin.js depending on the
> version of the native code that is installed on the different versions of
> the mobile App in production.
>
>
>
>
> On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
>
> > totally, though connect-phonegap *could* be considered production worthy
> > (it is being used significantly by the pg downstream community)
> >
> >
> > On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana <cs...@gmail.com>
> > wrote:
> >
> > > Brain I think that's OK at development time everything is fair game :-)
> > >
> > > The problem is developers doing stupid things like loading a cordova.js
> > > from a place they don't know for a in production app being used by end
> > > users, that's just kamikaze
> > >
> > > That's OK if they want to shoot themselves in the foot, but then don't
> > come
> > > crying to JIRA claiming that is a problem with Cordova project.
> > >
> > >
> > > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> > >
> > > > phonegap-connect serves up remote cordova.js (negotiates the
> requestor
> > to
> > > > send the right file)
> > > >
> > > > no deaths yet!
> > > >
> > > >
> > > >
> > >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <ao...@wizcorp.jp>
> > > wrote:
> > > >
> > > > > That's a good difference to point out.
> > > > >
> > > > > >My personal position is that scenarios where developer is in
> control
> > > and
> > > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a
> valid
> > > > > >scenario for Cordova
> > > > >
> > > > > I agree, because as cordova.js and cordovaLib are version linked,
> it
> > > > makes
> > > > > sense that once an index.html is pulled in, it's cordova.js to load
> > is
> > > > > already in the client application.
> > > > > Loading an external cordova.js would be suicidal. So we save the
> file
> > > > > locally to write into it's <HEAD> our known path to codova.js
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> > csantana23@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I want to make clarification there is a notable difference
> between
> > > > > loading
> > > > > > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a
> > > > downloaded
> > > > > > webapp to be loaded from a *local* HTML.
> > > > > >
> > > > > > IBM Worklight has a feature "Direct update"
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > > > > >
> > > > > > The scenario is a download and local load of html/cordova.
> Similar
> > > > > scenario
> > > > > > as spellcaster and appmobi
> > > > > > For this scenario there is control from app developer of the code
> > > being
> > > > > > loaded.
> > > > > >
> > > > > > What Marcel is asking is a *non-local* load of arbitrary
> html/code
> > > not
> > > > > > control by developer, developer loading a free html page own
> > someone
> > > > else
> > > > > > and doing kind of a "document.location.replace('
> > > > > > http://somerandom.com/thisotherguy.html')"
> > > > > >
> > > > > > My personal position is that scenarios where developer is in
> > control
> > > > and
> > > > > > loaded locally (i.e. directupdate, appmobi, spellcaster) is a
> valid
> > > > > > scenario for Cordova. loading a random cordova.js directly from a
> > > > > non-local
> > > > > > random place not guarantee to be supported.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io>
> wrote:
> > > > > >
> > > > > > > Very much so. So much so, I think we should even consider such
> > > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > > agrieve@chromium.org
> > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I think this is a very desired plugin that many end up
> > > re-writing,
> > > > > and
> > > > > > > it's
> > > > > > > > far better than setting the content src directly to a remote
> > URL.
> > > > > > > >
> > > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > > mmocny@chromium.org
> > > > >
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Make it available Ally, of course that sounds interesting!
> > > > > > > > >
> > > > > > > > > I'm sure a few of us have suggestions for improvements too.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > > aogilvie@wizcorp.jp
> > > > > >
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > > >
> > > > > > > > > > For some games that I produce where the entire game is
> > served
> > > > to
> > > > > > the
> > > > > > > > > client
> > > > > > > > > > (requires no .html in the application) we have a tool
> > called
> > > > > > > > > "spellcaster".
> > > > > > > > > > Spellcaster handles internet connectivity, localisation
> and
> > > > > Cordova
> > > > > > > > code
> > > > > > > > > > injection. It works as follows:
> > > > > > > > > >
> > > > > > > > > > One simply adds an application URL to Cordova's
> config.xml
> > in
> > > > > > > <content
> > > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > > >
> > > > > > > > > > - Spellcaster will check for an active internet
> connection.
> > > If
> > > > > one
> > > > > > is
> > > > > > > > not
> > > > > > > > > > found Spellcaster will continue retrying at a set
> interval.
> > > > > > > > > > - Spellcaster downloads the content of the provided
> > > application
> > > > > URL
> > > > > > > and
> > > > > > > > > > stores to application cache (overriding any existing
> > loader).
> > > > > > > > > > - Spellcaster injects Cordova script tags just after the
> > > <head>
> > > > > > tag.
> > > > > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > > > > >
> > > > > > > > > > *loader is your html to load.
> > > > > > > > > >
> > > > > > > > > > Are people still in need of such a solution? I could have
> > > this
> > > > > code
> > > > > > > > made
> > > > > > > > > > public it just needs a public sanitise check. Spellcaster
> > > > > supports
> > > > > > > iOS
> > > > > > > > > and
> > > > > > > > > > Android.
> > > > > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > > >
> > > > > > > > > > @Override
> > > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > > super.init();
> > > > > > > > > >
> > > > > > > > > > @Override
> > > > > > > > > > public void init() {
> > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > > > > > ...
> > > > > > > > > >
> > > > > > > > > > @Override
> > > > > > > > > > public void init(org.apache.cordova.CordovaWebView
> webView,
> > > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > > webViewClient,
> > > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > > webChromeClient)
> > > > > > > {
> > > > > > > > > > super.init(webView, webViewClient, webChromeClient);
> > > > > > > > > >
> > > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > > spellcaster.init(this, Config.getStartUrl(),
> webView);
> > > > > > > > > > ...
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > > purplecabbage@gmail.com
> > > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > > >
> > > > > > > > > > > Sent from my iPhone
> > > > > > > > > > >
> > > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > > mhweiner234@gmail.com
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > It's technically possible, and even (arguably) legal
> > > > > according
> > > > > > to
> > > > > > > > > > Apple's
> > > > > > > > > > > > documentation, depending on the nature of the code
> and
> > > how
> > > > > it's
> > > > > > > > > > > implemented:
> > > > > > > > > > > >
> > > > > > > > > > > > 3.3.2 An Application may not download or install
> > > executable
> > > > > > code.
> > > > > > > > > > > > Interpreted code may only be used in an Application
> if
> > > all
> > > > > > > scripts,
> > > > > > > > > > code
> > > > > > > > > > > > and interpreters are packaged in the Application and
> > not
> > > > > > > > downloaded.
> > > > > > > > > > The
> > > > > > > > > > > > only exception to the foregoing is scripts and code
> > > > > downloaded
> > > > > > > and
> > > > > > > > > run
> > > > > > > > > > by
> > > > > > > > > > > > Apple's built-in WebKit framework, provided that such
> > > > scripts
> > > > > > and
> > > > > > > > > code
> > > > > > > > > > do
> > > > > > > > > > > > not change the primary purpose of the Application by
> > > > > providing
> > > > > > > > > features
> > > > > > > > > > > or
> > > > > > > > > > > > functionality that are inconsistent with the intended
> > and
> > > > > > > > advertised
> > > > > > > > > > > > purpose of the Application as submitted to the App
> > Store.
> > > > > > > > > > > >
> > > > > > > > > > > > However, I would only do so if the code is coming
> from
> > a
> > > > > server
> > > > > > > > that
> > > > > > > > > > you
> > > > > > > > > > > > control, and if you are able to control what code is
> > > > getting
> > > > > > > > > executed.
> > > > > > > > > > > > Loading in 3rd party, unverified scripts into your
> > > Cordova
> > > > > view
> > > > > > > is
> > > > > > > > a
> > > > > > > > > > big
> > > > > > > > > > > > "no-no" for security reasons, and could get your app
> > > > delisted
> > > > > > (or
> > > > > > > > > > > rejected).
> > > > > > > > > > > >
> > > > > > > > > > > > If anyone else has more information on the topic, I'd
> > be
> > > > > > > interested
> > > > > > > > > in
> > > > > > > > > > > > hearing it.
> > > > > > > > > > > >
> > > > > > > > > > > > Marc
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > > > > sosah.victor@gmail.com
> > > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > >>
> > > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > > >>
> > > > > > > > > > > >> While what you are saying about the policies stores
> is
> > > > true,
> > > > > > > this
> > > > > > > > > > > applies
> > > > > > > > > > > >> to public stores only (as far as I can tell). For
> > > > on-premise
> > > > > > app
> > > > > > > > > > stores
> > > > > > > > > > > >> this might be false because each store owner need to
> > set
> > > > and
> > > > > > > apply
> > > > > > > > > the
> > > > > > > > > > > >> governance for the apps. It could end on horrible
> > > results
> > > > > due
> > > > > > > to a
> > > > > > > > > bad
> > > > > > > > > > > >> implementation.
> > > > > > > > > > > >>
> > > > > > > > > > > >> I concur with everyone, it is possible but awful
> > design
> > > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > > >> wrote:
> > > > > > > > > > > >>
> > > > > > > > > > > >>> I don't have the details in hand at the moment,
> but I
> > > > > > remember
> > > > > > > > > seeing
> > > > > > > > > > > in
> > > > > > > > > > > >>> more than one application store last year policies
> > > being
> > > > > > > changed
> > > > > > > > to
> > > > > > > > > > > >>> disallow remote code to run in an application
> > > on-demand.
> > > > > Such
> > > > > > > > rules
> > > > > > > > > > > >> *could*
> > > > > > > > > > > >>> as well be applied to Cordova apps that load remote
> > > > content
> > > > > > > > > > considered
> > > > > > > > > > > as
> > > > > > > > > > > >>> code (HTML isn't, but JS is). It's not only a
> > security
> > > > > > concern
> > > > > > > > per
> > > > > > > > > > se,
> > > > > > > > > > > >> but
> > > > > > > > > > > >>> also an imposed limitation on the stores (which
> were
> > > > > > obviously
> > > > > > > > > > created
> > > > > > > > > > > >> for
> > > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> Not even mentioning the issues with providing the
> > right
> > > > > > > > cordova.js
> > > > > > > > > > > >> version
> > > > > > > > > > > >>> from the remote server not really knowing where the
> > > > request
> > > > > > > came
> > > > > > > > > > from.
> > > > > > > > > > > >>> However, it's good to note too that aside Phonegap
> > > > > Developer
> > > > > > > App,
> > > > > > > > > > there
> > > > > > > > > > > >> is
> > > > > > > > > > > >>> also Adobe Hydration that does the exact same thing
> > as
> > > a
> > > > > side
> > > > > > > > > service
> > > > > > > > > > > to
> > > > > > > > > > > >>> Phonegap Build. I don't know if they've come into
> any
> > > of
> > > > > the
> > > > > > > > issues
> > > > > > > > > > > >>> mentioned, and I haven't even heard of it being
> used
> > in
> > > > > > > > production.
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > > purplecabbage@gmail.com
> > > > > > > > > >:
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>> I agree with all your statements Marcel. I use
> this
> > > > > approach
> > > > > > > > > > > frequently
> > > > > > > > > > > >>> in
> > > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > > >>>> Ultimately App Store policies decide what can and
> > > cannot
> > > > > be
> > > > > > > > done.
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>> Regarding security, there is nothing I can do
> with a
> > > > > remote
> > > > > > > page
> > > > > > > > > > that
> > > > > > > > > > > I
> > > > > > > > > > > >>>> can't already do inside my app. It's an issue of
> > > trust.
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > > >>>>
> > > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > > shazron@gmail.com>
> > > > > > > > wrote:
> > > > > > > > > > > >>>>>
> > > > > > > > > > > >>>>> I agree that it is not recommended, but it's
> > > possible.
> > > > I
> > > > > > > delved
> > > > > > > > > > into
> > > > > > > > > > > >>>>> this question here:
> > > > > > > > > > > >>>>>
> > > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > > >>>>>
> > > > > > > > > > > >>>>> The PhoneGap Developer App is an example of how
> > this
> > > is
> > > > > > > working
> > > > > > > > > at
> > > > > > > > > > > >>>>> http://app.phonegap.com but they do some
> proxying
> > to
> > > > get
> > > > > > > > around
> > > > > > > > > > the
> > > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > > >>>>>
> > > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > > >>>> wrote:
> > > > > > > > > > > >>>>>> I've been getting occasional questions about
> users
> > > > > trying
> > > > > > to
> > > > > > > > use
> > > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages with
> Cordova
> > > (in
> > > > > the
> > > > > > > > > webview,
> > > > > > > > > > > >> not
> > > > > > > > > > > >>>> InAppBrowser), and still expecting to have access
> to
> > > the
> > > > > > > plugin
> > > > > > > > > APIs
> > > > > > > > > > > >>>> (camera is a popular one). My response so far is:
> > > "This
> > > > is
> > > > > > an
> > > > > > > > > > > >> unsupported
> > > > > > > > > > > >>>> configuration, because Cordova was not designed
> for
> > > this
> > > > > and
> > > > > > > the
> > > > > > > > > > > >>> community
> > > > > > > > > > > >>>> does no testing of this configuration. While it
> can
> > > work
> > > > > in
> > > > > > > some
> > > > > > > > > > > >>>> circumstances, it is not recommended nor
> supported."
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> My definition of "unsupported" is not that it is
> > > > > > incapable,
> > > > > > > > but
> > > > > > > > > > that
> > > > > > > > > > > >>> we
> > > > > > > > > > > >>>> don't claim that it is supposed to work, and more
> > > > > > importantly,
> > > > > > > > we
> > > > > > > > > > > won't
> > > > > > > > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> The main concern I have on this is same origin
> > > policy,
> > > > > and
> > > > > > > > > > matching
> > > > > > > > > > > >>> the
> > > > > > > > > > > >>>> remotely-served cordova.js with the
> > locally-installed
> > > > > native
> > > > > > > > > Cordova
> > > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do
> > you
> > > > > > agree?
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> If you agree, what would you think of a blurb in
> > > > > > > cordova-docs
> > > > > > > > > > > >>> somewhere
> > > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > > >>>>>>
> > > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> --
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > > >>>
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > > >>>
> > > > > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > > > > >>
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <
> > > > http://www.wizcorp.jp/>
> > > > > > > > > > ------------------------------
> > > > > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 |
> > > > Website
> > > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > > https://twitter.com/Wizcorp>
> > > > > |
> > > > > > > > > > Facebook
> > > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Carlos Santana
> > > > > > <cs...@gmail.com>
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > ------------------------------
> > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > > > Facebook
> > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > <http://www.linkedin.com/company/wizcorp>
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <cs...@gmail.com>
> > >
> >
>
>
>
> --
> Carlos Santana
> <cs...@gmail.com>
>
--
Timothy Kim
Re: remotely loaded pages
Posted by Carlos Santana <cs...@gmail.com>.
Sorry Brian, I thought it was a development time tool to allow for fast
development cycle associated with PhoneGap Developer App.
I guess they can use it and run the connect-phonegap in a production
node-js backend system, I wonder how it solves the problems of serving the
correct version of cordova.js and cordova_plugin.js depending on the
version of the native code that is installed on the different versions of
the mobile App in production.
On Thu, Aug 21, 2014 at 2:06 PM, Brian LeRoux <b...@brian.io> wrote:
> totally, though connect-phonegap *could* be considered production worthy
> (it is being used significantly by the pg downstream community)
>
>
> On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana <cs...@gmail.com>
> wrote:
>
> > Brain I think that's OK at development time everything is fair game :-)
> >
> > The problem is developers doing stupid things like loading a cordova.js
> > from a place they don't know for a in production app being used by end
> > users, that's just kamikaze
> >
> > That's OK if they want to shoot themselves in the foot, but then don't
> come
> > crying to JIRA claiming that is a problem with Cordova project.
> >
> >
> > On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> >
> > > phonegap-connect serves up remote cordova.js (negotiates the requestor
> to
> > > send the right file)
> > >
> > > no deaths yet!
> > >
> > >
> > >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
> > >
> > >
> > > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <ao...@wizcorp.jp>
> > wrote:
> > >
> > > > That's a good difference to point out.
> > > >
> > > > >My personal position is that scenarios where developer is in control
> > and
> > > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > > >scenario for Cordova
> > > >
> > > > I agree, because as cordova.js and cordovaLib are version linked, it
> > > makes
> > > > sense that once an index.html is pulled in, it's cordova.js to load
> is
> > > > already in the client application.
> > > > Loading an external cordova.js would be suicidal. So we save the file
> > > > locally to write into it's <HEAD> our known path to codova.js
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <
> csantana23@gmail.com>
> > > > wrote:
> > > >
> > > > > I want to make clarification there is a notable difference between
> > > > loading
> > > > > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a
> > > downloaded
> > > > > webapp to be loaded from a *local* HTML.
> > > > >
> > > > > IBM Worklight has a feature "Direct update"
> > > > >
> > > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > > > >
> > > > > The scenario is a download and local load of html/cordova. Similar
> > > > scenario
> > > > > as spellcaster and appmobi
> > > > > For this scenario there is control from app developer of the code
> > being
> > > > > loaded.
> > > > >
> > > > > What Marcel is asking is a *non-local* load of arbitrary html/code
> > not
> > > > > control by developer, developer loading a free html page own
> someone
> > > else
> > > > > and doing kind of a "document.location.replace('
> > > > > http://somerandom.com/thisotherguy.html')"
> > > > >
> > > > > My personal position is that scenarios where developer is in
> control
> > > and
> > > > > loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > > > scenario for Cordova. loading a random cordova.js directly from a
> > > > non-local
> > > > > random place not guarantee to be supported.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io> wrote:
> > > > >
> > > > > > Very much so. So much so, I think we should even consider such
> > > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> > agrieve@chromium.org
> > > >
> > > > > > wrote:
> > > > > >
> > > > > > > I think this is a very desired plugin that many end up
> > re-writing,
> > > > and
> > > > > > it's
> > > > > > > far better than setting the content src directly to a remote
> URL.
> > > > > > >
> > > > > > > E.g. just stumbled across this yesterday:
> > > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> > mmocny@chromium.org
> > > >
> > > > > > wrote:
> > > > > > >
> > > > > > > > Make it available Ally, of course that sounds interesting!
> > > > > > > >
> > > > > > > > I'm sure a few of us have suggestions for improvements too.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > > aogilvie@wizcorp.jp
> > > > >
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > > >
> > > > > > > > > For some games that I produce where the entire game is
> served
> > > to
> > > > > the
> > > > > > > > client
> > > > > > > > > (requires no .html in the application) we have a tool
> called
> > > > > > > > "spellcaster".
> > > > > > > > > Spellcaster handles internet connectivity, localisation and
> > > > Cordova
> > > > > > > code
> > > > > > > > > injection. It works as follows:
> > > > > > > > >
> > > > > > > > > One simply adds an application URL to Cordova's config.xml
> in
> > > > > > <content
> > > > > > > > > src=YOUR_URL_HERE>
> > > > > > > > >
> > > > > > > > > - Spellcaster will check for an active internet connection.
> > If
> > > > one
> > > > > is
> > > > > > > not
> > > > > > > > > found Spellcaster will continue retrying at a set interval.
> > > > > > > > > - Spellcaster downloads the content of the provided
> > application
> > > > URL
> > > > > > and
> > > > > > > > > stores to application cache (overriding any existing
> loader).
> > > > > > > > > - Spellcaster injects Cordova script tags just after the
> > <head>
> > > > > tag.
> > > > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > > > >
> > > > > > > > > *loader is your html to load.
> > > > > > > > >
> > > > > > > > > Are people still in need of such a solution? I could have
> > this
> > > > code
> > > > > > > made
> > > > > > > > > public it just needs a public sanitise check. Spellcaster
> > > > supports
> > > > > > iOS
> > > > > > > > and
> > > > > > > > > Android.
> > > > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > > >
> > > > > > > > > @Override
> > > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > > super.init();
> > > > > > > > >
> > > > > > > > > @Override
> > > > > > > > > public void init() {
> > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > > @Override
> > > > > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > > webViewClient,
> > > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > > webChromeClient)
> > > > > > {
> > > > > > > > > super.init(webView, webViewClient, webChromeClient);
> > > > > > > > >
> > > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > > purplecabbage@gmail.com
> > > > > > > >
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > It is great design for development, and netflix.
> > > > > > > > > >
> > > > > > > > > > Sent from my iPhone
> > > > > > > > > >
> > > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > > mhweiner234@gmail.com
> > > > > >
> > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > It's technically possible, and even (arguably) legal
> > > > according
> > > > > to
> > > > > > > > > Apple's
> > > > > > > > > > > documentation, depending on the nature of the code and
> > how
> > > > it's
> > > > > > > > > > implemented:
> > > > > > > > > > >
> > > > > > > > > > > 3.3.2 An Application may not download or install
> > executable
> > > > > code.
> > > > > > > > > > > Interpreted code may only be used in an Application if
> > all
> > > > > > scripts,
> > > > > > > > > code
> > > > > > > > > > > and interpreters are packaged in the Application and
> not
> > > > > > > downloaded.
> > > > > > > > > The
> > > > > > > > > > > only exception to the foregoing is scripts and code
> > > > downloaded
> > > > > > and
> > > > > > > > run
> > > > > > > > > by
> > > > > > > > > > > Apple's built-in WebKit framework, provided that such
> > > scripts
> > > > > and
> > > > > > > > code
> > > > > > > > > do
> > > > > > > > > > > not change the primary purpose of the Application by
> > > > providing
> > > > > > > > features
> > > > > > > > > > or
> > > > > > > > > > > functionality that are inconsistent with the intended
> and
> > > > > > > advertised
> > > > > > > > > > > purpose of the Application as submitted to the App
> Store.
> > > > > > > > > > >
> > > > > > > > > > > However, I would only do so if the code is coming from
> a
> > > > server
> > > > > > > that
> > > > > > > > > you
> > > > > > > > > > > control, and if you are able to control what code is
> > > getting
> > > > > > > > executed.
> > > > > > > > > > > Loading in 3rd party, unverified scripts into your
> > Cordova
> > > > view
> > > > > > is
> > > > > > > a
> > > > > > > > > big
> > > > > > > > > > > "no-no" for security reasons, and could get your app
> > > delisted
> > > > > (or
> > > > > > > > > > rejected).
> > > > > > > > > > >
> > > > > > > > > > > If anyone else has more information on the topic, I'd
> be
> > > > > > interested
> > > > > > > > in
> > > > > > > > > > > hearing it.
> > > > > > > > > > >
> > > > > > > > > > > Marc
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > > > sosah.victor@gmail.com
> > > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > >>
> > > > > > > > > > >> Hi Frederico.
> > > > > > > > > > >>
> > > > > > > > > > >> While what you are saying about the policies stores is
> > > true,
> > > > > > this
> > > > > > > > > > applies
> > > > > > > > > > >> to public stores only (as far as I can tell). For
> > > on-premise
> > > > > app
> > > > > > > > > stores
> > > > > > > > > > >> this might be false because each store owner need to
> set
> > > and
> > > > > > apply
> > > > > > > > the
> > > > > > > > > > >> governance for the apps. It could end on horrible
> > results
> > > > due
> > > > > > to a
> > > > > > > > bad
> > > > > > > > > > >> implementation.
> > > > > > > > > > >>
> > > > > > > > > > >> I concur with everyone, it is possible but awful
> design
> > > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > > >> wrote:
> > > > > > > > > > >>
> > > > > > > > > > >>> I don't have the details in hand at the moment, but I
> > > > > remember
> > > > > > > > seeing
> > > > > > > > > > in
> > > > > > > > > > >>> more than one application store last year policies
> > being
> > > > > > changed
> > > > > > > to
> > > > > > > > > > >>> disallow remote code to run in an application
> > on-demand.
> > > > Such
> > > > > > > rules
> > > > > > > > > > >> *could*
> > > > > > > > > > >>> as well be applied to Cordova apps that load remote
> > > content
> > > > > > > > > considered
> > > > > > > > > > as
> > > > > > > > > > >>> code (HTML isn't, but JS is). It's not only a
> security
> > > > > concern
> > > > > > > per
> > > > > > > > > se,
> > > > > > > > > > >> but
> > > > > > > > > > >>> also an imposed limitation on the stores (which were
> > > > > obviously
> > > > > > > > > created
> > > > > > > > > > >> for
> > > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > > >>>
> > > > > > > > > > >>> Not even mentioning the issues with providing the
> right
> > > > > > > cordova.js
> > > > > > > > > > >> version
> > > > > > > > > > >>> from the remote server not really knowing where the
> > > request
> > > > > > came
> > > > > > > > > from.
> > > > > > > > > > >>> However, it's good to note too that aside Phonegap
> > > > Developer
> > > > > > App,
> > > > > > > > > there
> > > > > > > > > > >> is
> > > > > > > > > > >>> also Adobe Hydration that does the exact same thing
> as
> > a
> > > > side
> > > > > > > > service
> > > > > > > > > > to
> > > > > > > > > > >>> Phonegap Build. I don't know if they've come into any
> > of
> > > > the
> > > > > > > issues
> > > > > > > > > > >>> mentioned, and I haven't even heard of it being used
> in
> > > > > > > production.
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > > purplecabbage@gmail.com
> > > > > > > > >:
> > > > > > > > > > >>>
> > > > > > > > > > >>>> I agree with all your statements Marcel. I use this
> > > > approach
> > > > > > > > > > frequently
> > > > > > > > > > >>> in
> > > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > > >>>> Ultimately App Store policies decide what can and
> > cannot
> > > > be
> > > > > > > done.
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> Regarding security, there is nothing I can do with a
> > > > remote
> > > > > > page
> > > > > > > > > that
> > > > > > > > > > I
> > > > > > > > > > >>>> can't already do inside my app. It's an issue of
> > trust.
> > > > > > > > > > >>>>
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > > >>>>
> > > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > > shazron@gmail.com>
> > > > > > > wrote:
> > > > > > > > > > >>>>>
> > > > > > > > > > >>>>> I agree that it is not recommended, but it's
> > possible.
> > > I
> > > > > > delved
> > > > > > > > > into
> > > > > > > > > > >>>>> this question here:
> > > > > > > > > > >>>>>
> > > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > > >>>>>
> > > > > > > > > > >>>>> The PhoneGap Developer App is an example of how
> this
> > is
> > > > > > working
> > > > > > > > at
> > > > > > > > > > >>>>> http://app.phonegap.com but they do some proxying
> to
> > > get
> > > > > > > around
> > > > > > > > > the
> > > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > > >>>>>
> > > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > > >>>> wrote:
> > > > > > > > > > >>>>>> I've been getting occasional questions about users
> > > > trying
> > > > > to
> > > > > > > use
> > > > > > > > > > >>>> remotely-loaded (non-local) HTML pages with Cordova
> > (in
> > > > the
> > > > > > > > webview,
> > > > > > > > > > >> not
> > > > > > > > > > >>>> InAppBrowser), and still expecting to have access to
> > the
> > > > > > plugin
> > > > > > > > APIs
> > > > > > > > > > >>>> (camera is a popular one). My response so far is:
> > "This
> > > is
> > > > > an
> > > > > > > > > > >> unsupported
> > > > > > > > > > >>>> configuration, because Cordova was not designed for
> > this
> > > > and
> > > > > > the
> > > > > > > > > > >>> community
> > > > > > > > > > >>>> does no testing of this configuration. While it can
> > work
> > > > in
> > > > > > some
> > > > > > > > > > >>>> circumstances, it is not recommended nor supported."
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> My definition of "unsupported" is not that it is
> > > > > incapable,
> > > > > > > but
> > > > > > > > > that
> > > > > > > > > > >>> we
> > > > > > > > > > >>>> don't claim that it is supposed to work, and more
> > > > > importantly,
> > > > > > > we
> > > > > > > > > > won't
> > > > > > > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> The main concern I have on this is same origin
> > policy,
> > > > and
> > > > > > > > > matching
> > > > > > > > > > >>> the
> > > > > > > > > > >>>> remotely-served cordova.js with the
> locally-installed
> > > > native
> > > > > > > > Cordova
> > > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do
> you
> > > > > agree?
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> If you agree, what would you think of a blurb in
> > > > > > cordova-docs
> > > > > > > > > > >>> somewhere
> > > > > > > > > > >>>> that captures this gist?
> > > > > > > > > > >>>>>>
> > > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> --
> > > > > > > > > > >>>
> > > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > > >>>
> > > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > > >>>
> > > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > > >>>
> > > > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > > > >>
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <
> > > http://www.wizcorp.jp/>
> > > > > > > > > ------------------------------
> > > > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 |
> > > Website
> > > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > > https://twitter.com/Wizcorp>
> > > > |
> > > > > > > > > Facebook
> > > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Carlos Santana
> > > > > <cs...@gmail.com>
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > ------------------------------
> > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > > Facebook
> > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > <http://www.linkedin.com/company/wizcorp>
> > > >
> > >
> >
> >
> >
> > --
> > Carlos Santana
> > <cs...@gmail.com>
> >
>
--
Carlos Santana
<cs...@gmail.com>
Re: remotely loaded pages
Posted by Brian LeRoux <b...@brian.io>.
totally, though connect-phonegap *could* be considered production worthy
(it is being used significantly by the pg downstream community)
On Thu, Aug 21, 2014 at 10:53 AM, Carlos Santana <cs...@gmail.com>
wrote:
> Brain I think that's OK at development time everything is fair game :-)
>
> The problem is developers doing stupid things like loading a cordova.js
> from a place they don't know for a in production app being used by end
> users, that's just kamikaze
>
> That's OK if they want to shoot themselves in the foot, but then don't come
> crying to JIRA claiming that is a problem with Cordova project.
>
>
> On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
>
> > phonegap-connect serves up remote cordova.js (negotiates the requestor to
> > send the right file)
> >
> > no deaths yet!
> >
> >
> >
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
> >
> >
> > On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <ao...@wizcorp.jp>
> wrote:
> >
> > > That's a good difference to point out.
> > >
> > > >My personal position is that scenarios where developer is in control
> and
> > > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > >scenario for Cordova
> > >
> > > I agree, because as cordova.js and cordovaLib are version linked, it
> > makes
> > > sense that once an index.html is pulled in, it's cordova.js to load is
> > > already in the client application.
> > > Loading an external cordova.js would be suicidal. So we save the file
> > > locally to write into it's <HEAD> our known path to codova.js
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <cs...@gmail.com>
> > > wrote:
> > >
> > > > I want to make clarification there is a notable difference between
> > > loading
> > > > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a
> > downloaded
> > > > webapp to be loaded from a *local* HTML.
> > > >
> > > > IBM Worklight has a feature "Direct update"
> > > >
> > > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > > >
> > > > The scenario is a download and local load of html/cordova. Similar
> > > scenario
> > > > as spellcaster and appmobi
> > > > For this scenario there is control from app developer of the code
> being
> > > > loaded.
> > > >
> > > > What Marcel is asking is a *non-local* load of arbitrary html/code
> not
> > > > control by developer, developer loading a free html page own someone
> > else
> > > > and doing kind of a "document.location.replace('
> > > > http://somerandom.com/thisotherguy.html')"
> > > >
> > > > My personal position is that scenarios where developer is in control
> > and
> > > > loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > > scenario for Cordova. loading a random cordova.js directly from a
> > > non-local
> > > > random place not guarantee to be supported.
> > > >
> > > >
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io> wrote:
> > > >
> > > > > Very much so. So much so, I think we should even consider such
> > > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <
> agrieve@chromium.org
> > >
> > > > > wrote:
> > > > >
> > > > > > I think this is a very desired plugin that many end up
> re-writing,
> > > and
> > > > > it's
> > > > > > far better than setting the content src directly to a remote URL.
> > > > > >
> > > > > > E.g. just stumbled across this yesterday:
> > > > > > http://docs.appmobi.com/index.php/live-update/
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <
> mmocny@chromium.org
> > >
> > > > > wrote:
> > > > > >
> > > > > > > Make it available Ally, of course that sounds interesting!
> > > > > > >
> > > > > > > I'm sure a few of us have suggestions for improvements too.
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> > aogilvie@wizcorp.jp
> > > >
> > > > > > wrote:
> > > > > > >
> > > > > > > > Marcel, Sorry for the late reply.
> > > > > > > >
> > > > > > > > For some games that I produce where the entire game is served
> > to
> > > > the
> > > > > > > client
> > > > > > > > (requires no .html in the application) we have a tool called
> > > > > > > "spellcaster".
> > > > > > > > Spellcaster handles internet connectivity, localisation and
> > > Cordova
> > > > > > code
> > > > > > > > injection. It works as follows:
> > > > > > > >
> > > > > > > > One simply adds an application URL to Cordova's config.xml in
> > > > > <content
> > > > > > > > src=YOUR_URL_HERE>
> > > > > > > >
> > > > > > > > - Spellcaster will check for an active internet connection.
> If
> > > one
> > > > is
> > > > > > not
> > > > > > > > found Spellcaster will continue retrying at a set interval.
> > > > > > > > - Spellcaster downloads the content of the provided
> application
> > > URL
> > > > > and
> > > > > > > > stores to application cache (overriding any existing loader).
> > > > > > > > - Spellcaster injects Cordova script tags just after the
> <head>
> > > > tag.
> > > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > > >
> > > > > > > > *loader is your html to load.
> > > > > > > >
> > > > > > > > Are people still in need of such a solution? I could have
> this
> > > code
> > > > > > made
> > > > > > > > public it just needs a public sanitise check. Spellcaster
> > > supports
> > > > > iOS
> > > > > > > and
> > > > > > > > Android.
> > > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > > didFinishLaunchingWithOptions.
> > > > > > > > For Android it requires these overrides in onCreate:
> > > > > > > >
> > > > > > > > @Override
> > > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > > super.onCreate(savedInstanceState);
> > > > > > > > super.init();
> > > > > > > >
> > > > > > > > @Override
> > > > > > > > public void init() {
> > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > > > ...
> > > > > > > >
> > > > > > > > @Override
> > > > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > > > > org.apache.cordova.CordovaWebViewClient
> > > webViewClient,
> > > > > > > > org.apache.cordova.CordovaChromeClient
> > > > webChromeClient)
> > > > > {
> > > > > > > > super.init(webView, webViewClient, webChromeClient);
> > > > > > > >
> > > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > > > ...
> > > > > > > >
> > > > > > > >
> > > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > > purplecabbage@gmail.com
> > > > > > >
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > It is great design for development, and netflix.
> > > > > > > > >
> > > > > > > > > Sent from my iPhone
> > > > > > > > >
> > > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > > mhweiner234@gmail.com
> > > > >
> > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > It's technically possible, and even (arguably) legal
> > > according
> > > > to
> > > > > > > > Apple's
> > > > > > > > > > documentation, depending on the nature of the code and
> how
> > > it's
> > > > > > > > > implemented:
> > > > > > > > > >
> > > > > > > > > > 3.3.2 An Application may not download or install
> executable
> > > > code.
> > > > > > > > > > Interpreted code may only be used in an Application if
> all
> > > > > scripts,
> > > > > > > > code
> > > > > > > > > > and interpreters are packaged in the Application and not
> > > > > > downloaded.
> > > > > > > > The
> > > > > > > > > > only exception to the foregoing is scripts and code
> > > downloaded
> > > > > and
> > > > > > > run
> > > > > > > > by
> > > > > > > > > > Apple's built-in WebKit framework, provided that such
> > scripts
> > > > and
> > > > > > > code
> > > > > > > > do
> > > > > > > > > > not change the primary purpose of the Application by
> > > providing
> > > > > > > features
> > > > > > > > > or
> > > > > > > > > > functionality that are inconsistent with the intended and
> > > > > > advertised
> > > > > > > > > > purpose of the Application as submitted to the App Store.
> > > > > > > > > >
> > > > > > > > > > However, I would only do so if the code is coming from a
> > > server
> > > > > > that
> > > > > > > > you
> > > > > > > > > > control, and if you are able to control what code is
> > getting
> > > > > > > executed.
> > > > > > > > > > Loading in 3rd party, unverified scripts into your
> Cordova
> > > view
> > > > > is
> > > > > > a
> > > > > > > > big
> > > > > > > > > > "no-no" for security reasons, and could get your app
> > delisted
> > > > (or
> > > > > > > > > rejected).
> > > > > > > > > >
> > > > > > > > > > If anyone else has more information on the topic, I'd be
> > > > > interested
> > > > > > > in
> > > > > > > > > > hearing it.
> > > > > > > > > >
> > > > > > > > > > Marc
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > > sosah.victor@gmail.com
> > > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > >>
> > > > > > > > > >> Hi Frederico.
> > > > > > > > > >>
> > > > > > > > > >> While what you are saying about the policies stores is
> > true,
> > > > > this
> > > > > > > > > applies
> > > > > > > > > >> to public stores only (as far as I can tell). For
> > on-premise
> > > > app
> > > > > > > > stores
> > > > > > > > > >> this might be false because each store owner need to set
> > and
> > > > > apply
> > > > > > > the
> > > > > > > > > >> governance for the apps. It could end on horrible
> results
> > > due
> > > > > to a
> > > > > > > bad
> > > > > > > > > >> implementation.
> > > > > > > > > >>
> > > > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > > >> wrote:
> > > > > > > > > >>
> > > > > > > > > >>> I don't have the details in hand at the moment, but I
> > > > remember
> > > > > > > seeing
> > > > > > > > > in
> > > > > > > > > >>> more than one application store last year policies
> being
> > > > > changed
> > > > > > to
> > > > > > > > > >>> disallow remote code to run in an application
> on-demand.
> > > Such
> > > > > > rules
> > > > > > > > > >> *could*
> > > > > > > > > >>> as well be applied to Cordova apps that load remote
> > content
> > > > > > > > considered
> > > > > > > > > as
> > > > > > > > > >>> code (HTML isn't, but JS is). It's not only a security
> > > > concern
> > > > > > per
> > > > > > > > se,
> > > > > > > > > >> but
> > > > > > > > > >>> also an imposed limitation on the stores (which were
> > > > obviously
> > > > > > > > created
> > > > > > > > > >> for
> > > > > > > > > >>> security concerns in the first place).
> > > > > > > > > >>>
> > > > > > > > > >>> Not even mentioning the issues with providing the right
> > > > > > cordova.js
> > > > > > > > > >> version
> > > > > > > > > >>> from the remote server not really knowing where the
> > request
> > > > > came
> > > > > > > > from.
> > > > > > > > > >>> However, it's good to note too that aside Phonegap
> > > Developer
> > > > > App,
> > > > > > > > there
> > > > > > > > > >> is
> > > > > > > > > >>> also Adobe Hydration that does the exact same thing as
> a
> > > side
> > > > > > > service
> > > > > > > > > to
> > > > > > > > > >>> Phonegap Build. I don't know if they've come into any
> of
> > > the
> > > > > > issues
> > > > > > > > > >>> mentioned, and I haven't even heard of it being used in
> > > > > > production.
> > > > > > > > > >>>
> > > > > > > > > >>>
> > > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > > purplecabbage@gmail.com
> > > > > > > >:
> > > > > > > > > >>>
> > > > > > > > > >>>> I agree with all your statements Marcel. I use this
> > > approach
> > > > > > > > > frequently
> > > > > > > > > >>> in
> > > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > > >>>> Ultimately App Store policies decide what can and
> cannot
> > > be
> > > > > > done.
> > > > > > > > > >>>>
> > > > > > > > > >>>> Regarding security, there is nothing I can do with a
> > > remote
> > > > > page
> > > > > > > > that
> > > > > > > > > I
> > > > > > > > > >>>> can't already do inside my app. It's an issue of
> trust.
> > > > > > > > > >>>>
> > > > > > > > > >>>>
> > > > > > > > > >>>> Sent from my iPhone
> > > > > > > > > >>>>
> > > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> > shazron@gmail.com>
> > > > > > wrote:
> > > > > > > > > >>>>>
> > > > > > > > > >>>>> I agree that it is not recommended, but it's
> possible.
> > I
> > > > > delved
> > > > > > > > into
> > > > > > > > > >>>>> this question here:
> > > > > > > > > >>>>>
> > https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > > >>>>>
> > > > > > > > > >>>>> The PhoneGap Developer App is an example of how this
> is
> > > > > working
> > > > > > > at
> > > > > > > > > >>>>> http://app.phonegap.com but they do some proxying to
> > get
> > > > > > around
> > > > > > > > the
> > > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > > >>>>>
> > > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > > > > cmarcelk@gmail.com>
> > > > > > > > > >>>> wrote:
> > > > > > > > > >>>>>> I've been getting occasional questions about users
> > > trying
> > > > to
> > > > > > use
> > > > > > > > > >>>> remotely-loaded (non-local) HTML pages with Cordova
> (in
> > > the
> > > > > > > webview,
> > > > > > > > > >> not
> > > > > > > > > >>>> InAppBrowser), and still expecting to have access to
> the
> > > > > plugin
> > > > > > > APIs
> > > > > > > > > >>>> (camera is a popular one). My response so far is:
> "This
> > is
> > > > an
> > > > > > > > > >> unsupported
> > > > > > > > > >>>> configuration, because Cordova was not designed for
> this
> > > and
> > > > > the
> > > > > > > > > >>> community
> > > > > > > > > >>>> does no testing of this configuration. While it can
> work
> > > in
> > > > > some
> > > > > > > > > >>>> circumstances, it is not recommended nor supported."
> > > > > > > > > >>>>>>
> > > > > > > > > >>>>>> My definition of "unsupported" is not that it is
> > > > incapable,
> > > > > > but
> > > > > > > > that
> > > > > > > > > >>> we
> > > > > > > > > >>>> don't claim that it is supposed to work, and more
> > > > importantly,
> > > > > > we
> > > > > > > > > won't
> > > > > > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > > > > > >>>>>>
> > > > > > > > > >>>>>> The main concern I have on this is same origin
> policy,
> > > and
> > > > > > > > matching
> > > > > > > > > >>> the
> > > > > > > > > >>>> remotely-served cordova.js with the locally-installed
> > > native
> > > > > > > Cordova
> > > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > > >>>>>>
> > > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you
> > > > agree?
> > > > > > > > > >>>>>>
> > > > > > > > > >>>>>> If you agree, what would you think of a blurb in
> > > > > cordova-docs
> > > > > > > > > >>> somewhere
> > > > > > > > > >>>> that captures this gist?
> > > > > > > > > >>>>>>
> > > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > > >>>
> > > > > > > > > >>>
> > > > > > > > > >>>
> > > > > > > > > >>> --
> > > > > > > > > >>>
> > > > > > > > > >>> *Frederico Galvão*
> > > > > > > > > >>>
> > > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > > >>>
> > > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > > >>>
> > > > > > > > > >>>
> > > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > > >>>
> > > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > > >>
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <
> > http://www.wizcorp.jp/>
> > > > > > > > ------------------------------
> > > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 |
> > Website
> > > > > > > > <http://www.wizcorp.jp/> | Twitter <
> > https://twitter.com/Wizcorp>
> > > |
> > > > > > > > Facebook
> > > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Carlos Santana
> > > > <cs...@gmail.com>
> > > >
> > >
> > >
> > >
> > > --
> > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > ------------------------------
> > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > Facebook
> > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > <http://www.linkedin.com/company/wizcorp>
> > >
> >
>
>
>
> --
> Carlos Santana
> <cs...@gmail.com>
>
Re: remotely loaded pages
Posted by Carlos Santana <cs...@gmail.com>.
Brain I think that's OK at development time everything is fair game :-)
The problem is developers doing stupid things like loading a cordova.js
from a place they don't know for a in production app being used by end
users, that's just kamikaze
That's OK if they want to shoot themselves in the foot, but then don't come
crying to JIRA claiming that is a problem with Cordova project.
On Thu, Aug 21, 2014 at 1:30 PM, Brian LeRoux <b...@brian.io> wrote:
> phonegap-connect serves up remote cordova.js (negotiates the requestor to
> send the right file)
>
> no deaths yet!
>
>
> https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
>
>
> On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <ao...@wizcorp.jp> wrote:
>
> > That's a good difference to point out.
> >
> > >My personal position is that scenarios where developer is in control and
> > >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > >scenario for Cordova
> >
> > I agree, because as cordova.js and cordovaLib are version linked, it
> makes
> > sense that once an index.html is pulled in, it's cordova.js to load is
> > already in the client application.
> > Loading an external cordova.js would be suicidal. So we save the file
> > locally to write into it's <HEAD> our known path to codova.js
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <cs...@gmail.com>
> > wrote:
> >
> > > I want to make clarification there is a notable difference between
> > loading
> > > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a
> downloaded
> > > webapp to be loaded from a *local* HTML.
> > >
> > > IBM Worklight has a feature "Direct update"
> > >
> > >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> > >
> > > The scenario is a download and local load of html/cordova. Similar
> > scenario
> > > as spellcaster and appmobi
> > > For this scenario there is control from app developer of the code being
> > > loaded.
> > >
> > > What Marcel is asking is a *non-local* load of arbitrary html/code not
> > > control by developer, developer loading a free html page own someone
> else
> > > and doing kind of a "document.location.replace('
> > > http://somerandom.com/thisotherguy.html')"
> > >
> > > My personal position is that scenarios where developer is in control
> and
> > > loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > > scenario for Cordova. loading a random cordova.js directly from a
> > non-local
> > > random place not guarantee to be supported.
> > >
> > >
> > >
> > >
> > > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io> wrote:
> > >
> > > > Very much so. So much so, I think we should even consider such
> > > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <agrieve@chromium.org
> >
> > > > wrote:
> > > >
> > > > > I think this is a very desired plugin that many end up re-writing,
> > and
> > > > it's
> > > > > far better than setting the content src directly to a remote URL.
> > > > >
> > > > > E.g. just stumbled across this yesterday:
> > > > > http://docs.appmobi.com/index.php/live-update/
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mmocny@chromium.org
> >
> > > > wrote:
> > > > >
> > > > > > Make it available Ally, of course that sounds interesting!
> > > > > >
> > > > > > I'm sure a few of us have suggestions for improvements too.
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <
> aogilvie@wizcorp.jp
> > >
> > > > > wrote:
> > > > > >
> > > > > > > Marcel, Sorry for the late reply.
> > > > > > >
> > > > > > > For some games that I produce where the entire game is served
> to
> > > the
> > > > > > client
> > > > > > > (requires no .html in the application) we have a tool called
> > > > > > "spellcaster".
> > > > > > > Spellcaster handles internet connectivity, localisation and
> > Cordova
> > > > > code
> > > > > > > injection. It works as follows:
> > > > > > >
> > > > > > > One simply adds an application URL to Cordova's config.xml in
> > > > <content
> > > > > > > src=YOUR_URL_HERE>
> > > > > > >
> > > > > > > - Spellcaster will check for an active internet connection. If
> > one
> > > is
> > > > > not
> > > > > > > found Spellcaster will continue retrying at a set interval.
> > > > > > > - Spellcaster downloads the content of the provided application
> > URL
> > > > and
> > > > > > > stores to application cache (overriding any existing loader).
> > > > > > > - Spellcaster injects Cordova script tags just after the <head>
> > > tag.
> > > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > > >
> > > > > > > *loader is your html to load.
> > > > > > >
> > > > > > > Are people still in need of such a solution? I could have this
> > code
> > > > > made
> > > > > > > public it just needs a public sanitise check. Spellcaster
> > supports
> > > > iOS
> > > > > > and
> > > > > > > Android.
> > > > > > > For iOS it requires 1 line of code to be added to
> > > > > > > didFinishLaunchingWithOptions.
> > > > > > > For Android it requires these overrides in onCreate:
> > > > > > >
> > > > > > > @Override
> > > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > > super.onCreate(savedInstanceState);
> > > > > > > super.init();
> > > > > > >
> > > > > > > @Override
> > > > > > > public void init() {
> > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > > ...
> > > > > > >
> > > > > > > @Override
> > > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > > > org.apache.cordova.CordovaWebViewClient
> > webViewClient,
> > > > > > > org.apache.cordova.CordovaChromeClient
> > > webChromeClient)
> > > > {
> > > > > > > super.init(webView, webViewClient, webChromeClient);
> > > > > > >
> > > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > > ...
> > > > > > >
> > > > > > >
> > > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > > purplecabbage@gmail.com
> > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > It is great design for development, and netflix.
> > > > > > > >
> > > > > > > > Sent from my iPhone
> > > > > > > >
> > > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> > mhweiner234@gmail.com
> > > >
> > > > > > wrote:
> > > > > > > > >
> > > > > > > > > It's technically possible, and even (arguably) legal
> > according
> > > to
> > > > > > > Apple's
> > > > > > > > > documentation, depending on the nature of the code and how
> > it's
> > > > > > > > implemented:
> > > > > > > > >
> > > > > > > > > 3.3.2 An Application may not download or install executable
> > > code.
> > > > > > > > > Interpreted code may only be used in an Application if all
> > > > scripts,
> > > > > > > code
> > > > > > > > > and interpreters are packaged in the Application and not
> > > > > downloaded.
> > > > > > > The
> > > > > > > > > only exception to the foregoing is scripts and code
> > downloaded
> > > > and
> > > > > > run
> > > > > > > by
> > > > > > > > > Apple's built-in WebKit framework, provided that such
> scripts
> > > and
> > > > > > code
> > > > > > > do
> > > > > > > > > not change the primary purpose of the Application by
> > providing
> > > > > > features
> > > > > > > > or
> > > > > > > > > functionality that are inconsistent with the intended and
> > > > > advertised
> > > > > > > > > purpose of the Application as submitted to the App Store.
> > > > > > > > >
> > > > > > > > > However, I would only do so if the code is coming from a
> > server
> > > > > that
> > > > > > > you
> > > > > > > > > control, and if you are able to control what code is
> getting
> > > > > > executed.
> > > > > > > > > Loading in 3rd party, unverified scripts into your Cordova
> > view
> > > > is
> > > > > a
> > > > > > > big
> > > > > > > > > "no-no" for security reasons, and could get your app
> delisted
> > > (or
> > > > > > > > rejected).
> > > > > > > > >
> > > > > > > > > If anyone else has more information on the topic, I'd be
> > > > interested
> > > > > > in
> > > > > > > > > hearing it.
> > > > > > > > >
> > > > > > > > > Marc
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > > sosah.victor@gmail.com
> > > > > > >
> > > > > > > > wrote:
> > > > > > > > >>
> > > > > > > > >> Hi Frederico.
> > > > > > > > >>
> > > > > > > > >> While what you are saying about the policies stores is
> true,
> > > > this
> > > > > > > > applies
> > > > > > > > >> to public stores only (as far as I can tell). For
> on-premise
> > > app
> > > > > > > stores
> > > > > > > > >> this might be false because each store owner need to set
> and
> > > > apply
> > > > > > the
> > > > > > > > >> governance for the apps. It could end on horrible results
> > due
> > > > to a
> > > > > > bad
> > > > > > > > >> implementation.
> > > > > > > > >>
> > > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > > >> wrote:
> > > > > > > > >>
> > > > > > > > >>> I don't have the details in hand at the moment, but I
> > > remember
> > > > > > seeing
> > > > > > > > in
> > > > > > > > >>> more than one application store last year policies being
> > > > changed
> > > > > to
> > > > > > > > >>> disallow remote code to run in an application on-demand.
> > Such
> > > > > rules
> > > > > > > > >> *could*
> > > > > > > > >>> as well be applied to Cordova apps that load remote
> content
> > > > > > > considered
> > > > > > > > as
> > > > > > > > >>> code (HTML isn't, but JS is). It's not only a security
> > > concern
> > > > > per
> > > > > > > se,
> > > > > > > > >> but
> > > > > > > > >>> also an imposed limitation on the stores (which were
> > > obviously
> > > > > > > created
> > > > > > > > >> for
> > > > > > > > >>> security concerns in the first place).
> > > > > > > > >>>
> > > > > > > > >>> Not even mentioning the issues with providing the right
> > > > > cordova.js
> > > > > > > > >> version
> > > > > > > > >>> from the remote server not really knowing where the
> request
> > > > came
> > > > > > > from.
> > > > > > > > >>> However, it's good to note too that aside Phonegap
> > Developer
> > > > App,
> > > > > > > there
> > > > > > > > >> is
> > > > > > > > >>> also Adobe Hydration that does the exact same thing as a
> > side
> > > > > > service
> > > > > > > > to
> > > > > > > > >>> Phonegap Build. I don't know if they've come into any of
> > the
> > > > > issues
> > > > > > > > >>> mentioned, and I haven't even heard of it being used in
> > > > > production.
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > > purplecabbage@gmail.com
> > > > > > >:
> > > > > > > > >>>
> > > > > > > > >>>> I agree with all your statements Marcel. I use this
> > approach
> > > > > > > > frequently
> > > > > > > > >>> in
> > > > > > > > >>>> dev for fast turnaround.
> > > > > > > > >>>> Ultimately App Store policies decide what can and cannot
> > be
> > > > > done.
> > > > > > > > >>>>
> > > > > > > > >>>> Regarding security, there is nothing I can do with a
> > remote
> > > > page
> > > > > > > that
> > > > > > > > I
> > > > > > > > >>>> can't already do inside my app. It's an issue of trust.
> > > > > > > > >>>>
> > > > > > > > >>>>
> > > > > > > > >>>> Sent from my iPhone
> > > > > > > > >>>>
> > > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <
> shazron@gmail.com>
> > > > > wrote:
> > > > > > > > >>>>>
> > > > > > > > >>>>> I agree that it is not recommended, but it's possible.
> I
> > > > delved
> > > > > > > into
> > > > > > > > >>>>> this question here:
> > > > > > > > >>>>>
> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > > >>>>>
> > > > > > > > >>>>> The PhoneGap Developer App is an example of how this is
> > > > working
> > > > > > at
> > > > > > > > >>>>> http://app.phonegap.com but they do some proxying to
> get
> > > > > around
> > > > > > > the
> > > > > > > > >>>>> CORS limitations I believe.
> > > > > > > > >>>>>
> > > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > > > cmarcelk@gmail.com>
> > > > > > > > >>>> wrote:
> > > > > > > > >>>>>> I've been getting occasional questions about users
> > trying
> > > to
> > > > > use
> > > > > > > > >>>> remotely-loaded (non-local) HTML pages with Cordova (in
> > the
> > > > > > webview,
> > > > > > > > >> not
> > > > > > > > >>>> InAppBrowser), and still expecting to have access to the
> > > > plugin
> > > > > > APIs
> > > > > > > > >>>> (camera is a popular one). My response so far is: "This
> is
> > > an
> > > > > > > > >> unsupported
> > > > > > > > >>>> configuration, because Cordova was not designed for this
> > and
> > > > the
> > > > > > > > >>> community
> > > > > > > > >>>> does no testing of this configuration. While it can work
> > in
> > > > some
> > > > > > > > >>>> circumstances, it is not recommended nor supported."
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> My definition of "unsupported" is not that it is
> > > incapable,
> > > > > but
> > > > > > > that
> > > > > > > > >>> we
> > > > > > > > >>>> don't claim that it is supposed to work, and more
> > > importantly,
> > > > > we
> > > > > > > > won't
> > > > > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> The main concern I have on this is same origin policy,
> > and
> > > > > > > matching
> > > > > > > > >>> the
> > > > > > > > >>>> remotely-served cordova.js with the locally-installed
> > native
> > > > > > Cordova
> > > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you
> > > agree?
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> If you agree, what would you think of a blurb in
> > > > cordova-docs
> > > > > > > > >>> somewhere
> > > > > > > > >>>> that captures this gist?
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> --
> > > > > > > > >>>
> > > > > > > > >>> *Frederico Galvão*
> > > > > > > > >>>
> > > > > > > > >>> Diretor de Tecnologia
> > > > > > > > >>>
> > > > > > > > >>> PontoGet Inovação Web
> > > > > > > > >>>
> > > > > > > > >>>
> > > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > > >>>
> > > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > > >>
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > > Lead Developer - MobDev. | Wizcorp Inc. <
> http://www.wizcorp.jp/>
> > > > > > > ------------------------------
> > > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 |
> Website
> > > > > > > <http://www.wizcorp.jp/> | Twitter <
> https://twitter.com/Wizcorp>
> > |
> > > > > > > Facebook
> > > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Carlos Santana
> > > <cs...@gmail.com>
> > >
> >
> >
> >
> > --
> > <http://www.wizcorp.jp/>Ally Ogilvie
> > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > ------------------------------
> > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > Facebook
> > <http://www.facebook.com/Wizcorp> | LinkedIn
> > <http://www.linkedin.com/company/wizcorp>
> >
>
--
Carlos Santana
<cs...@gmail.com>
Re: remotely loaded pages
Posted by Brian LeRoux <b...@brian.io>.
phonegap-connect serves up remote cordova.js (negotiates the requestor to
send the right file)
no deaths yet!
https://github.com/phonegap/connect-phonegap/blob/master/lib/middleware/cordova/cordova.js#L29
On Wed, Aug 20, 2014 at 8:57 PM, Ally Ogilvie <ao...@wizcorp.jp> wrote:
> That's a good difference to point out.
>
> >My personal position is that scenarios where developer is in control and
> >loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> >scenario for Cordova
>
> I agree, because as cordova.js and cordovaLib are version linked, it makes
> sense that once an index.html is pulled in, it's cordova.js to load is
> already in the client application.
> Loading an external cordova.js would be suicidal. So we save the file
> locally to write into it's <HEAD> our known path to codova.js
>
>
>
>
>
>
>
> On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <cs...@gmail.com>
> wrote:
>
> > I want to make clarification there is a notable difference between
> loading
> > a remotely-loaded *(non-local) *HTML pages with Cordova vs. a downloaded
> > webapp to be loaded from a *local* HTML.
> >
> > IBM Worklight has a feature "Direct update"
> >
> >
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
> >
> > The scenario is a download and local load of html/cordova. Similar
> scenario
> > as spellcaster and appmobi
> > For this scenario there is control from app developer of the code being
> > loaded.
> >
> > What Marcel is asking is a *non-local* load of arbitrary html/code not
> > control by developer, developer loading a free html page own someone else
> > and doing kind of a "document.location.replace('
> > http://somerandom.com/thisotherguy.html')"
> >
> > My personal position is that scenarios where developer is in control and
> > loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> > scenario for Cordova. loading a random cordova.js directly from a
> non-local
> > random place not guarantee to be supported.
> >
> >
> >
> >
> > On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io> wrote:
> >
> > > Very much so. So much so, I think we should even consider such
> > > functionality as 'core'. Could dovetail w/ Serviceworker.
> > >
> > >
> > > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <ag...@chromium.org>
> > > wrote:
> > >
> > > > I think this is a very desired plugin that many end up re-writing,
> and
> > > it's
> > > > far better than setting the content src directly to a remote URL.
> > > >
> > > > E.g. just stumbled across this yesterday:
> > > > http://docs.appmobi.com/index.php/live-update/
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mm...@chromium.org>
> > > wrote:
> > > >
> > > > > Make it available Ally, of course that sounds interesting!
> > > > >
> > > > > I'm sure a few of us have suggestions for improvements too.
> > > > >
> > > > >
> > > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <aogilvie@wizcorp.jp
> >
> > > > wrote:
> > > > >
> > > > > > Marcel, Sorry for the late reply.
> > > > > >
> > > > > > For some games that I produce where the entire game is served to
> > the
> > > > > client
> > > > > > (requires no .html in the application) we have a tool called
> > > > > "spellcaster".
> > > > > > Spellcaster handles internet connectivity, localisation and
> Cordova
> > > > code
> > > > > > injection. It works as follows:
> > > > > >
> > > > > > One simply adds an application URL to Cordova's config.xml in
> > > <content
> > > > > > src=YOUR_URL_HERE>
> > > > > >
> > > > > > - Spellcaster will check for an active internet connection. If
> one
> > is
> > > > not
> > > > > > found Spellcaster will continue retrying at a set interval.
> > > > > > - Spellcaster downloads the content of the provided application
> URL
> > > and
> > > > > > stores to application cache (overriding any existing loader).
> > > > > > - Spellcaster injects Cordova script tags just after the <head>
> > tag.
> > > > > > - Spellcaster loads the new *loader into the WebView
> > > > > >
> > > > > > *loader is your html to load.
> > > > > >
> > > > > > Are people still in need of such a solution? I could have this
> code
> > > > made
> > > > > > public it just needs a public sanitise check. Spellcaster
> supports
> > > iOS
> > > > > and
> > > > > > Android.
> > > > > > For iOS it requires 1 line of code to be added to
> > > > > > didFinishLaunchingWithOptions.
> > > > > > For Android it requires these overrides in onCreate:
> > > > > >
> > > > > > @Override
> > > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > > super.onCreate(savedInstanceState);
> > > > > > super.init();
> > > > > >
> > > > > > @Override
> > > > > > public void init() {
> > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > > ...
> > > > > >
> > > > > > @Override
> > > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > > org.apache.cordova.CordovaWebViewClient
> webViewClient,
> > > > > > org.apache.cordova.CordovaChromeClient
> > webChromeClient)
> > > {
> > > > > > super.init(webView, webViewClient, webChromeClient);
> > > > > >
> > > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > > ...
> > > > > >
> > > > > >
> > > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > > purplecabbage@gmail.com
> > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > It is great design for development, and netflix.
> > > > > > >
> > > > > > > Sent from my iPhone
> > > > > > >
> > > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <
> mhweiner234@gmail.com
> > >
> > > > > wrote:
> > > > > > > >
> > > > > > > > It's technically possible, and even (arguably) legal
> according
> > to
> > > > > > Apple's
> > > > > > > > documentation, depending on the nature of the code and how
> it's
> > > > > > > implemented:
> > > > > > > >
> > > > > > > > 3.3.2 An Application may not download or install executable
> > code.
> > > > > > > > Interpreted code may only be used in an Application if all
> > > scripts,
> > > > > > code
> > > > > > > > and interpreters are packaged in the Application and not
> > > > downloaded.
> > > > > > The
> > > > > > > > only exception to the foregoing is scripts and code
> downloaded
> > > and
> > > > > run
> > > > > > by
> > > > > > > > Apple's built-in WebKit framework, provided that such scripts
> > and
> > > > > code
> > > > > > do
> > > > > > > > not change the primary purpose of the Application by
> providing
> > > > > features
> > > > > > > or
> > > > > > > > functionality that are inconsistent with the intended and
> > > > advertised
> > > > > > > > purpose of the Application as submitted to the App Store.
> > > > > > > >
> > > > > > > > However, I would only do so if the code is coming from a
> server
> > > > that
> > > > > > you
> > > > > > > > control, and if you are able to control what code is getting
> > > > > executed.
> > > > > > > > Loading in 3rd party, unverified scripts into your Cordova
> view
> > > is
> > > > a
> > > > > > big
> > > > > > > > "no-no" for security reasons, and could get your app delisted
> > (or
> > > > > > > rejected).
> > > > > > > >
> > > > > > > > If anyone else has more information on the topic, I'd be
> > > interested
> > > > > in
> > > > > > > > hearing it.
> > > > > > > >
> > > > > > > > Marc
> > > > > > > >
> > > > > > > >
> > > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > > sosah.victor@gmail.com
> > > > > >
> > > > > > > wrote:
> > > > > > > >>
> > > > > > > >> Hi Frederico.
> > > > > > > >>
> > > > > > > >> While what you are saying about the policies stores is true,
> > > this
> > > > > > > applies
> > > > > > > >> to public stores only (as far as I can tell). For on-premise
> > app
> > > > > > stores
> > > > > > > >> this might be false because each store owner need to set and
> > > apply
> > > > > the
> > > > > > > >> governance for the apps. It could end on horrible results
> due
> > > to a
> > > > > bad
> > > > > > > >> implementation.
> > > > > > > >>
> > > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > > >> wrote:
> > > > > > > >>
> > > > > > > >>> I don't have the details in hand at the moment, but I
> > remember
> > > > > seeing
> > > > > > > in
> > > > > > > >>> more than one application store last year policies being
> > > changed
> > > > to
> > > > > > > >>> disallow remote code to run in an application on-demand.
> Such
> > > > rules
> > > > > > > >> *could*
> > > > > > > >>> as well be applied to Cordova apps that load remote content
> > > > > > considered
> > > > > > > as
> > > > > > > >>> code (HTML isn't, but JS is). It's not only a security
> > concern
> > > > per
> > > > > > se,
> > > > > > > >> but
> > > > > > > >>> also an imposed limitation on the stores (which were
> > obviously
> > > > > > created
> > > > > > > >> for
> > > > > > > >>> security concerns in the first place).
> > > > > > > >>>
> > > > > > > >>> Not even mentioning the issues with providing the right
> > > > cordova.js
> > > > > > > >> version
> > > > > > > >>> from the remote server not really knowing where the request
> > > came
> > > > > > from.
> > > > > > > >>> However, it's good to note too that aside Phonegap
> Developer
> > > App,
> > > > > > there
> > > > > > > >> is
> > > > > > > >>> also Adobe Hydration that does the exact same thing as a
> side
> > > > > service
> > > > > > > to
> > > > > > > >>> Phonegap Build. I don't know if they've come into any of
> the
> > > > issues
> > > > > > > >>> mentioned, and I haven't even heard of it being used in
> > > > production.
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > > purplecabbage@gmail.com
> > > > > >:
> > > > > > > >>>
> > > > > > > >>>> I agree with all your statements Marcel. I use this
> approach
> > > > > > > frequently
> > > > > > > >>> in
> > > > > > > >>>> dev for fast turnaround.
> > > > > > > >>>> Ultimately App Store policies decide what can and cannot
> be
> > > > done.
> > > > > > > >>>>
> > > > > > > >>>> Regarding security, there is nothing I can do with a
> remote
> > > page
> > > > > > that
> > > > > > > I
> > > > > > > >>>> can't already do inside my app. It's an issue of trust.
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>> Sent from my iPhone
> > > > > > > >>>>
> > > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com>
> > > > wrote:
> > > > > > > >>>>>
> > > > > > > >>>>> I agree that it is not recommended, but it's possible. I
> > > delved
> > > > > > into
> > > > > > > >>>>> this question here:
> > > > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > > >>>>>
> > > > > > > >>>>> The PhoneGap Developer App is an example of how this is
> > > working
> > > > > at
> > > > > > > >>>>> http://app.phonegap.com but they do some proxying to get
> > > > around
> > > > > > the
> > > > > > > >>>>> CORS limitations I believe.
> > > > > > > >>>>>
> > > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > > cmarcelk@gmail.com>
> > > > > > > >>>> wrote:
> > > > > > > >>>>>> I've been getting occasional questions about users
> trying
> > to
> > > > use
> > > > > > > >>>> remotely-loaded (non-local) HTML pages with Cordova (in
> the
> > > > > webview,
> > > > > > > >> not
> > > > > > > >>>> InAppBrowser), and still expecting to have access to the
> > > plugin
> > > > > APIs
> > > > > > > >>>> (camera is a popular one). My response so far is: "This is
> > an
> > > > > > > >> unsupported
> > > > > > > >>>> configuration, because Cordova was not designed for this
> and
> > > the
> > > > > > > >>> community
> > > > > > > >>>> does no testing of this configuration. While it can work
> in
> > > some
> > > > > > > >>>> circumstances, it is not recommended nor supported."
> > > > > > > >>>>>>
> > > > > > > >>>>>> My definition of "unsupported" is not that it is
> > incapable,
> > > > but
> > > > > > that
> > > > > > > >>> we
> > > > > > > >>>> don't claim that it is supposed to work, and more
> > importantly,
> > > > we
> > > > > > > won't
> > > > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > > > >>>>>>
> > > > > > > >>>>>> The main concern I have on this is same origin policy,
> and
> > > > > > matching
> > > > > > > >>> the
> > > > > > > >>>> remotely-served cordova.js with the locally-installed
> native
> > > > > Cordova
> > > > > > > >>>> platform to avoid version mismatch.
> > > > > > > >>>>>>
> > > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you
> > agree?
> > > > > > > >>>>>>
> > > > > > > >>>>>> If you agree, what would you think of a blurb in
> > > cordova-docs
> > > > > > > >>> somewhere
> > > > > > > >>>> that captures this gist?
> > > > > > > >>>>>>
> > > > > > > >>>>>> Thanks for your feedback!
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> --
> > > > > > > >>>
> > > > > > > >>> *Frederico Galvão*
> > > > > > > >>>
> > > > > > > >>> Diretor de Tecnologia
> > > > > > > >>>
> > > > > > > >>> PontoGet Inovação Web
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> ( +55(62) 8131-5720
> > > > > > > >>>
> > > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > > >>
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > > ------------------------------
> > > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp>
> |
> > > > > > Facebook
> > > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > > <http://www.linkedin.com/company/wizcorp>
> > > > > >
> > > > >
> > > >
> > >
> >
> >
> >
> > --
> > Carlos Santana
> > <cs...@gmail.com>
> >
>
>
>
> --
> <http://www.wizcorp.jp/>Ally Ogilvie
> Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> ------------------------------
> TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> Facebook
> <http://www.facebook.com/Wizcorp> | LinkedIn
> <http://www.linkedin.com/company/wizcorp>
>
Re: remotely loaded pages
Posted by Ally Ogilvie <ao...@wizcorp.jp>.
That's a good difference to point out.
>My personal position is that scenarios where developer is in control and
>loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
>scenario for Cordova
I agree, because as cordova.js and cordovaLib are version linked, it makes
sense that once an index.html is pulled in, it's cordova.js to load is
already in the client application.
Loading an external cordova.js would be suicidal. So we save the file
locally to write into it's <HEAD> our known path to codova.js
On Thu, Aug 21, 2014 at 9:37 AM, Carlos Santana <cs...@gmail.com>
wrote:
> I want to make clarification there is a notable difference between loading
> a remotely-loaded *(non-local) *HTML pages with Cordova vs. a downloaded
> webapp to be loaded from a *local* HTML.
>
> IBM Worklight has a feature "Direct update"
>
> http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
>
> The scenario is a download and local load of html/cordova. Similar scenario
> as spellcaster and appmobi
> For this scenario there is control from app developer of the code being
> loaded.
>
> What Marcel is asking is a *non-local* load of arbitrary html/code not
> control by developer, developer loading a free html page own someone else
> and doing kind of a "document.location.replace('
> http://somerandom.com/thisotherguy.html')"
>
> My personal position is that scenarios where developer is in control and
> loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
> scenario for Cordova. loading a random cordova.js directly from a non-local
> random place not guarantee to be supported.
>
>
>
>
> On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io> wrote:
>
> > Very much so. So much so, I think we should even consider such
> > functionality as 'core'. Could dovetail w/ Serviceworker.
> >
> >
> > On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <ag...@chromium.org>
> > wrote:
> >
> > > I think this is a very desired plugin that many end up re-writing, and
> > it's
> > > far better than setting the content src directly to a remote URL.
> > >
> > > E.g. just stumbled across this yesterday:
> > > http://docs.appmobi.com/index.php/live-update/
> > >
> > >
> > > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mm...@chromium.org>
> > wrote:
> > >
> > > > Make it available Ally, of course that sounds interesting!
> > > >
> > > > I'm sure a few of us have suggestions for improvements too.
> > > >
> > > >
> > > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <ao...@wizcorp.jp>
> > > wrote:
> > > >
> > > > > Marcel, Sorry for the late reply.
> > > > >
> > > > > For some games that I produce where the entire game is served to
> the
> > > > client
> > > > > (requires no .html in the application) we have a tool called
> > > > "spellcaster".
> > > > > Spellcaster handles internet connectivity, localisation and Cordova
> > > code
> > > > > injection. It works as follows:
> > > > >
> > > > > One simply adds an application URL to Cordova's config.xml in
> > <content
> > > > > src=YOUR_URL_HERE>
> > > > >
> > > > > - Spellcaster will check for an active internet connection. If one
> is
> > > not
> > > > > found Spellcaster will continue retrying at a set interval.
> > > > > - Spellcaster downloads the content of the provided application URL
> > and
> > > > > stores to application cache (overriding any existing loader).
> > > > > - Spellcaster injects Cordova script tags just after the <head>
> tag.
> > > > > - Spellcaster loads the new *loader into the WebView
> > > > >
> > > > > *loader is your html to load.
> > > > >
> > > > > Are people still in need of such a solution? I could have this code
> > > made
> > > > > public it just needs a public sanitise check. Spellcaster supports
> > iOS
> > > > and
> > > > > Android.
> > > > > For iOS it requires 1 line of code to be added to
> > > > > didFinishLaunchingWithOptions.
> > > > > For Android it requires these overrides in onCreate:
> > > > >
> > > > > @Override
> > > > > public void onCreate(Bundle savedInstanceState) {
> > > > > super.onCreate(savedInstanceState);
> > > > > super.init();
> > > > >
> > > > > @Override
> > > > > public void init() {
> > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > > ...
> > > > >
> > > > > @Override
> > > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > > org.apache.cordova.CordovaWebViewClient webViewClient,
> > > > > org.apache.cordova.CordovaChromeClient
> webChromeClient)
> > {
> > > > > super.init(webView, webViewClient, webChromeClient);
> > > > >
> > > > > Spellcaster spellcaster = new Spellcaster();
> > > > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > > > ...
> > > > >
> > > > >
> > > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> > purplecabbage@gmail.com
> > > >
> > > > > wrote:
> > > > >
> > > > > > It is great design for development, and netflix.
> > > > > >
> > > > > > Sent from my iPhone
> > > > > >
> > > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mhweiner234@gmail.com
> >
> > > > wrote:
> > > > > > >
> > > > > > > It's technically possible, and even (arguably) legal according
> to
> > > > > Apple's
> > > > > > > documentation, depending on the nature of the code and how it's
> > > > > > implemented:
> > > > > > >
> > > > > > > 3.3.2 An Application may not download or install executable
> code.
> > > > > > > Interpreted code may only be used in an Application if all
> > scripts,
> > > > > code
> > > > > > > and interpreters are packaged in the Application and not
> > > downloaded.
> > > > > The
> > > > > > > only exception to the foregoing is scripts and code downloaded
> > and
> > > > run
> > > > > by
> > > > > > > Apple's built-in WebKit framework, provided that such scripts
> and
> > > > code
> > > > > do
> > > > > > > not change the primary purpose of the Application by providing
> > > > features
> > > > > > or
> > > > > > > functionality that are inconsistent with the intended and
> > > advertised
> > > > > > > purpose of the Application as submitted to the App Store.
> > > > > > >
> > > > > > > However, I would only do so if the code is coming from a server
> > > that
> > > > > you
> > > > > > > control, and if you are able to control what code is getting
> > > > executed.
> > > > > > > Loading in 3rd party, unverified scripts into your Cordova view
> > is
> > > a
> > > > > big
> > > > > > > "no-no" for security reasons, and could get your app delisted
> (or
> > > > > > rejected).
> > > > > > >
> > > > > > > If anyone else has more information on the topic, I'd be
> > interested
> > > > in
> > > > > > > hearing it.
> > > > > > >
> > > > > > > Marc
> > > > > > >
> > > > > > >
> > > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > > sosah.victor@gmail.com
> > > > >
> > > > > > wrote:
> > > > > > >>
> > > > > > >> Hi Frederico.
> > > > > > >>
> > > > > > >> While what you are saying about the policies stores is true,
> > this
> > > > > > applies
> > > > > > >> to public stores only (as far as I can tell). For on-premise
> app
> > > > > stores
> > > > > > >> this might be false because each store owner need to set and
> > apply
> > > > the
> > > > > > >> governance for the apps. It could end on horrible results due
> > to a
> > > > bad
> > > > > > >> implementation.
> > > > > > >>
> > > > > > >> I concur with everyone, it is possible but awful design
> > > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > > >> frederico.galvao@pontoget.com.br>
> > > > > > >> wrote:
> > > > > > >>
> > > > > > >>> I don't have the details in hand at the moment, but I
> remember
> > > > seeing
> > > > > > in
> > > > > > >>> more than one application store last year policies being
> > changed
> > > to
> > > > > > >>> disallow remote code to run in an application on-demand. Such
> > > rules
> > > > > > >> *could*
> > > > > > >>> as well be applied to Cordova apps that load remote content
> > > > > considered
> > > > > > as
> > > > > > >>> code (HTML isn't, but JS is). It's not only a security
> concern
> > > per
> > > > > se,
> > > > > > >> but
> > > > > > >>> also an imposed limitation on the stores (which were
> obviously
> > > > > created
> > > > > > >> for
> > > > > > >>> security concerns in the first place).
> > > > > > >>>
> > > > > > >>> Not even mentioning the issues with providing the right
> > > cordova.js
> > > > > > >> version
> > > > > > >>> from the remote server not really knowing where the request
> > came
> > > > > from.
> > > > > > >>> However, it's good to note too that aside Phonegap Developer
> > App,
> > > > > there
> > > > > > >> is
> > > > > > >>> also Adobe Hydration that does the exact same thing as a side
> > > > service
> > > > > > to
> > > > > > >>> Phonegap Build. I don't know if they've come into any of the
> > > issues
> > > > > > >>> mentioned, and I haven't even heard of it being used in
> > > production.
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > > purplecabbage@gmail.com
> > > > >:
> > > > > > >>>
> > > > > > >>>> I agree with all your statements Marcel. I use this approach
> > > > > > frequently
> > > > > > >>> in
> > > > > > >>>> dev for fast turnaround.
> > > > > > >>>> Ultimately App Store policies decide what can and cannot be
> > > done.
> > > > > > >>>>
> > > > > > >>>> Regarding security, there is nothing I can do with a remote
> > page
> > > > > that
> > > > > > I
> > > > > > >>>> can't already do inside my app. It's an issue of trust.
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> Sent from my iPhone
> > > > > > >>>>
> > > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com>
> > > wrote:
> > > > > > >>>>>
> > > > > > >>>>> I agree that it is not recommended, but it's possible. I
> > delved
> > > > > into
> > > > > > >>>>> this question here:
> > > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > > >>>>>
> > > > > > >>>>> The PhoneGap Developer App is an example of how this is
> > working
> > > > at
> > > > > > >>>>> http://app.phonegap.com but they do some proxying to get
> > > around
> > > > > the
> > > > > > >>>>> CORS limitations I believe.
> > > > > > >>>>>
> > > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > > cmarcelk@gmail.com>
> > > > > > >>>> wrote:
> > > > > > >>>>>> I've been getting occasional questions about users trying
> to
> > > use
> > > > > > >>>> remotely-loaded (non-local) HTML pages with Cordova (in the
> > > > webview,
> > > > > > >> not
> > > > > > >>>> InAppBrowser), and still expecting to have access to the
> > plugin
> > > > APIs
> > > > > > >>>> (camera is a popular one). My response so far is: "This is
> an
> > > > > > >> unsupported
> > > > > > >>>> configuration, because Cordova was not designed for this and
> > the
> > > > > > >>> community
> > > > > > >>>> does no testing of this configuration. While it can work in
> > some
> > > > > > >>>> circumstances, it is not recommended nor supported."
> > > > > > >>>>>>
> > > > > > >>>>>> My definition of "unsupported" is not that it is
> incapable,
> > > but
> > > > > that
> > > > > > >>> we
> > > > > > >>>> don't claim that it is supposed to work, and more
> importantly,
> > > we
> > > > > > won't
> > > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > > >>>>>>
> > > > > > >>>>>> The main concern I have on this is same origin policy, and
> > > > > matching
> > > > > > >>> the
> > > > > > >>>> remotely-served cordova.js with the locally-installed native
> > > > Cordova
> > > > > > >>>> platform to avoid version mismatch.
> > > > > > >>>>>>
> > > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you
> agree?
> > > > > > >>>>>>
> > > > > > >>>>>> If you agree, what would you think of a blurb in
> > cordova-docs
> > > > > > >>> somewhere
> > > > > > >>>> that captures this gist?
> > > > > > >>>>>>
> > > > > > >>>>>> Thanks for your feedback!
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> --
> > > > > > >>>
> > > > > > >>> *Frederico Galvão*
> > > > > > >>>
> > > > > > >>> Diretor de Tecnologia
> > > > > > >>>
> > > > > > >>> PontoGet Inovação Web
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> ( +55(62) 8131-5720
> > > > > > >>>
> > > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > > >>
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > > ------------------------------
> > > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > > > Facebook
> > > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > > <http://www.linkedin.com/company/wizcorp>
> > > > >
> > > >
> > >
> >
>
>
>
> --
> Carlos Santana
> <cs...@gmail.com>
>
--
<http://www.wizcorp.jp/>Ally Ogilvie
Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
------------------------------
TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
<http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> | Facebook
<http://www.facebook.com/Wizcorp> | LinkedIn
<http://www.linkedin.com/company/wizcorp>
Re: remotely loaded pages
Posted by Carlos Santana <cs...@gmail.com>.
I want to make clarification there is a notable difference between loading
a remotely-loaded *(non-local) *HTML pages with Cordova vs. a downloaded
webapp to be loaded from a *local* HTML.
IBM Worklight has a feature "Direct update"
http://www-01.ibm.com/support/knowledgecenter/api/content/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/admin/c_direct_updates_app_versions_to_mob.html?locale=en
The scenario is a download and local load of html/cordova. Similar scenario
as spellcaster and appmobi
For this scenario there is control from app developer of the code being
loaded.
What Marcel is asking is a *non-local* load of arbitrary html/code not
control by developer, developer loading a free html page own someone else
and doing kind of a "document.location.replace('
http://somerandom.com/thisotherguy.html')"
My personal position is that scenarios where developer is in control and
loaded locally (i.e. directupdate, appmobi, spellcaster) is a valid
scenario for Cordova. loading a random cordova.js directly from a non-local
random place not guarantee to be supported.
On Wed, Aug 20, 2014 at 12:07 PM, Brian LeRoux <b...@brian.io> wrote:
> Very much so. So much so, I think we should even consider such
> functionality as 'core'. Could dovetail w/ Serviceworker.
>
>
> On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <ag...@chromium.org>
> wrote:
>
> > I think this is a very desired plugin that many end up re-writing, and
> it's
> > far better than setting the content src directly to a remote URL.
> >
> > E.g. just stumbled across this yesterday:
> > http://docs.appmobi.com/index.php/live-update/
> >
> >
> > On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mm...@chromium.org>
> wrote:
> >
> > > Make it available Ally, of course that sounds interesting!
> > >
> > > I'm sure a few of us have suggestions for improvements too.
> > >
> > >
> > > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <ao...@wizcorp.jp>
> > wrote:
> > >
> > > > Marcel, Sorry for the late reply.
> > > >
> > > > For some games that I produce where the entire game is served to the
> > > client
> > > > (requires no .html in the application) we have a tool called
> > > "spellcaster".
> > > > Spellcaster handles internet connectivity, localisation and Cordova
> > code
> > > > injection. It works as follows:
> > > >
> > > > One simply adds an application URL to Cordova's config.xml in
> <content
> > > > src=YOUR_URL_HERE>
> > > >
> > > > - Spellcaster will check for an active internet connection. If one is
> > not
> > > > found Spellcaster will continue retrying at a set interval.
> > > > - Spellcaster downloads the content of the provided application URL
> and
> > > > stores to application cache (overriding any existing loader).
> > > > - Spellcaster injects Cordova script tags just after the <head> tag.
> > > > - Spellcaster loads the new *loader into the WebView
> > > >
> > > > *loader is your html to load.
> > > >
> > > > Are people still in need of such a solution? I could have this code
> > made
> > > > public it just needs a public sanitise check. Spellcaster supports
> iOS
> > > and
> > > > Android.
> > > > For iOS it requires 1 line of code to be added to
> > > > didFinishLaunchingWithOptions.
> > > > For Android it requires these overrides in onCreate:
> > > >
> > > > @Override
> > > > public void onCreate(Bundle savedInstanceState) {
> > > > super.onCreate(savedInstanceState);
> > > > super.init();
> > > >
> > > > @Override
> > > > public void init() {
> > > > Spellcaster spellcaster = new Spellcaster();
> > > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > > ...
> > > >
> > > > @Override
> > > > public void init(org.apache.cordova.CordovaWebView webView,
> > > > org.apache.cordova.CordovaWebViewClient webViewClient,
> > > > org.apache.cordova.CordovaChromeClient webChromeClient)
> {
> > > > super.init(webView, webViewClient, webChromeClient);
> > > >
> > > > Spellcaster spellcaster = new Spellcaster();
> > > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > > ...
> > > >
> > > >
> > > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <
> purplecabbage@gmail.com
> > >
> > > > wrote:
> > > >
> > > > > It is great design for development, and netflix.
> > > > >
> > > > > Sent from my iPhone
> > > > >
> > > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mh...@gmail.com>
> > > wrote:
> > > > > >
> > > > > > It's technically possible, and even (arguably) legal according to
> > > > Apple's
> > > > > > documentation, depending on the nature of the code and how it's
> > > > > implemented:
> > > > > >
> > > > > > 3.3.2 An Application may not download or install executable code.
> > > > > > Interpreted code may only be used in an Application if all
> scripts,
> > > > code
> > > > > > and interpreters are packaged in the Application and not
> > downloaded.
> > > > The
> > > > > > only exception to the foregoing is scripts and code downloaded
> and
> > > run
> > > > by
> > > > > > Apple's built-in WebKit framework, provided that such scripts and
> > > code
> > > > do
> > > > > > not change the primary purpose of the Application by providing
> > > features
> > > > > or
> > > > > > functionality that are inconsistent with the intended and
> > advertised
> > > > > > purpose of the Application as submitted to the App Store.
> > > > > >
> > > > > > However, I would only do so if the code is coming from a server
> > that
> > > > you
> > > > > > control, and if you are able to control what code is getting
> > > executed.
> > > > > > Loading in 3rd party, unverified scripts into your Cordova view
> is
> > a
> > > > big
> > > > > > "no-no" for security reasons, and could get your app delisted (or
> > > > > rejected).
> > > > > >
> > > > > > If anyone else has more information on the topic, I'd be
> interested
> > > in
> > > > > > hearing it.
> > > > > >
> > > > > > Marc
> > > > > >
> > > > > >
> > > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> > sosah.victor@gmail.com
> > > >
> > > > > wrote:
> > > > > >>
> > > > > >> Hi Frederico.
> > > > > >>
> > > > > >> While what you are saying about the policies stores is true,
> this
> > > > > applies
> > > > > >> to public stores only (as far as I can tell). For on-premise app
> > > > stores
> > > > > >> this might be false because each store owner need to set and
> apply
> > > the
> > > > > >> governance for the apps. It could end on horrible results due
> to a
> > > bad
> > > > > >> implementation.
> > > > > >>
> > > > > >> I concur with everyone, it is possible but awful design
> > > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > > >> frederico.galvao@pontoget.com.br>
> > > > > >> wrote:
> > > > > >>
> > > > > >>> I don't have the details in hand at the moment, but I remember
> > > seeing
> > > > > in
> > > > > >>> more than one application store last year policies being
> changed
> > to
> > > > > >>> disallow remote code to run in an application on-demand. Such
> > rules
> > > > > >> *could*
> > > > > >>> as well be applied to Cordova apps that load remote content
> > > > considered
> > > > > as
> > > > > >>> code (HTML isn't, but JS is). It's not only a security concern
> > per
> > > > se,
> > > > > >> but
> > > > > >>> also an imposed limitation on the stores (which were obviously
> > > > created
> > > > > >> for
> > > > > >>> security concerns in the first place).
> > > > > >>>
> > > > > >>> Not even mentioning the issues with providing the right
> > cordova.js
> > > > > >> version
> > > > > >>> from the remote server not really knowing where the request
> came
> > > > from.
> > > > > >>> However, it's good to note too that aside Phonegap Developer
> App,
> > > > there
> > > > > >> is
> > > > > >>> also Adobe Hydration that does the exact same thing as a side
> > > service
> > > > > to
> > > > > >>> Phonegap Build. I don't know if they've come into any of the
> > issues
> > > > > >>> mentioned, and I haven't even heard of it being used in
> > production.
> > > > > >>>
> > > > > >>>
> > > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> > purplecabbage@gmail.com
> > > >:
> > > > > >>>
> > > > > >>>> I agree with all your statements Marcel. I use this approach
> > > > > frequently
> > > > > >>> in
> > > > > >>>> dev for fast turnaround.
> > > > > >>>> Ultimately App Store policies decide what can and cannot be
> > done.
> > > > > >>>>
> > > > > >>>> Regarding security, there is nothing I can do with a remote
> page
> > > > that
> > > > > I
> > > > > >>>> can't already do inside my app. It's an issue of trust.
> > > > > >>>>
> > > > > >>>>
> > > > > >>>> Sent from my iPhone
> > > > > >>>>
> > > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com>
> > wrote:
> > > > > >>>>>
> > > > > >>>>> I agree that it is not recommended, but it's possible. I
> delved
> > > > into
> > > > > >>>>> this question here:
> > > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > > >>>>>
> > > > > >>>>> The PhoneGap Developer App is an example of how this is
> working
> > > at
> > > > > >>>>> http://app.phonegap.com but they do some proxying to get
> > around
> > > > the
> > > > > >>>>> CORS limitations I believe.
> > > > > >>>>>
> > > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > > cmarcelk@gmail.com>
> > > > > >>>> wrote:
> > > > > >>>>>> I've been getting occasional questions about users trying to
> > use
> > > > > >>>> remotely-loaded (non-local) HTML pages with Cordova (in the
> > > webview,
> > > > > >> not
> > > > > >>>> InAppBrowser), and still expecting to have access to the
> plugin
> > > APIs
> > > > > >>>> (camera is a popular one). My response so far is: "This is an
> > > > > >> unsupported
> > > > > >>>> configuration, because Cordova was not designed for this and
> the
> > > > > >>> community
> > > > > >>>> does no testing of this configuration. While it can work in
> some
> > > > > >>>> circumstances, it is not recommended nor supported."
> > > > > >>>>>>
> > > > > >>>>>> My definition of "unsupported" is not that it is incapable,
> > but
> > > > that
> > > > > >>> we
> > > > > >>>> don't claim that it is supposed to work, and more importantly,
> > we
> > > > > won't
> > > > > >>>> actively fix user-submitted defects on this topic.
> > > > > >>>>>>
> > > > > >>>>>> The main concern I have on this is same origin policy, and
> > > > matching
> > > > > >>> the
> > > > > >>>> remotely-served cordova.js with the locally-installed native
> > > Cordova
> > > > > >>>> platform to avoid version mismatch.
> > > > > >>>>>>
> > > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > > > > >>>>>>
> > > > > >>>>>> If you agree, what would you think of a blurb in
> cordova-docs
> > > > > >>> somewhere
> > > > > >>>> that captures this gist?
> > > > > >>>>>>
> > > > > >>>>>> Thanks for your feedback!
> > > > > >>>
> > > > > >>>
> > > > > >>>
> > > > > >>> --
> > > > > >>>
> > > > > >>> *Frederico Galvão*
> > > > > >>>
> > > > > >>> Diretor de Tecnologia
> > > > > >>>
> > > > > >>> PontoGet Inovação Web
> > > > > >>>
> > > > > >>>
> > > > > >>> ( +55(62) 8131-5720
> > > > > >>>
> > > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > > >>
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > > ------------------------------
> > > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > > Facebook
> > > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > > <http://www.linkedin.com/company/wizcorp>
> > > >
> > >
> >
>
--
Carlos Santana
<cs...@gmail.com>
Re: remotely loaded pages
Posted by Brian LeRoux <b...@brian.io>.
Very much so. So much so, I think we should even consider such
functionality as 'core'. Could dovetail w/ Serviceworker.
On Wed, Aug 20, 2014 at 7:26 AM, Andrew Grieve <ag...@chromium.org> wrote:
> I think this is a very desired plugin that many end up re-writing, and it's
> far better than setting the content src directly to a remote URL.
>
> E.g. just stumbled across this yesterday:
> http://docs.appmobi.com/index.php/live-update/
>
>
> On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mm...@chromium.org> wrote:
>
> > Make it available Ally, of course that sounds interesting!
> >
> > I'm sure a few of us have suggestions for improvements too.
> >
> >
> > On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <ao...@wizcorp.jp>
> wrote:
> >
> > > Marcel, Sorry for the late reply.
> > >
> > > For some games that I produce where the entire game is served to the
> > client
> > > (requires no .html in the application) we have a tool called
> > "spellcaster".
> > > Spellcaster handles internet connectivity, localisation and Cordova
> code
> > > injection. It works as follows:
> > >
> > > One simply adds an application URL to Cordova's config.xml in <content
> > > src=YOUR_URL_HERE>
> > >
> > > - Spellcaster will check for an active internet connection. If one is
> not
> > > found Spellcaster will continue retrying at a set interval.
> > > - Spellcaster downloads the content of the provided application URL and
> > > stores to application cache (overriding any existing loader).
> > > - Spellcaster injects Cordova script tags just after the <head> tag.
> > > - Spellcaster loads the new *loader into the WebView
> > >
> > > *loader is your html to load.
> > >
> > > Are people still in need of such a solution? I could have this code
> made
> > > public it just needs a public sanitise check. Spellcaster supports iOS
> > and
> > > Android.
> > > For iOS it requires 1 line of code to be added to
> > > didFinishLaunchingWithOptions.
> > > For Android it requires these overrides in onCreate:
> > >
> > > @Override
> > > public void onCreate(Bundle savedInstanceState) {
> > > super.onCreate(savedInstanceState);
> > > super.init();
> > >
> > > @Override
> > > public void init() {
> > > Spellcaster spellcaster = new Spellcaster();
> > > spellcaster.init(this, Config.getStartUrl(), appView);
> > > ...
> > >
> > > @Override
> > > public void init(org.apache.cordova.CordovaWebView webView,
> > > org.apache.cordova.CordovaWebViewClient webViewClient,
> > > org.apache.cordova.CordovaChromeClient webChromeClient) {
> > > super.init(webView, webViewClient, webChromeClient);
> > >
> > > Spellcaster spellcaster = new Spellcaster();
> > > spellcaster.init(this, Config.getStartUrl(), webView);
> > > ...
> > >
> > >
> > > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <purplecabbage@gmail.com
> >
> > > wrote:
> > >
> > > > It is great design for development, and netflix.
> > > >
> > > > Sent from my iPhone
> > > >
> > > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mh...@gmail.com>
> > wrote:
> > > > >
> > > > > It's technically possible, and even (arguably) legal according to
> > > Apple's
> > > > > documentation, depending on the nature of the code and how it's
> > > > implemented:
> > > > >
> > > > > 3.3.2 An Application may not download or install executable code.
> > > > > Interpreted code may only be used in an Application if all scripts,
> > > code
> > > > > and interpreters are packaged in the Application and not
> downloaded.
> > > The
> > > > > only exception to the foregoing is scripts and code downloaded and
> > run
> > > by
> > > > > Apple's built-in WebKit framework, provided that such scripts and
> > code
> > > do
> > > > > not change the primary purpose of the Application by providing
> > features
> > > > or
> > > > > functionality that are inconsistent with the intended and
> advertised
> > > > > purpose of the Application as submitted to the App Store.
> > > > >
> > > > > However, I would only do so if the code is coming from a server
> that
> > > you
> > > > > control, and if you are able to control what code is getting
> > executed.
> > > > > Loading in 3rd party, unverified scripts into your Cordova view is
> a
> > > big
> > > > > "no-no" for security reasons, and could get your app delisted (or
> > > > rejected).
> > > > >
> > > > > If anyone else has more information on the topic, I'd be interested
> > in
> > > > > hearing it.
> > > > >
> > > > > Marc
> > > > >
> > > > >
> > > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <
> sosah.victor@gmail.com
> > >
> > > > wrote:
> > > > >>
> > > > >> Hi Frederico.
> > > > >>
> > > > >> While what you are saying about the policies stores is true, this
> > > > applies
> > > > >> to public stores only (as far as I can tell). For on-premise app
> > > stores
> > > > >> this might be false because each store owner need to set and apply
> > the
> > > > >> governance for the apps. It could end on horrible results due to a
> > bad
> > > > >> implementation.
> > > > >>
> > > > >> I concur with everyone, it is possible but awful design
> > > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > > >> frederico.galvao@pontoget.com.br>
> > > > >> wrote:
> > > > >>
> > > > >>> I don't have the details in hand at the moment, but I remember
> > seeing
> > > > in
> > > > >>> more than one application store last year policies being changed
> to
> > > > >>> disallow remote code to run in an application on-demand. Such
> rules
> > > > >> *could*
> > > > >>> as well be applied to Cordova apps that load remote content
> > > considered
> > > > as
> > > > >>> code (HTML isn't, but JS is). It's not only a security concern
> per
> > > se,
> > > > >> but
> > > > >>> also an imposed limitation on the stores (which were obviously
> > > created
> > > > >> for
> > > > >>> security concerns in the first place).
> > > > >>>
> > > > >>> Not even mentioning the issues with providing the right
> cordova.js
> > > > >> version
> > > > >>> from the remote server not really knowing where the request came
> > > from.
> > > > >>> However, it's good to note too that aside Phonegap Developer App,
> > > there
> > > > >> is
> > > > >>> also Adobe Hydration that does the exact same thing as a side
> > service
> > > > to
> > > > >>> Phonegap Build. I don't know if they've come into any of the
> issues
> > > > >>> mentioned, and I haven't even heard of it being used in
> production.
> > > > >>>
> > > > >>>
> > > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <
> purplecabbage@gmail.com
> > >:
> > > > >>>
> > > > >>>> I agree with all your statements Marcel. I use this approach
> > > > frequently
> > > > >>> in
> > > > >>>> dev for fast turnaround.
> > > > >>>> Ultimately App Store policies decide what can and cannot be
> done.
> > > > >>>>
> > > > >>>> Regarding security, there is nothing I can do with a remote page
> > > that
> > > > I
> > > > >>>> can't already do inside my app. It's an issue of trust.
> > > > >>>>
> > > > >>>>
> > > > >>>> Sent from my iPhone
> > > > >>>>
> > > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com>
> wrote:
> > > > >>>>>
> > > > >>>>> I agree that it is not recommended, but it's possible. I delved
> > > into
> > > > >>>>> this question here:
> > > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > > >>>>>
> > > > >>>>> The PhoneGap Developer App is an example of how this is working
> > at
> > > > >>>>> http://app.phonegap.com but they do some proxying to get
> around
> > > the
> > > > >>>>> CORS limitations I believe.
> > > > >>>>>
> > > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > > cmarcelk@gmail.com>
> > > > >>>> wrote:
> > > > >>>>>> I've been getting occasional questions about users trying to
> use
> > > > >>>> remotely-loaded (non-local) HTML pages with Cordova (in the
> > webview,
> > > > >> not
> > > > >>>> InAppBrowser), and still expecting to have access to the plugin
> > APIs
> > > > >>>> (camera is a popular one). My response so far is: "This is an
> > > > >> unsupported
> > > > >>>> configuration, because Cordova was not designed for this and the
> > > > >>> community
> > > > >>>> does no testing of this configuration. While it can work in some
> > > > >>>> circumstances, it is not recommended nor supported."
> > > > >>>>>>
> > > > >>>>>> My definition of "unsupported" is not that it is incapable,
> but
> > > that
> > > > >>> we
> > > > >>>> don't claim that it is supposed to work, and more importantly,
> we
> > > > won't
> > > > >>>> actively fix user-submitted defects on this topic.
> > > > >>>>>>
> > > > >>>>>> The main concern I have on this is same origin policy, and
> > > matching
> > > > >>> the
> > > > >>>> remotely-served cordova.js with the locally-installed native
> > Cordova
> > > > >>>> platform to avoid version mismatch.
> > > > >>>>>>
> > > > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > > > >>>>>>
> > > > >>>>>> If you agree, what would you think of a blurb in cordova-docs
> > > > >>> somewhere
> > > > >>>> that captures this gist?
> > > > >>>>>>
> > > > >>>>>> Thanks for your feedback!
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>> --
> > > > >>>
> > > > >>> *Frederico Galvão*
> > > > >>>
> > > > >>> Diretor de Tecnologia
> > > > >>>
> > > > >>> PontoGet Inovação Web
> > > > >>>
> > > > >>>
> > > > >>> ( +55(62) 8131-5720
> > > > >>>
> > > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > > >>
> > > >
> > >
> > >
> > >
> > > --
> > > <http://www.wizcorp.jp/>Ally Ogilvie
> > > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > > ------------------------------
> > > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > > Facebook
> > > <http://www.facebook.com/Wizcorp> | LinkedIn
> > > <http://www.linkedin.com/company/wizcorp>
> > >
> >
>
Re: remotely loaded pages
Posted by Andrew Grieve <ag...@chromium.org>.
I think this is a very desired plugin that many end up re-writing, and it's
far better than setting the content src directly to a remote URL.
E.g. just stumbled across this yesterday:
http://docs.appmobi.com/index.php/live-update/
On Wed, Aug 20, 2014 at 7:57 AM, Michal Mocny <mm...@chromium.org> wrote:
> Make it available Ally, of course that sounds interesting!
>
> I'm sure a few of us have suggestions for improvements too.
>
>
> On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <ao...@wizcorp.jp> wrote:
>
> > Marcel, Sorry for the late reply.
> >
> > For some games that I produce where the entire game is served to the
> client
> > (requires no .html in the application) we have a tool called
> "spellcaster".
> > Spellcaster handles internet connectivity, localisation and Cordova code
> > injection. It works as follows:
> >
> > One simply adds an application URL to Cordova's config.xml in <content
> > src=YOUR_URL_HERE>
> >
> > - Spellcaster will check for an active internet connection. If one is not
> > found Spellcaster will continue retrying at a set interval.
> > - Spellcaster downloads the content of the provided application URL and
> > stores to application cache (overriding any existing loader).
> > - Spellcaster injects Cordova script tags just after the <head> tag.
> > - Spellcaster loads the new *loader into the WebView
> >
> > *loader is your html to load.
> >
> > Are people still in need of such a solution? I could have this code made
> > public it just needs a public sanitise check. Spellcaster supports iOS
> and
> > Android.
> > For iOS it requires 1 line of code to be added to
> > didFinishLaunchingWithOptions.
> > For Android it requires these overrides in onCreate:
> >
> > @Override
> > public void onCreate(Bundle savedInstanceState) {
> > super.onCreate(savedInstanceState);
> > super.init();
> >
> > @Override
> > public void init() {
> > Spellcaster spellcaster = new Spellcaster();
> > spellcaster.init(this, Config.getStartUrl(), appView);
> > ...
> >
> > @Override
> > public void init(org.apache.cordova.CordovaWebView webView,
> > org.apache.cordova.CordovaWebViewClient webViewClient,
> > org.apache.cordova.CordovaChromeClient webChromeClient) {
> > super.init(webView, webViewClient, webChromeClient);
> >
> > Spellcaster spellcaster = new Spellcaster();
> > spellcaster.init(this, Config.getStartUrl(), webView);
> > ...
> >
> >
> > On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <pu...@gmail.com>
> > wrote:
> >
> > > It is great design for development, and netflix.
> > >
> > > Sent from my iPhone
> > >
> > > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mh...@gmail.com>
> wrote:
> > > >
> > > > It's technically possible, and even (arguably) legal according to
> > Apple's
> > > > documentation, depending on the nature of the code and how it's
> > > implemented:
> > > >
> > > > 3.3.2 An Application may not download or install executable code.
> > > > Interpreted code may only be used in an Application if all scripts,
> > code
> > > > and interpreters are packaged in the Application and not downloaded.
> > The
> > > > only exception to the foregoing is scripts and code downloaded and
> run
> > by
> > > > Apple's built-in WebKit framework, provided that such scripts and
> code
> > do
> > > > not change the primary purpose of the Application by providing
> features
> > > or
> > > > functionality that are inconsistent with the intended and advertised
> > > > purpose of the Application as submitted to the App Store.
> > > >
> > > > However, I would only do so if the code is coming from a server that
> > you
> > > > control, and if you are able to control what code is getting
> executed.
> > > > Loading in 3rd party, unverified scripts into your Cordova view is a
> > big
> > > > "no-no" for security reasons, and could get your app delisted (or
> > > rejected).
> > > >
> > > > If anyone else has more information on the topic, I'd be interested
> in
> > > > hearing it.
> > > >
> > > > Marc
> > > >
> > > >
> > > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <sosah.victor@gmail.com
> >
> > > wrote:
> > > >>
> > > >> Hi Frederico.
> > > >>
> > > >> While what you are saying about the policies stores is true, this
> > > applies
> > > >> to public stores only (as far as I can tell). For on-premise app
> > stores
> > > >> this might be false because each store owner need to set and apply
> the
> > > >> governance for the apps. It could end on horrible results due to a
> bad
> > > >> implementation.
> > > >>
> > > >> I concur with everyone, it is possible but awful design
> > > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > > >> frederico.galvao@pontoget.com.br>
> > > >> wrote:
> > > >>
> > > >>> I don't have the details in hand at the moment, but I remember
> seeing
> > > in
> > > >>> more than one application store last year policies being changed to
> > > >>> disallow remote code to run in an application on-demand. Such rules
> > > >> *could*
> > > >>> as well be applied to Cordova apps that load remote content
> > considered
> > > as
> > > >>> code (HTML isn't, but JS is). It's not only a security concern per
> > se,
> > > >> but
> > > >>> also an imposed limitation on the stores (which were obviously
> > created
> > > >> for
> > > >>> security concerns in the first place).
> > > >>>
> > > >>> Not even mentioning the issues with providing the right cordova.js
> > > >> version
> > > >>> from the remote server not really knowing where the request came
> > from.
> > > >>> However, it's good to note too that aside Phonegap Developer App,
> > there
> > > >> is
> > > >>> also Adobe Hydration that does the exact same thing as a side
> service
> > > to
> > > >>> Phonegap Build. I don't know if they've come into any of the issues
> > > >>> mentioned, and I haven't even heard of it being used in production.
> > > >>>
> > > >>>
> > > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <purplecabbage@gmail.com
> >:
> > > >>>
> > > >>>> I agree with all your statements Marcel. I use this approach
> > > frequently
> > > >>> in
> > > >>>> dev for fast turnaround.
> > > >>>> Ultimately App Store policies decide what can and cannot be done.
> > > >>>>
> > > >>>> Regarding security, there is nothing I can do with a remote page
> > that
> > > I
> > > >>>> can't already do inside my app. It's an issue of trust.
> > > >>>>
> > > >>>>
> > > >>>> Sent from my iPhone
> > > >>>>
> > > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
> > > >>>>>
> > > >>>>> I agree that it is not recommended, but it's possible. I delved
> > into
> > > >>>>> this question here:
> > > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > > >>>>>
> > > >>>>> The PhoneGap Developer App is an example of how this is working
> at
> > > >>>>> http://app.phonegap.com but they do some proxying to get around
> > the
> > > >>>>> CORS limitations I believe.
> > > >>>>>
> > > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> > cmarcelk@gmail.com>
> > > >>>> wrote:
> > > >>>>>> I've been getting occasional questions about users trying to use
> > > >>>> remotely-loaded (non-local) HTML pages with Cordova (in the
> webview,
> > > >> not
> > > >>>> InAppBrowser), and still expecting to have access to the plugin
> APIs
> > > >>>> (camera is a popular one). My response so far is: "This is an
> > > >> unsupported
> > > >>>> configuration, because Cordova was not designed for this and the
> > > >>> community
> > > >>>> does no testing of this configuration. While it can work in some
> > > >>>> circumstances, it is not recommended nor supported."
> > > >>>>>>
> > > >>>>>> My definition of "unsupported" is not that it is incapable, but
> > that
> > > >>> we
> > > >>>> don't claim that it is supposed to work, and more importantly, we
> > > won't
> > > >>>> actively fix user-submitted defects on this topic.
> > > >>>>>>
> > > >>>>>> The main concern I have on this is same origin policy, and
> > matching
> > > >>> the
> > > >>>> remotely-served cordova.js with the locally-installed native
> Cordova
> > > >>>> platform to avoid version mismatch.
> > > >>>>>>
> > > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > > >>>>>>
> > > >>>>>> If you agree, what would you think of a blurb in cordova-docs
> > > >>> somewhere
> > > >>>> that captures this gist?
> > > >>>>>>
> > > >>>>>> Thanks for your feedback!
> > > >>>
> > > >>>
> > > >>>
> > > >>> --
> > > >>>
> > > >>> *Frederico Galvão*
> > > >>>
> > > >>> Diretor de Tecnologia
> > > >>>
> > > >>> PontoGet Inovação Web
> > > >>>
> > > >>>
> > > >>> ( +55(62) 8131-5720
> > > >>>
> > > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > > >>
> > >
> >
> >
> >
> > --
> > <http://www.wizcorp.jp/>Ally Ogilvie
> > Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> > ------------------------------
> > TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> > <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> > Facebook
> > <http://www.facebook.com/Wizcorp> | LinkedIn
> > <http://www.linkedin.com/company/wizcorp>
> >
>
Re: remotely loaded pages
Posted by Michal Mocny <mm...@chromium.org>.
Make it available Ally, of course that sounds interesting!
I'm sure a few of us have suggestions for improvements too.
On Wed, Aug 20, 2014 at 2:38 AM, Ally Ogilvie <ao...@wizcorp.jp> wrote:
> Marcel, Sorry for the late reply.
>
> For some games that I produce where the entire game is served to the client
> (requires no .html in the application) we have a tool called "spellcaster".
> Spellcaster handles internet connectivity, localisation and Cordova code
> injection. It works as follows:
>
> One simply adds an application URL to Cordova's config.xml in <content
> src=YOUR_URL_HERE>
>
> - Spellcaster will check for an active internet connection. If one is not
> found Spellcaster will continue retrying at a set interval.
> - Spellcaster downloads the content of the provided application URL and
> stores to application cache (overriding any existing loader).
> - Spellcaster injects Cordova script tags just after the <head> tag.
> - Spellcaster loads the new *loader into the WebView
>
> *loader is your html to load.
>
> Are people still in need of such a solution? I could have this code made
> public it just needs a public sanitise check. Spellcaster supports iOS and
> Android.
> For iOS it requires 1 line of code to be added to
> didFinishLaunchingWithOptions.
> For Android it requires these overrides in onCreate:
>
> @Override
> public void onCreate(Bundle savedInstanceState) {
> super.onCreate(savedInstanceState);
> super.init();
>
> @Override
> public void init() {
> Spellcaster spellcaster = new Spellcaster();
> spellcaster.init(this, Config.getStartUrl(), appView);
> ...
>
> @Override
> public void init(org.apache.cordova.CordovaWebView webView,
> org.apache.cordova.CordovaWebViewClient webViewClient,
> org.apache.cordova.CordovaChromeClient webChromeClient) {
> super.init(webView, webViewClient, webChromeClient);
>
> Spellcaster spellcaster = new Spellcaster();
> spellcaster.init(this, Config.getStartUrl(), webView);
> ...
>
>
> On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <pu...@gmail.com>
> wrote:
>
> > It is great design for development, and netflix.
> >
> > Sent from my iPhone
> >
> > > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mh...@gmail.com> wrote:
> > >
> > > It's technically possible, and even (arguably) legal according to
> Apple's
> > > documentation, depending on the nature of the code and how it's
> > implemented:
> > >
> > > 3.3.2 An Application may not download or install executable code.
> > > Interpreted code may only be used in an Application if all scripts,
> code
> > > and interpreters are packaged in the Application and not downloaded.
> The
> > > only exception to the foregoing is scripts and code downloaded and run
> by
> > > Apple's built-in WebKit framework, provided that such scripts and code
> do
> > > not change the primary purpose of the Application by providing features
> > or
> > > functionality that are inconsistent with the intended and advertised
> > > purpose of the Application as submitted to the App Store.
> > >
> > > However, I would only do so if the code is coming from a server that
> you
> > > control, and if you are able to control what code is getting executed.
> > > Loading in 3rd party, unverified scripts into your Cordova view is a
> big
> > > "no-no" for security reasons, and could get your app delisted (or
> > rejected).
> > >
> > > If anyone else has more information on the topic, I'd be interested in
> > > hearing it.
> > >
> > > Marc
> > >
> > >
> > >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <so...@gmail.com>
> > wrote:
> > >>
> > >> Hi Frederico.
> > >>
> > >> While what you are saying about the policies stores is true, this
> > applies
> > >> to public stores only (as far as I can tell). For on-premise app
> stores
> > >> this might be false because each store owner need to set and apply the
> > >> governance for the apps. It could end on horrible results due to a bad
> > >> implementation.
> > >>
> > >> I concur with everyone, it is possible but awful design
> > >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> > >> frederico.galvao@pontoget.com.br>
> > >> wrote:
> > >>
> > >>> I don't have the details in hand at the moment, but I remember seeing
> > in
> > >>> more than one application store last year policies being changed to
> > >>> disallow remote code to run in an application on-demand. Such rules
> > >> *could*
> > >>> as well be applied to Cordova apps that load remote content
> considered
> > as
> > >>> code (HTML isn't, but JS is). It's not only a security concern per
> se,
> > >> but
> > >>> also an imposed limitation on the stores (which were obviously
> created
> > >> for
> > >>> security concerns in the first place).
> > >>>
> > >>> Not even mentioning the issues with providing the right cordova.js
> > >> version
> > >>> from the remote server not really knowing where the request came
> from.
> > >>> However, it's good to note too that aside Phonegap Developer App,
> there
> > >> is
> > >>> also Adobe Hydration that does the exact same thing as a side service
> > to
> > >>> Phonegap Build. I don't know if they've come into any of the issues
> > >>> mentioned, and I haven't even heard of it being used in production.
> > >>>
> > >>>
> > >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
> > >>>
> > >>>> I agree with all your statements Marcel. I use this approach
> > frequently
> > >>> in
> > >>>> dev for fast turnaround.
> > >>>> Ultimately App Store policies decide what can and cannot be done.
> > >>>>
> > >>>> Regarding security, there is nothing I can do with a remote page
> that
> > I
> > >>>> can't already do inside my app. It's an issue of trust.
> > >>>>
> > >>>>
> > >>>> Sent from my iPhone
> > >>>>
> > >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
> > >>>>>
> > >>>>> I agree that it is not recommended, but it's possible. I delved
> into
> > >>>>> this question here:
> > >>>>> https://github.com/shazron/phonegap-questions/issues/37
> > >>>>>
> > >>>>> The PhoneGap Developer App is an example of how this is working at
> > >>>>> http://app.phonegap.com but they do some proxying to get around
> the
> > >>>>> CORS limitations I believe.
> > >>>>>
> > >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <
> cmarcelk@gmail.com>
> > >>>> wrote:
> > >>>>>> I've been getting occasional questions about users trying to use
> > >>>> remotely-loaded (non-local) HTML pages with Cordova (in the webview,
> > >> not
> > >>>> InAppBrowser), and still expecting to have access to the plugin APIs
> > >>>> (camera is a popular one). My response so far is: "This is an
> > >> unsupported
> > >>>> configuration, because Cordova was not designed for this and the
> > >>> community
> > >>>> does no testing of this configuration. While it can work in some
> > >>>> circumstances, it is not recommended nor supported."
> > >>>>>>
> > >>>>>> My definition of "unsupported" is not that it is incapable, but
> that
> > >>> we
> > >>>> don't claim that it is supposed to work, and more importantly, we
> > won't
> > >>>> actively fix user-submitted defects on this topic.
> > >>>>>>
> > >>>>>> The main concern I have on this is same origin policy, and
> matching
> > >>> the
> > >>>> remotely-served cordova.js with the locally-installed native Cordova
> > >>>> platform to avoid version mismatch.
> > >>>>>>
> > >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> > >>>>>>
> > >>>>>> If you agree, what would you think of a blurb in cordova-docs
> > >>> somewhere
> > >>>> that captures this gist?
> > >>>>>>
> > >>>>>> Thanks for your feedback!
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>>
> > >>> *Frederico Galvão*
> > >>>
> > >>> Diretor de Tecnologia
> > >>>
> > >>> PontoGet Inovação Web
> > >>>
> > >>>
> > >>> ( +55(62) 8131-5720
> > >>>
> > >>> * www.pontoget.com.br <http://www.pontoget.com/>
> > >>
> >
>
>
>
> --
> <http://www.wizcorp.jp/>Ally Ogilvie
> Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
> ------------------------------
> TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
> <http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> |
> Facebook
> <http://www.facebook.com/Wizcorp> | LinkedIn
> <http://www.linkedin.com/company/wizcorp>
>
Re: remotely loaded pages
Posted by Ally Ogilvie <ao...@wizcorp.jp>.
Marcel, Sorry for the late reply.
For some games that I produce where the entire game is served to the client
(requires no .html in the application) we have a tool called "spellcaster".
Spellcaster handles internet connectivity, localisation and Cordova code
injection. It works as follows:
One simply adds an application URL to Cordova's config.xml in <content
src=YOUR_URL_HERE>
- Spellcaster will check for an active internet connection. If one is not
found Spellcaster will continue retrying at a set interval.
- Spellcaster downloads the content of the provided application URL and
stores to application cache (overriding any existing loader).
- Spellcaster injects Cordova script tags just after the <head> tag.
- Spellcaster loads the new *loader into the WebView
*loader is your html to load.
Are people still in need of such a solution? I could have this code made
public it just needs a public sanitise check. Spellcaster supports iOS and
Android.
For iOS it requires 1 line of code to be added to
didFinishLaunchingWithOptions.
For Android it requires these overrides in onCreate:
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
super.init();
@Override
public void init() {
Spellcaster spellcaster = new Spellcaster();
spellcaster.init(this, Config.getStartUrl(), appView);
...
@Override
public void init(org.apache.cordova.CordovaWebView webView,
org.apache.cordova.CordovaWebViewClient webViewClient,
org.apache.cordova.CordovaChromeClient webChromeClient) {
super.init(webView, webViewClient, webChromeClient);
Spellcaster spellcaster = new Spellcaster();
spellcaster.init(this, Config.getStartUrl(), webView);
...
On Sat, Aug 2, 2014 at 2:17 PM, purplecabbage <pu...@gmail.com>
wrote:
> It is great design for development, and netflix.
>
> Sent from my iPhone
>
> > On Aug 1, 2014, at 4:26 PM, Marc Weiner <mh...@gmail.com> wrote:
> >
> > It's technically possible, and even (arguably) legal according to Apple's
> > documentation, depending on the nature of the code and how it's
> implemented:
> >
> > 3.3.2 An Application may not download or install executable code.
> > Interpreted code may only be used in an Application if all scripts, code
> > and interpreters are packaged in the Application and not downloaded. The
> > only exception to the foregoing is scripts and code downloaded and run by
> > Apple's built-in WebKit framework, provided that such scripts and code do
> > not change the primary purpose of the Application by providing features
> or
> > functionality that are inconsistent with the intended and advertised
> > purpose of the Application as submitted to the App Store.
> >
> > However, I would only do so if the code is coming from a server that you
> > control, and if you are able to control what code is getting executed.
> > Loading in 3rd party, unverified scripts into your Cordova view is a big
> > "no-no" for security reasons, and could get your app delisted (or
> rejected).
> >
> > If anyone else has more information on the topic, I'd be interested in
> > hearing it.
> >
> > Marc
> >
> >
> >> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <so...@gmail.com>
> wrote:
> >>
> >> Hi Frederico.
> >>
> >> While what you are saying about the policies stores is true, this
> applies
> >> to public stores only (as far as I can tell). For on-premise app stores
> >> this might be false because each store owner need to set and apply the
> >> governance for the apps. It could end on horrible results due to a bad
> >> implementation.
> >>
> >> I concur with everyone, it is possible but awful design
> >> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> >> frederico.galvao@pontoget.com.br>
> >> wrote:
> >>
> >>> I don't have the details in hand at the moment, but I remember seeing
> in
> >>> more than one application store last year policies being changed to
> >>> disallow remote code to run in an application on-demand. Such rules
> >> *could*
> >>> as well be applied to Cordova apps that load remote content considered
> as
> >>> code (HTML isn't, but JS is). It's not only a security concern per se,
> >> but
> >>> also an imposed limitation on the stores (which were obviously created
> >> for
> >>> security concerns in the first place).
> >>>
> >>> Not even mentioning the issues with providing the right cordova.js
> >> version
> >>> from the remote server not really knowing where the request came from.
> >>> However, it's good to note too that aside Phonegap Developer App, there
> >> is
> >>> also Adobe Hydration that does the exact same thing as a side service
> to
> >>> Phonegap Build. I don't know if they've come into any of the issues
> >>> mentioned, and I haven't even heard of it being used in production.
> >>>
> >>>
> >>> 2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
> >>>
> >>>> I agree with all your statements Marcel. I use this approach
> frequently
> >>> in
> >>>> dev for fast turnaround.
> >>>> Ultimately App Store policies decide what can and cannot be done.
> >>>>
> >>>> Regarding security, there is nothing I can do with a remote page that
> I
> >>>> can't already do inside my app. It's an issue of trust.
> >>>>
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
> >>>>>
> >>>>> I agree that it is not recommended, but it's possible. I delved into
> >>>>> this question here:
> >>>>> https://github.com/shazron/phonegap-questions/issues/37
> >>>>>
> >>>>> The PhoneGap Developer App is an example of how this is working at
> >>>>> http://app.phonegap.com but they do some proxying to get around the
> >>>>> CORS limitations I believe.
> >>>>>
> >>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com>
> >>>> wrote:
> >>>>>> I've been getting occasional questions about users trying to use
> >>>> remotely-loaded (non-local) HTML pages with Cordova (in the webview,
> >> not
> >>>> InAppBrowser), and still expecting to have access to the plugin APIs
> >>>> (camera is a popular one). My response so far is: "This is an
> >> unsupported
> >>>> configuration, because Cordova was not designed for this and the
> >>> community
> >>>> does no testing of this configuration. While it can work in some
> >>>> circumstances, it is not recommended nor supported."
> >>>>>>
> >>>>>> My definition of "unsupported" is not that it is incapable, but that
> >>> we
> >>>> don't claim that it is supposed to work, and more importantly, we
> won't
> >>>> actively fix user-submitted defects on this topic.
> >>>>>>
> >>>>>> The main concern I have on this is same origin policy, and matching
> >>> the
> >>>> remotely-served cordova.js with the locally-installed native Cordova
> >>>> platform to avoid version mismatch.
> >>>>>>
> >>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
> >>>>>>
> >>>>>> If you agree, what would you think of a blurb in cordova-docs
> >>> somewhere
> >>>> that captures this gist?
> >>>>>>
> >>>>>> Thanks for your feedback!
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> *Frederico Galvão*
> >>>
> >>> Diretor de Tecnologia
> >>>
> >>> PontoGet Inovação Web
> >>>
> >>>
> >>> ( +55(62) 8131-5720
> >>>
> >>> * www.pontoget.com.br <http://www.pontoget.com/>
> >>
>
--
<http://www.wizcorp.jp/>Ally Ogilvie
Lead Developer - MobDev. | Wizcorp Inc. <http://www.wizcorp.jp/>
------------------------------
TECH . GAMING . OPEN-SOURCE WIZARDS+ 81 (0)3-4550-1448 | Website
<http://www.wizcorp.jp/> | Twitter <https://twitter.com/Wizcorp> | Facebook
<http://www.facebook.com/Wizcorp> | LinkedIn
<http://www.linkedin.com/company/wizcorp>
Re: remotely loaded pages
Posted by purplecabbage <pu...@gmail.com>.
It is great design for development, and netflix.
Sent from my iPhone
> On Aug 1, 2014, at 4:26 PM, Marc Weiner <mh...@gmail.com> wrote:
>
> It's technically possible, and even (arguably) legal according to Apple's
> documentation, depending on the nature of the code and how it's implemented:
>
> 3.3.2 An Application may not download or install executable code.
> Interpreted code may only be used in an Application if all scripts, code
> and interpreters are packaged in the Application and not downloaded. The
> only exception to the foregoing is scripts and code downloaded and run by
> Apple's built-in WebKit framework, provided that such scripts and code do
> not change the primary purpose of the Application by providing features or
> functionality that are inconsistent with the intended and advertised
> purpose of the Application as submitted to the App Store.
>
> However, I would only do so if the code is coming from a server that you
> control, and if you are able to control what code is getting executed.
> Loading in 3rd party, unverified scripts into your Cordova view is a big
> "no-no" for security reasons, and could get your app delisted (or rejected).
>
> If anyone else has more information on the topic, I'd be interested in
> hearing it.
>
> Marc
>
>
>> On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <so...@gmail.com> wrote:
>>
>> Hi Frederico.
>>
>> While what you are saying about the policies stores is true, this applies
>> to public stores only (as far as I can tell). For on-premise app stores
>> this might be false because each store owner need to set and apply the
>> governance for the apps. It could end on horrible results due to a bad
>> implementation.
>>
>> I concur with everyone, it is possible but awful design
>> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
>> frederico.galvao@pontoget.com.br>
>> wrote:
>>
>>> I don't have the details in hand at the moment, but I remember seeing in
>>> more than one application store last year policies being changed to
>>> disallow remote code to run in an application on-demand. Such rules
>> *could*
>>> as well be applied to Cordova apps that load remote content considered as
>>> code (HTML isn't, but JS is). It's not only a security concern per se,
>> but
>>> also an imposed limitation on the stores (which were obviously created
>> for
>>> security concerns in the first place).
>>>
>>> Not even mentioning the issues with providing the right cordova.js
>> version
>>> from the remote server not really knowing where the request came from.
>>> However, it's good to note too that aside Phonegap Developer App, there
>> is
>>> also Adobe Hydration that does the exact same thing as a side service to
>>> Phonegap Build. I don't know if they've come into any of the issues
>>> mentioned, and I haven't even heard of it being used in production.
>>>
>>>
>>> 2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
>>>
>>>> I agree with all your statements Marcel. I use this approach frequently
>>> in
>>>> dev for fast turnaround.
>>>> Ultimately App Store policies decide what can and cannot be done.
>>>>
>>>> Regarding security, there is nothing I can do with a remote page that I
>>>> can't already do inside my app. It's an issue of trust.
>>>>
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
>>>>>
>>>>> I agree that it is not recommended, but it's possible. I delved into
>>>>> this question here:
>>>>> https://github.com/shazron/phonegap-questions/issues/37
>>>>>
>>>>> The PhoneGap Developer App is an example of how this is working at
>>>>> http://app.phonegap.com but they do some proxying to get around the
>>>>> CORS limitations I believe.
>>>>>
>>>>>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com>
>>>> wrote:
>>>>>> I've been getting occasional questions about users trying to use
>>>> remotely-loaded (non-local) HTML pages with Cordova (in the webview,
>> not
>>>> InAppBrowser), and still expecting to have access to the plugin APIs
>>>> (camera is a popular one). My response so far is: "This is an
>> unsupported
>>>> configuration, because Cordova was not designed for this and the
>>> community
>>>> does no testing of this configuration. While it can work in some
>>>> circumstances, it is not recommended nor supported."
>>>>>>
>>>>>> My definition of "unsupported" is not that it is incapable, but that
>>> we
>>>> don't claim that it is supposed to work, and more importantly, we won't
>>>> actively fix user-submitted defects on this topic.
>>>>>>
>>>>>> The main concern I have on this is same origin policy, and matching
>>> the
>>>> remotely-served cordova.js with the locally-installed native Cordova
>>>> platform to avoid version mismatch.
>>>>>>
>>>>>> Do you think I'm out in-the-weeds on this, or do you agree?
>>>>>>
>>>>>> If you agree, what would you think of a blurb in cordova-docs
>>> somewhere
>>>> that captures this gist?
>>>>>>
>>>>>> Thanks for your feedback!
>>>
>>>
>>>
>>> --
>>>
>>> *Frederico Galvão*
>>>
>>> Diretor de Tecnologia
>>>
>>> PontoGet Inovação Web
>>>
>>>
>>> ( +55(62) 8131-5720
>>>
>>> * www.pontoget.com.br <http://www.pontoget.com/>
>>
Re: remotely loaded pages
Posted by Marc Weiner <mh...@gmail.com>.
It's technically possible, and even (arguably) legal according to Apple's
documentation, depending on the nature of the code and how it's implemented:
3.3.2 An Application may not download or install executable code.
Interpreted code may only be used in an Application if all scripts, code
and interpreters are packaged in the Application and not downloaded. The
only exception to the foregoing is scripts and code downloaded and run by
Apple's built-in WebKit framework, provided that such scripts and code do
not change the primary purpose of the Application by providing features or
functionality that are inconsistent with the intended and advertised
purpose of the Application as submitted to the App Store.
However, I would only do so if the code is coming from a server that you
control, and if you are able to control what code is getting executed.
Loading in 3rd party, unverified scripts into your Cordova view is a big
"no-no" for security reasons, and could get your app delisted (or rejected).
If anyone else has more information on the topic, I'd be interested in
hearing it.
Marc
On Fri, Aug 1, 2014 at 7:01 PM, Victor Sosa <so...@gmail.com> wrote:
> Hi Frederico.
>
> While what you are saying about the policies stores is true, this applies
> to public stores only (as far as I can tell). For on-premise app stores
> this might be false because each store owner need to set and apply the
> governance for the apps. It could end on horrible results due to a bad
> implementation.
>
> I concur with everyone, it is possible but awful design
> On Aug 1, 2014 4:35 PM, "Frederico Galvão" <
> frederico.galvao@pontoget.com.br>
> wrote:
>
> > I don't have the details in hand at the moment, but I remember seeing in
> > more than one application store last year policies being changed to
> > disallow remote code to run in an application on-demand. Such rules
> *could*
> > as well be applied to Cordova apps that load remote content considered as
> > code (HTML isn't, but JS is). It's not only a security concern per se,
> but
> > also an imposed limitation on the stores (which were obviously created
> for
> > security concerns in the first place).
> >
> > Not even mentioning the issues with providing the right cordova.js
> version
> > from the remote server not really knowing where the request came from.
> > However, it's good to note too that aside Phonegap Developer App, there
> is
> > also Adobe Hydration that does the exact same thing as a side service to
> > Phonegap Build. I don't know if they've come into any of the issues
> > mentioned, and I haven't even heard of it being used in production.
> >
> >
> > 2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
> >
> > > I agree with all your statements Marcel. I use this approach frequently
> > in
> > > dev for fast turnaround.
> > > Ultimately App Store policies decide what can and cannot be done.
> > >
> > > Regarding security, there is nothing I can do with a remote page that I
> > > can't already do inside my app. It's an issue of trust.
> > >
> > >
> > > Sent from my iPhone
> > >
> > > > On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
> > > >
> > > > I agree that it is not recommended, but it's possible. I delved into
> > > > this question here:
> > > > https://github.com/shazron/phonegap-questions/issues/37
> > > >
> > > > The PhoneGap Developer App is an example of how this is working at
> > > > http://app.phonegap.com but they do some proxying to get around the
> > > > CORS limitations I believe.
> > > >
> > > >> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com>
> > > wrote:
> > > >> I've been getting occasional questions about users trying to use
> > > remotely-loaded (non-local) HTML pages with Cordova (in the webview,
> not
> > > InAppBrowser), and still expecting to have access to the plugin APIs
> > > (camera is a popular one). My response so far is: "This is an
> unsupported
> > > configuration, because Cordova was not designed for this and the
> > community
> > > does no testing of this configuration. While it can work in some
> > > circumstances, it is not recommended nor supported."
> > > >>
> > > >> My definition of "unsupported" is not that it is incapable, but that
> > we
> > > don't claim that it is supposed to work, and more importantly, we won't
> > > actively fix user-submitted defects on this topic.
> > > >>
> > > >> The main concern I have on this is same origin policy, and matching
> > the
> > > remotely-served cordova.js with the locally-installed native Cordova
> > > platform to avoid version mismatch.
> > > >>
> > > >> Do you think I'm out in-the-weeds on this, or do you agree?
> > > >>
> > > >> If you agree, what would you think of a blurb in cordova-docs
> > somewhere
> > > that captures this gist?
> > > >>
> > > >> Thanks for your feedback!
> > >
> >
> >
> >
> > --
> >
> > *Frederico Galvão*
> >
> > Diretor de Tecnologia
> >
> > PontoGet Inovação Web
> >
> >
> > ( +55(62) 8131-5720
> >
> > * www.pontoget.com.br <http://www.pontoget.com/>
> >
>
Re: remotely loaded pages
Posted by Victor Sosa <so...@gmail.com>.
Hi Frederico.
While what you are saying about the policies stores is true, this applies
to public stores only (as far as I can tell). For on-premise app stores
this might be false because each store owner need to set and apply the
governance for the apps. It could end on horrible results due to a bad
implementation.
I concur with everyone, it is possible but awful design
On Aug 1, 2014 4:35 PM, "Frederico Galvão" <fr...@pontoget.com.br>
wrote:
> I don't have the details in hand at the moment, but I remember seeing in
> more than one application store last year policies being changed to
> disallow remote code to run in an application on-demand. Such rules *could*
> as well be applied to Cordova apps that load remote content considered as
> code (HTML isn't, but JS is). It's not only a security concern per se, but
> also an imposed limitation on the stores (which were obviously created for
> security concerns in the first place).
>
> Not even mentioning the issues with providing the right cordova.js version
> from the remote server not really knowing where the request came from.
> However, it's good to note too that aside Phonegap Developer App, there is
> also Adobe Hydration that does the exact same thing as a side service to
> Phonegap Build. I don't know if they've come into any of the issues
> mentioned, and I haven't even heard of it being used in production.
>
>
> 2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
>
> > I agree with all your statements Marcel. I use this approach frequently
> in
> > dev for fast turnaround.
> > Ultimately App Store policies decide what can and cannot be done.
> >
> > Regarding security, there is nothing I can do with a remote page that I
> > can't already do inside my app. It's an issue of trust.
> >
> >
> > Sent from my iPhone
> >
> > > On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
> > >
> > > I agree that it is not recommended, but it's possible. I delved into
> > > this question here:
> > > https://github.com/shazron/phonegap-questions/issues/37
> > >
> > > The PhoneGap Developer App is an example of how this is working at
> > > http://app.phonegap.com but they do some proxying to get around the
> > > CORS limitations I believe.
> > >
> > >> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com>
> > wrote:
> > >> I've been getting occasional questions about users trying to use
> > remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
> > InAppBrowser), and still expecting to have access to the plugin APIs
> > (camera is a popular one). My response so far is: "This is an unsupported
> > configuration, because Cordova was not designed for this and the
> community
> > does no testing of this configuration. While it can work in some
> > circumstances, it is not recommended nor supported."
> > >>
> > >> My definition of "unsupported" is not that it is incapable, but that
> we
> > don't claim that it is supposed to work, and more importantly, we won't
> > actively fix user-submitted defects on this topic.
> > >>
> > >> The main concern I have on this is same origin policy, and matching
> the
> > remotely-served cordova.js with the locally-installed native Cordova
> > platform to avoid version mismatch.
> > >>
> > >> Do you think I'm out in-the-weeds on this, or do you agree?
> > >>
> > >> If you agree, what would you think of a blurb in cordova-docs
> somewhere
> > that captures this gist?
> > >>
> > >> Thanks for your feedback!
> >
>
>
>
> --
>
> *Frederico Galvão*
>
> Diretor de Tecnologia
>
> PontoGet Inovação Web
>
>
> ( +55(62) 8131-5720
>
> * www.pontoget.com.br <http://www.pontoget.com/>
>
Re: remotely loaded pages
Posted by Shazron <sh...@gmail.com>.
Adobe PhoneGap Build Hydration is different however -- it downloads an
app payload that is run locally (points to the new www folder
contents), and is only meant for dev purposes, not for App Store
release.
On Fri, Aug 1, 2014 at 2:34 PM, Frederico Galvão
<fr...@pontoget.com.br> wrote:
> I don't have the details in hand at the moment, but I remember seeing in
> more than one application store last year policies being changed to
> disallow remote code to run in an application on-demand. Such rules *could*
> as well be applied to Cordova apps that load remote content considered as
> code (HTML isn't, but JS is). It's not only a security concern per se, but
> also an imposed limitation on the stores (which were obviously created for
> security concerns in the first place).
>
> Not even mentioning the issues with providing the right cordova.js version
> from the remote server not really knowing where the request came from.
> However, it's good to note too that aside Phonegap Developer App, there is
> also Adobe Hydration that does the exact same thing as a side service to
> Phonegap Build. I don't know if they've come into any of the issues
> mentioned, and I haven't even heard of it being used in production.
>
>
> 2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
>
>> I agree with all your statements Marcel. I use this approach frequently in
>> dev for fast turnaround.
>> Ultimately App Store policies decide what can and cannot be done.
>>
>> Regarding security, there is nothing I can do with a remote page that I
>> can't already do inside my app. It's an issue of trust.
>>
>>
>> Sent from my iPhone
>>
>> > On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
>> >
>> > I agree that it is not recommended, but it's possible. I delved into
>> > this question here:
>> > https://github.com/shazron/phonegap-questions/issues/37
>> >
>> > The PhoneGap Developer App is an example of how this is working at
>> > http://app.phonegap.com but they do some proxying to get around the
>> > CORS limitations I believe.
>> >
>> >> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com>
>> wrote:
>> >> I've been getting occasional questions about users trying to use
>> remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
>> InAppBrowser), and still expecting to have access to the plugin APIs
>> (camera is a popular one). My response so far is: "This is an unsupported
>> configuration, because Cordova was not designed for this and the community
>> does no testing of this configuration. While it can work in some
>> circumstances, it is not recommended nor supported."
>> >>
>> >> My definition of "unsupported" is not that it is incapable, but that we
>> don't claim that it is supposed to work, and more importantly, we won't
>> actively fix user-submitted defects on this topic.
>> >>
>> >> The main concern I have on this is same origin policy, and matching the
>> remotely-served cordova.js with the locally-installed native Cordova
>> platform to avoid version mismatch.
>> >>
>> >> Do you think I'm out in-the-weeds on this, or do you agree?
>> >>
>> >> If you agree, what would you think of a blurb in cordova-docs somewhere
>> that captures this gist?
>> >>
>> >> Thanks for your feedback!
>>
>
>
>
> --
>
> *Frederico Galvão*
>
> Diretor de Tecnologia
>
> PontoGet Inovação Web
>
>
> ( +55(62) 8131-5720
>
> * www.pontoget.com.br <http://www.pontoget.com/>
Re: remotely loaded pages
Posted by Frederico Galvão <fr...@pontoget.com.br>.
I don't have the details in hand at the moment, but I remember seeing in
more than one application store last year policies being changed to
disallow remote code to run in an application on-demand. Such rules *could*
as well be applied to Cordova apps that load remote content considered as
code (HTML isn't, but JS is). It's not only a security concern per se, but
also an imposed limitation on the stores (which were obviously created for
security concerns in the first place).
Not even mentioning the issues with providing the right cordova.js version
from the remote server not really knowing where the request came from.
However, it's good to note too that aside Phonegap Developer App, there is
also Adobe Hydration that does the exact same thing as a side service to
Phonegap Build. I don't know if they've come into any of the issues
mentioned, and I haven't even heard of it being used in production.
2014-08-01 17:36 GMT-03:00 purplecabbage <pu...@gmail.com>:
> I agree with all your statements Marcel. I use this approach frequently in
> dev for fast turnaround.
> Ultimately App Store policies decide what can and cannot be done.
>
> Regarding security, there is nothing I can do with a remote page that I
> can't already do inside my app. It's an issue of trust.
>
>
> Sent from my iPhone
>
> > On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
> >
> > I agree that it is not recommended, but it's possible. I delved into
> > this question here:
> > https://github.com/shazron/phonegap-questions/issues/37
> >
> > The PhoneGap Developer App is an example of how this is working at
> > http://app.phonegap.com but they do some proxying to get around the
> > CORS limitations I believe.
> >
> >> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com>
> wrote:
> >> I've been getting occasional questions about users trying to use
> remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
> InAppBrowser), and still expecting to have access to the plugin APIs
> (camera is a popular one). My response so far is: "This is an unsupported
> configuration, because Cordova was not designed for this and the community
> does no testing of this configuration. While it can work in some
> circumstances, it is not recommended nor supported."
> >>
> >> My definition of "unsupported" is not that it is incapable, but that we
> don't claim that it is supposed to work, and more importantly, we won't
> actively fix user-submitted defects on this topic.
> >>
> >> The main concern I have on this is same origin policy, and matching the
> remotely-served cordova.js with the locally-installed native Cordova
> platform to avoid version mismatch.
> >>
> >> Do you think I'm out in-the-weeds on this, or do you agree?
> >>
> >> If you agree, what would you think of a blurb in cordova-docs somewhere
> that captures this gist?
> >>
> >> Thanks for your feedback!
>
--
*Frederico Galvão*
Diretor de Tecnologia
PontoGet Inovação Web
( +55(62) 8131-5720
* www.pontoget.com.br <http://www.pontoget.com/>
Re: remotely loaded pages
Posted by purplecabbage <pu...@gmail.com>.
I agree with all your statements Marcel. I use this approach frequently in dev for fast turnaround.
Ultimately App Store policies decide what can and cannot be done.
Regarding security, there is nothing I can do with a remote page that I can't already do inside my app. It's an issue of trust.
Sent from my iPhone
> On Aug 1, 2014, at 10:35 AM, Shazron <sh...@gmail.com> wrote:
>
> I agree that it is not recommended, but it's possible. I delved into
> this question here:
> https://github.com/shazron/phonegap-questions/issues/37
>
> The PhoneGap Developer App is an example of how this is working at
> http://app.phonegap.com but they do some proxying to get around the
> CORS limitations I believe.
>
>> On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com> wrote:
>> I've been getting occasional questions about users trying to use remotely-loaded (non-local) HTML pages with Cordova (in the webview, not InAppBrowser), and still expecting to have access to the plugin APIs (camera is a popular one). My response so far is: "This is an unsupported configuration, because Cordova was not designed for this and the community does no testing of this configuration. While it can work in some circumstances, it is not recommended nor supported."
>>
>> My definition of "unsupported" is not that it is incapable, but that we don't claim that it is supposed to work, and more importantly, we won't actively fix user-submitted defects on this topic.
>>
>> The main concern I have on this is same origin policy, and matching the remotely-served cordova.js with the locally-installed native Cordova platform to avoid version mismatch.
>>
>> Do you think I'm out in-the-weeds on this, or do you agree?
>>
>> If you agree, what would you think of a blurb in cordova-docs somewhere that captures this gist?
>>
>> Thanks for your feedback!
Re: remotely loaded pages
Posted by Shazron <sh...@gmail.com>.
I agree that it is not recommended, but it's possible. I delved into
this question here:
https://github.com/shazron/phonegap-questions/issues/37
The PhoneGap Developer App is an example of how this is working at
http://app.phonegap.com but they do some proxying to get around the
CORS limitations I believe.
On Fri, Aug 1, 2014 at 10:23 AM, Marcel Kinard <cm...@gmail.com> wrote:
> I've been getting occasional questions about users trying to use remotely-loaded (non-local) HTML pages with Cordova (in the webview, not InAppBrowser), and still expecting to have access to the plugin APIs (camera is a popular one). My response so far is: "This is an unsupported configuration, because Cordova was not designed for this and the community does no testing of this configuration. While it can work in some circumstances, it is not recommended nor supported."
>
> My definition of "unsupported" is not that it is incapable, but that we don't claim that it is supposed to work, and more importantly, we won't actively fix user-submitted defects on this topic.
>
> The main concern I have on this is same origin policy, and matching the remotely-served cordova.js with the locally-installed native Cordova platform to avoid version mismatch.
>
> Do you think I'm out in-the-weeds on this, or do you agree?
>
> If you agree, what would you think of a blurb in cordova-docs somewhere that captures this gist?
>
> Thanks for your feedback!
Re: remotely loaded pages
Posted by Victor Sosa <so...@gmail.com>.
Hello Marcel.
Interesting scenario here. I'm not an expert on this topic, but loading
remote web artifacts that have native access looks very insecure to me.
Whether it is possible? Yeah, maybe... But is it advisable and, more
important, recommended by the Cordova experts community? I'd like to say no
just for the sake of security.
Of course, I might be just talking crazy here and would like to know what
the community thinks about it.
2014-08-01 12:23 GMT-05:00 Marcel Kinard <cm...@gmail.com>:
> I've been getting occasional questions about users trying to use
> remotely-loaded (non-local) HTML pages with Cordova (in the webview, not
> InAppBrowser), and still expecting to have access to the plugin APIs
> (camera is a popular one). My response so far is: "This is an unsupported
> configuration, because Cordova was not designed for this and the community
> does no testing of this configuration. While it can work in some
> circumstances, it is not recommended nor supported."
>
> My definition of "unsupported" is not that it is incapable, but that we
> don't claim that it is supposed to work, and more importantly, we won't
> actively fix user-submitted defects on this topic.
>
> The main concern I have on this is same origin policy, and matching the
> remotely-served cordova.js with the locally-installed native Cordova
> platform to avoid version mismatch.
>
> Do you think I'm out in-the-weeds on this, or do you agree?
>
> If you agree, what would you think of a blurb in cordova-docs somewhere
> that captures this gist?
>
> Thanks for your feedback!
--
Victor Adrian Sosa Herrera
IBM Software Engineer
Guadalajara, Jalisco