[GitHub] [cordova-android] breautek commented on issue #1458: Android 10 - How can I assign the root path?

[GitBox <gi...@apache.org>]

breautek commented on issue #1458:
URL: https://github.com/apache/cordova-android/issues/1458#issuecomment-1186084421

   Root paths aren't assignable in Android.
   
   If you're using the filesystem strategy (e.g. `<preference name="AndroidInsecureFileModeEnabled" value="true" />`) then the root is `file:///android_assets` which is a special android folder that leads to the running process assets directory. Generally, cordova apps have a `www` folder for their web assets. By default your index.html file will be located at `file:///android_assets/www/index.html`
   
   When using the filesystem strategy, `/` as root path will mean the literal android root folder, which is often unreadable or limited access to non-privileged applications.
   
   If you're using the `WebViewAssetLoader` strategy (e.g.  `<preference name="AndroidInsecureFileModeEnabled" value="false" />`), then the webview uses a system where as far as the webview is concerned, it is loading content from an `http` or `https` resource. By default, cordova is configured to use the domain `https://localhost`, but this is configurable via:
   
   ```xml
   <preference name="scheme" value="https" />    <!-- scheme can only accept "http" or "https" on android -->
   <preference name="hostname" value="localhost" />
   ```
   
   The configured scheme/domain will point to your `www` folder, therefore assuming the default configuration, your `index.html` file will be at `https://localhost/index.html`
   
   >  I'm pretty sure that this solution is useful... but temporary. I'm sure the PlayStore will impose a new restriction shortly and this solution will be in vain.
   
   It's advised against using the `AndroidInescureFileModeEnabled` because [Google](https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)) has deprecated the setting in API 30, stating:
   
   > Don't enable this setting if you open files that may be created or altered by external sources. Enabling this setting allows malicious scripts loaded in a file:// context to launch cross-site scripting attacks, either accessing arbitrary local files including WebView cookies, app private data or even credentials used on arbitrary web sites.
   
   While I agree that this shouldn't be your primary solution, it should be an option for the foreseeable future.
   
   > cordova.file.applicationDirectory
   
   This is a filesystem constant that is the absolute path to your app's Application Directory. If you're using this path while using the `WebViewAssetLoader` system, you will get CORS error because you're requesting a `file://` protocol url over a `https` origin.
   
   Assuming you're using `WebViewAssetLoader`, If you have an image in `<cordova-project>/www/img/image1.jpg` for example, and you have your HTML documented loaded at `<cordova-project>/www/index.html`, then all you need to do is request `"img/image1.jpg"`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org