Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2022/07/06 12:45:05 UTC

[GitHub] [cordova-plugin-file] ochakov opened a new pull request, #528: Solve CORS issue serving local files

ochakov opened a new pull request, #528:
URL: https://github.com/apache/cordova-plugin-file/pull/528

   When loading the app from a remote server, loading fonts from assets will be denied due to a CORS violation.
   This change adds Access-Control-Allow-Origin to the local response to prevent it from failing.
   
   ### Platforms affected
   Android
   
   ### Motivation and Context
   Fix CORS issue when trying to access local files (e.g. fonts) while serving the application from a remote host.
   
   ### Description
   Add Access-Control-Allow-Origin header to the local response.
   
   ### Testing
   Use CSS and create a font-face with its source in local assets. Load the page from a remote host.
   
   ### Checklist
   
   - [X] I've run the tests to see all new and existing tests pass
   - [ ] I added automated test coverage as appropriate for this change
   - [ ] Commit is prefixed with `(platform)` if this change only applies to one platform (e.g. `(android)`)
   - [ ] If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct [keyword to close issues using keywords](https://help.github.com/articles/closing-issues-using-keywords/))
   - [ ] I've updated the documentation if necessary
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
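
As an added example (not code from the pull request or the plugin), here is a simplified model of the CORS decision a WebView makes for an @font-face fetch, next to a header builder that echoes only allowlisted origins. The two origins and all function names are assumptions made for illustration.

```javascript
// Constructed sample origins; neither value comes from the plugin or the PR.
const LOCAL_ORIGIN = "https://localhost";         // assumed origin of bundled local content
const REMOTE_ORIGIN = "https://app.example.com";  // assumed remote host serving the app

// Serialise scheme://host[:port] so two URLs can be compared by origin.
function originOf(url) {
  return new URL(url).origin;
}

// Simplified CORS check for a credential-less fetch such as a web font.
// Same-origin loads pass without any header; cross-origin loads need an
// Access-Control-Allow-Origin value of "*" or the exact page origin.
function fontLoadAllowed(pageUrl, fontUrl, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(fontUrl)) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Header builder for a local-file response: echo the request Origin only when
// it is on the allowlist, and send Vary: Origin so a cached response is not
// reused for a different origin.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  const headers = { "vary": "Origin" };
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers["access-control-allow-origin"] = requestOrigin;
  }
  return headers;
}

// Walk through the three cases: local page, remote page without the header,
// remote page with an allowlisted origin.
function demo() {
  const font = LOCAL_ORIGIN + "/fonts/app.woff2";
  const allow = [REMOTE_ORIGIN];
  return {
    localPage: fontLoadAllowed(LOCAL_ORIGIN + "/index.html", font, {}),
    remoteNoHeader: fontLoadAllowed(REMOTE_ORIGIN + "/index.html", font, {}),
    remoteAllowlisted: fontLoadAllowed(
      REMOTE_ORIGIN + "/index.html", font, corsHeadersFor(REMOTE_ORIGIN, allow)),
  };
}
```

A wildcard header would also satisfy the check, but it does so for every origin that can reach the local response, which is the trade-off the allowlist avoids.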


[GitHub] [cordova-plugin-file] ochakov commented on pull request #528: Solve CORS issue serving local files

Posted by GitBox <gi...@apache.org>.
ochakov commented on PR #528:
URL: https://github.com/apache/cordova-plugin-file/pull/528#issuecomment-1176198189

   > Using a remote host while using cordova plugins is against the terms of use for both Apple's App Store & Google's Play Store
   
   This is absolutely not true. As long as you don't change the primary purpose of the app, you are allowed to serve it from a remote server. Our apps have been in both the Apple and Google stores for years, all served from our servers, without any complaints.




[GitHub] [cordova-plugin-file] ochakov commented on pull request #528: Solve CORS issue serving local files

Posted by GitBox <gi...@apache.org>.
ochakov commented on PR #528:
URL: https://github.com/apache/cordova-plugin-file/pull/528#issuecomment-1176236651

   @breautek, I am not a lawyer and cannot argue on that, but there are numerous discussions on the web on this subject and they all conclude that Cordova apps can run remote code by design and there is no way to prevent that. Our apps don't even have a www folder inside, as even Cordova plugins' JS files are loaded remotely...
   As long as the app is legit, it is a huge power being able to push updates immediately without waiting for users to update their apps in the store.




[GitHub] [cordova-plugin-file] breautek commented on pull request #528: Solve CORS issue serving local files

Posted by GitBox <gi...@apache.org>.
breautek commented on PR #528:
URL: https://github.com/apache/cordova-plugin-file/pull/528#issuecomment-1176184518

   > Load the page from remote host.
   
   FYI, using a remote host while using cordova plugins (or otherwise accessing native device APIs) is against the terms of use for both Apple's App Store & Google's Play Store. Generally speaking, the app's codebase should be bundled inside the app binary. Remote code can be loaded only if it can operate in a standard unmodified webview (e.g. it uses standard browser features).




[GitHub] [cordova-plugin-file] breautek commented on pull request #528: Solve CORS issue serving local files

Posted by GitBox <gi...@apache.org>.
breautek commented on PR #528:
URL: https://github.com/apache/cordova-plugin-file/pull/528#issuecomment-1176221802

   >This is absolutely not true. As long as you don't change the primary purpose of the app, you are allowed to serve it from remote server. Our apps are in both Apple and Google stores for years, all served from our servers, without any complaints.
   
   Doesn't matter if you are doing it without getting caught. It's important to understand that remotely hosting in itself is not an issue, it's remotely loading in executable code that uses native device APIs. It breaks [Section 4.7.1](https://developer.apple.com/app-store/review/guidelines/#third-party-software) which contains text such as...
   
   > only use capabilities available in a standard WebKit view (e.g. it must open and run natively in Safari without modifications or additional software); and use WebKit and JavaScript Core to run third-party software and should not attempt to extend or expose native platform APIs to third-party software;
   
   For Android, it's not as clear, but I think it definitely breaks their [Device and Network Abuse Policy](https://support.google.com/googleplay/android-developer/answer/9888379)
   
   > ... Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine or an interpreter where either provides indirect access to Android APIs (such as JavaScript in a webview or browser).
   
   The reason why I think it definitely breaks the policy is because the Cordova Webview exposes native device APIs to the JavaScript. I believe their intent in their exception is that native browser APIs are well sandboxed and cannot add code that calls on more device APIs, which simply isn't the case in the Cordova environment.
   
   And for these reasons, I think from the Apache Cordova standpoint, we have to be careful about features/code that make breaking the terms either easy or probable. From what I understand, CORS here is not an issue if the app is loaded locally as intended, as the origin will be the same. It's only problematic when you use this plugin from a remote source rather than a local device source.

