mgatto opened a new issue, #122: URL: https://github.com/apache/cordova-browser/issues/122
# Feature Request ## Motivation Behind Feature In some development environments, an API is served over SSL via the protocol `https`. Communicating with that API from a Cordova browser instance on a developer's machine is very efficient work flow. However, modern browsers disallow cross-origin communications between insecure and secured servers. In this case, the secured server is the API, and the insecure server is the current cordova-browser instance served with Node's `http` module. This is because it is always served without SSL. I do not intend for this to be used in production environments, though there is no encoded limitation on its usage within this proposal. ## Feature Description <!-- Describe your feature request in detail Please provide any code examples or screenshots of what this feature would look like Are there any drawbacks? Will this break anything for existing users? --> A new option `--https` would be added to the command `cordova run browser` --> `cordova run browser --https`. The default option is false. When this option is present, the node module `https` will be used to construct the server. The server accepts a keyfile and certificate, whose provision is the responsibility of the user. When this option is not present, the current node module `http` is used. Also, the `projectURL` used in opening a browser window likewise switches based on the `--https` option. A user choosing this option is most likely to see a warning page in the browser while opening the Cordova browser index.html. They merely need to accept the warning to continue onwards to their Cordova project's index page. #89 first proposed this, but was rejected and is currently closed. I have implemented this locally, and it works well. ## Alternatives or Workarounds <!-- Describe alternatives or workarounds you are currently using Are there ways to do this with existing functionality? --> Exposing the API over non-secure http is an alternative. In my context, this was rejected strongly for security reasons, especially relating to corporate security accountability programs. The second is that a developer independently hacks their local cordova installation to enable https. This is suboptimal since upgrading becomes a hassle, requiring careful VCS audits to restore erased, custom code. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org For additional commands, e-mail: issues-h...@cordova.apache.org
