GitHub user breautek edited a comment on the discussion: How to conditionally
load cordova on remote pages
> However, I am open to alternative ideas, especially if there is a potential
> security concern that might arise unexpectedly if one day some other third
> party script needs to be added, etc long after the apk is deployed.
Yah, I can't really answer on the acceptable risk. Generally speaking if you
have "untrusted" content being loaded in and they have access to the cordova js
APIs, consider your app exploitable. You may say the only third-party content
is google and you trust google or whatever.
In-app-browser eliminates the concern because it runs in its own webview
without the native hooks to call on the native code. I do believe it has a
messaging API so that you can post and receive messages between webviews,
therefore you could create any kind of mapping where it makes sense without
actually exposing the cordova API. But I never actually used the plugin myself
so I'm not really familiar with it. But yes, the typical path is to use the
in-app-browser for untrusted content. To be clear, normally when the term
`untrusted content` is used, it's referring to content that isn't bundled
inside the app binary.
On the TypeScript issue, what I do in my apps is I install `@types/cordova`,
which can be installed as a devDependency. Then you can update your
`tsconfig.json` to include the file in the `files` directive:
It may look something like:
```
{
  // ...
  "files": [
    "./node_modules/@types/cordova/index.d.ts"
  ]
}
```
`files` can be used in addition to your `include`/`exclude` directives as well.
So while `node_modules` is generally excluded, I can use `files` to import
specific files where it makes sense.
Also I'm not sure if that path is 100% correct, I'm going off memory. You may
have to peek into the directory to see where exactly `index.d.ts` is.
Normally this isn't necessary since normally you would just import the module
and the typings will be loaded via the import, but given that cordova is
actually more of a global that is just loaded in the environment, this
configuration makes the cordova types implicitly available across your project,
which matches reality.
GitHub link:
https://github.com/apache/cordova/discussions/427#discussioncomment-6768953
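
The message mapping suggested in the comment above, as an added example that is not part of the original post or of any Cordova plugin: the trusted webview accepts only allowlisted actions from the untrusted page and never hands it the cordova object. The action names `getTheme` and `setBadge`, the helper names, and the message shape `{action, args}` are hypothetical; how messages reach `dispatch` (for instance an in-app-browser `message` listener) is an assumption to check against the plugin's documentation.

```typescript
// Added example: allowlisted dispatcher run by the trusted webview on every
// message that arrives from an untrusted in-app-browser page.
type Args = Record<string, unknown>;
type Handler = (args: Args) => unknown;
interface BridgeReply { ok: boolean; result?: unknown; error?: string }

function isPlainObject(v: unknown): v is Args {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// A Map is used so names like "constructor" or "__proto__" never resolve
// to anything inherited from Object.prototype.
function createBridge(handlers: Array<[string, Handler]>): (raw: unknown) => BridgeReply {
  const allowed = new Map<string, Handler>(handlers);
  return (raw: unknown): BridgeReply => {
    let msg: unknown = raw;
    if (typeof raw === "string") {
      try { msg = JSON.parse(raw); } catch { return { ok: false, error: "malformed" }; }
    }
    if (!isPlainObject(msg)) return { ok: false, error: "malformed" };
    const action = msg["action"];
    if (typeof action !== "string") return { ok: false, error: "malformed" };
    const handler = allowed.get(action);
    if (handler === undefined) return { ok: false, error: "denied" };
    const args = msg["args"] === undefined ? {} : msg["args"];
    if (!isPlainObject(args)) return { ok: false, error: "malformed" };
    try {
      return { ok: true, result: handler(args) };
    } catch {
      return { ok: false, error: "rejected" }; // handler details stay private
    }
  };
}

// Hypothetical actions; each one validates its own arguments.
const dispatch = createBridge([
  ["getTheme", () => "dark"],
  ["setBadge", (args) => {
    const n = args["count"];
    if (typeof n !== "number" || !Number.isInteger(n) || n < 0 || n > 99) {
      throw new Error("bad count");
    }
    return n;
  }],
]);
```

Anything not in the table, including attempts to name native bridge calls, comes back as `denied`, so adding a third-party script to the remote page later does not widen what it can reach.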