GitHub user breautek added a comment to the discussion: Does allow list requires importing cordova.js to work correctly?
> I wonder if I need to import cordova.js into my project for the allow list/whitelist to work correctly?

I don't believe so because the allow list plugin does not have a JS interface and is something that I believe is loaded on load, rather than initialised in the JS runtime.

Any plugins that offer a JS API do need `cordova.js` since it is also responsible for loading in the plugin JS modules as well as providing the native bridge to make native API calls.

But loading your web app remotely is also not a supported configuration and is not something really tested for. The web app should be bundled with the binary.

> Another question is that I saw that the _system target "window.open(url, '_system')" only mentioned in the cordova-plugin-inappbrowser.

`_system` is an in-app browser plugin specific concept. If the plugin is not installed (also means you need the binary bundled `cordova.js`), then you'll be using the browser-native [window.open](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) which does not have a `_system` keyword, and thus will treat `_system` as a context name instead.

Also note that by default the in app browser plugin doesn't clobber `window.open`. You'd need to explicitly clobber (if you desire to force all `window.open` calls to use the plugin) by reassigning it to the plugin method. See https://github.com/apache/cordova-plugin-inappbrowser?tab=readme-ov-file#windowopen

To re-iterate, if you're loading your web app remotely, then using `cordova.js` to use native device APIs can be considered breaking user agreements and can also be considered a RCE (Remote Code Execution) vulnerability. This vulnerability may exist even if your remotely hosted code does not make use of `cordova.js` but `cordova.js` is still available to be loaded into your web app environment.
So if you plan to use Cordova to provide a remote hosted application that uses standard browser features, then consider [Progressive Web App](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps) deployment instead. It will be far more secure. If you're using Cordova because you need access to native device APIs, then you should architect your application to be able to run offline locally on device.

GitHub link: https://github.com/apache/cordova/discussions/512#discussioncomment-11375102
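
The `_system` and `window.open` behaviour described in the comment above, as an added example that is not part of the original comment or of the plugin's code. `hasInAppBrowser`, `openExternal` and `clobberWindowOpen` are hypothetical helper names, `win` stands for the page's `window` object, and the restriction to `http:`/`https:` links is an assumption of this sketch.

```javascript
// Added example. Helper names are hypothetical; `win` is the window object.

// True only when cordova-plugin-inappbrowser has been loaded, which in turn
// requires the binary-bundled cordova.js.
function hasInAppBrowser(win) {
  return Boolean(win.cordova && win.cordova.InAppBrowser &&
    typeof win.cordova.InAppBrowser.open === 'function');
}

// Open a link outside the app's webview. With the plugin present, "_system"
// hands the URL to the system browser. Without it, native window.open would
// read "_system" as a window (context) name, so the fallback uses "_blank"
// with noopener instead of passing "_system" through.
function openExternal(win, url) {
  const parsed = new URL(url, win.location.href);
  // Assumption of this sketch: only web links are handed off.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    throw new Error('refusing non-web URL scheme: ' + parsed.protocol);
  }
  if (hasInAppBrowser(win)) {
    win.cordova.InAppBrowser.open(parsed.href, '_system');
    return 'plugin:_system';
  }
  win.open(parsed.href, '_blank', 'noopener');
  return 'native:_blank';
}

// The plugin does not replace window.open by default. This performs the
// explicit reassignment from the plugin README, but only when the plugin is
// really there. Call it after the `deviceready` event has fired.
function clobberWindowOpen(win) {
  if (!hasInAppBrowser(win)) {
    return false; // leave the browser-native window.open in place
  }
  win.open = win.cordova.InAppBrowser.open;
  return true;
}
```

In an app, `clobberWindowOpen(window)` would run inside a `deviceready` listener, and `openExternal(window, href)` would be called from link click handlers.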