GitHub user ooo2003003v2 edited a comment on the discussion: Does allow list requires importing cordova.js to work correctly?
> > I wonder if I need to import cordova.js into my project for the allow
> > list/whitelist to work correctly?
>
> I don't believe so because the allow list plugin does not have a JS interface
> and is something that I believe is loaded on load, rather than initialised in
> the JS runtime. Any plugins that offer a JS API do need `cordova.js` since
> it is also responsible for loading in the plugin JS modules as well as
> providing the native bridge to make native API calls.
>
> But loading your web app remotely is also not a supported configuration and
> is not something really tested for. The web app should be bundled with the
> binary.
>
> > Another question is that I saw that the _system target "window.open(url,
> > '_system')" is only mentioned in the cordova-plugin-inappbrowser.
>
> `_system` is an in-app browser plugin specific concept. If the plugin is not
> installed (also means you need the binary bundled `cordova.js`), then you'll
> be using the browser-native
> [window.open](https://developer.mozilla.org/en-US/docs/Web/API/Window/open)
> which does not have a `_system` keyword, and thus will treat `_system` as a
> context name instead.
>
> Also note that by default the in app browser plugin doesn't clobber
> `window.open`. You'd need to explicitly clobber (if you desire to force all
> `window.open` calls to use the plugin) by reassigning it to the plugin method.
> See
> https://github.com/apache/cordova-plugin-inappbrowser?tab=readme-ov-file#windowopen
>
> To re-iterate, if you're loading your web app remotely, then using
> `cordova.js` to use native device APIs can be considered breaking user
> agreements and can also be considered a RCE (Remote Code Execution)
> vulnerability. This vulnerability may exist even if your remotely hosted
> code does not make use of `cordova.js` but `cordova.js` is still available to
> be loaded into your web app environment.
>
> So if you plan to use Cordova to provide a remote hosted application that
> uses standard browser features, then consider [Progressive Web
> App](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps)
> deployment instead. It will be far more secure.
>
> If you're using Cordova because you need access to native device APIs, then
> you should architect your application to be able to run offline locally on
> device.

I see. Thx for answering my questions. I'm still a bit confused, so is it incorrect to set the `content` prop in the xml config to an external site? And, in theory, if I move all the plug-in js files and `cordova.js` to the external site folder, will the allow list work properly? Or does the list only work if the site is stored inside the www folder?

GitHub link: https://github.com/apache/cordova/discussions/512#discussioncomment-11375278
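
The configuration discussed in this thread can be checked mechanically before a build. The following is an added example, not code from the thread or from the Cordova project: a small audit that flags a `config.xml` whose `<content src>` or `<allow-navigation href>` lets remotely hosted pages load in the main WebView. The sample configs, hostnames and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}

# Constructed sample (not from the thread): start page served from a remote host.
SAMPLE_REMOTE = """<widget id="com.example.app" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
    <content src="https://app.example.com/index.html" />
    <allow-navigation href="https://app.example.com/*" />
    <allow-navigation href="*" />
</widget>"""

# Constructed sample: web app bundled in www/, remote host reachable only as an API.
SAMPLE_BUNDLED = """<widget id="com.example.app" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets">
    <content src="index.html" />
    <access origin="https://api.example.com" />
</widget>"""


def local(tag):
    """Strip the XML namespace so <content> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def is_remote(value):
    """True for wildcard patterns or http(s) URLs, i.e. pages not shipped in the binary."""
    value = value.strip()
    return value.startswith("*") or urlparse(value).scheme.lower() in REMOTE_SCHEMES


def audit_config(xml_text):
    """Return (element, value) pairs that let remote pages run in the main WebView."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "content" and is_remote(el.get("src", "")):
            findings.append(("content", el.get("src")))
        elif name == "allow-navigation" and is_remote(el.get("href", "")):
            findings.append(("allow-navigation", el.get("href")))
    return findings


if __name__ == "__main__":
    for label, cfg in (("remote", SAMPLE_REMOTE), ("bundled", SAMPLE_BUNDLED)):
        print(label, audit_config(cfg))
```
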