Since we are talking about how to implement the whitelist, I think we should also have a discussion about how/when the whitelist is used. I've put together a quick list of navigation options. It would be good to agree on how these should behave on each platform. I gathered these based on comments I have seen in the PhoneGap forum. I added a proposed action to get the conversation started.
- iframe within a cordova page - user just wants to display some other content within the page and sandbox it in an iframe. They do not want to have to worry about any PG commands getting invoked by the pages loaded in the iframe and do not want to have to specify a whitelist for the iframe. Although I have seen requests where people DO want to run PG commands from the iframe - although I'm not sure I understand why.
- childbrowser plugin - I have an app that tracks my blood donations. I want to go out to the Red Cross web site to find the next donations in my area. In this case I don't want to use the whitelist and I do not want any PG commands invoked from within the Childbrowser (other than to deal with the events from the Childbrowser). There may be cases where the user does want PG commands within a ChildBrowser - with the new Web View / Cleaver implementations this could be an option.
- ajax requests - enforce the whitelist
- Not sure how we should deal with JavaScript invocations to open a new page? Should these open in the webview or open in the mobile browser (in the case of iOS this will leave the app with no way to return via a back button unless the Childbrowser is used). One would suspect that you would want a remote URL to open in the mobile browser UNLESS you are loading PhoneGap.js from that location as well and thus want it in the webView (in which case the whitelist is enforced)
  - window.location = url
  - <a href=url>new local or remote location</a>
- Need a way to force opening in the browser (not the webview) and ignoring the whitelist check.

I'm sure I have missed some conditions. But, I think we at least need to decide how these should / can behave and implement them consistently across the platforms. At the moment I don't think the behavior is consistent.

-becky
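
One reading of the proposed actions in the message above, written as a single decision function so the same answer can be checked on every platform. This is an added example, not Cordova/PhoneGap code or code from the original post; the names `decide`, `hostAllowed` and `forceBrowser`, the whitelist entry syntax, and the choice to load whitelisted remote pages in the webview with the bridge enabled are assumptions.

```javascript
// Added example: a hypothetical policy table, not Cordova/PhoneGap code.
const APP_BASE = 'file:///www/index.html';              // constructed app origin
const WHITELIST = ['api.example.org', '*.example.com']; // constructed entries

// Assumed entry syntax: exact host, or "*.domain" matching subdomains only.
// Matching on ".domain" (with the dot) rejects look-alikes such as
// "notexample.com" and "example.com.evil.net".
function hostAllowed(host, whitelist) {
  return whitelist.some((entry) =>
    entry.startsWith('*.') ? host.endsWith(entry.slice(1)) : host === entry);
}

// context: 'iframe' | 'childbrowser' | 'ajax' | 'navigate'
// Returns { action, bridge }; bridge says whether PG commands may run there.
function decide(context, rawUrl, whitelist, opts = {}) {
  const url = new URL(rawUrl, APP_BASE);
  const remote = url.protocol === 'http:' || url.protocol === 'https:';
  const listed = !remote || hostAllowed(url.hostname, whitelist);

  switch (context) {
    case 'iframe':        // sandboxed content: no whitelist, no bridge
      return { action: 'load-iframe', bridge: false };
    case 'childbrowser':  // external site inside the app: no whitelist, no bridge
      return { action: 'load-childbrowser', bridge: false };
    case 'ajax':          // whitelist enforced
      return { action: listed ? 'allow-xhr' : 'block', bridge: false };
    case 'navigate':      // window.location = url, <a href=url>
      if (opts.forceBrowser) return { action: 'open-browser', bridge: false };
      return listed
        ? { action: 'load-webview', bridge: true }
        : { action: 'open-browser', bridge: false };
    default:              // unknown navigation type: fail closed
      return { action: 'block', bridge: false };
  }
}
```

Running the same table of inputs against each platform's native implementation is one way to find where the behavior currently differs.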