breautek opened a new issue #1022: Document warnings on using remote source for <content>
URL: https://github.com/apache/cordova-docs/issues/1022
 
 
   I think there should be better warnings documented about using a remote URL 
for the `config.xml` tag `<content src="..." />`
   
   It should be noted that using remote URLs can be dangerous for security and 
is also against the terms of service of both the Apple App & Google Play 
stores. (Text of interest is in bold).
   
   Apple App Store policy at Section 4.7 HTML5 Games, Bots, etc[1] reads:
   >Apps may contain or run code that is not embedded in the binary (e.g. 
HTML5-based games, bots, etc.), as long as code distribution isn’t the main 
purpose of the app, the code is not offered in a store or store-like interface, 
and provided that the software (1) is free or purchased using in-app purchase; 
(2) only uses capabilities available in a standard WebKit view (e.g. it must 
open and run natively in Safari without modifications or additional software); 
**your app must use WebKit and JavaScript Core to run third-party software and 
should not attempt to extend or expose native platform APIs to third-party 
software**; (3) is offered by developers that have joined the Apple Developer 
Program and signed the Apple Developer Program License Agreement; (4) does not 
provide access to real money gaming, lotteries, or charitable donations; (5) 
adheres to the terms of these App Review Guidelines (e.g. does not include 
objectionable content); and (6) does not support digital commerce. Upon 
request, you must provide an index of software and metadata available in your 
app. It must include Apple Developer Program Team IDs for the providers of the 
software along with a URL which App Review can use to confirm that the software 
complies with the requirements above.
   
   Google Play Store policy "Malicious Behaviour" reads:
   > An app distributed via Google Play may not modify, replace, or update 
itself using any method other than Google Play's update mechanism. **Likewise, 
an app may not download executable code (e.g. dex, JAR, .so files) from a 
source other than Google Play. This restriction does not apply to code that 
runs in a virtual machine and has limited access to Android APIs (such as 
JavaScript in a webview or browser).**
   
   While the text isn't as explicit as Apple's, and the examples are mostly 
native file examples, it does say that this does not apply to code that has 
limited access to Android APIs, such as JavaScript. But in Cordova, the 
JavaScript **does** have full access to Android APIs via the Cordova bridge.
   
   Currently the 
[documentation](https://github.com/apache/cordova-docs/blob/master/www/docs/en/dev/config_ref/index.md#content)
 does not warn users of this, and I see this kind of usage on a rather 
frequent basis, which I think is completely improper.
   
   [1] https://developer.apple.com/app-store/review/guidelines/
   [2] https://play.google.com/about/developer-content-policy-print/
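
A check for the pattern this issue describes, as an added example that is not part of the original issue or of the Cordova project's code: it parses a `config.xml` and reports every `<content src>` value that is a remote URL rather than a file bundled with the app. The sample configs and the helper names `local_name` and `remote_content_sources` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config.xml files (not taken from any real project).
LOCAL_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<widget id="com.example.local" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
    <content src="index.html" />
</widget>"""

REMOTE_CONFIG = """<?xml version='1.0' encoding='utf-8'?>
<widget id="com.example.remote" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
    <content src="https://app.example.com/index.html" />
</widget>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def remote_content_sources(config_xml):
    """Return every <content src> value that is loaded from a server."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    findings = []
    # Walk all descendants so a <content> nested under another element is
    # also seen, whether or not the file declares the widgets namespace.
    for element in root.iter():
        if local_name(element.tag) != "content":
            continue
        src = (element.get("src") or "").strip()
        parts = urlsplit(src)
        # Remote means: a scheme other than file: (http:, https:, ...), or a
        # protocol-relative '//host/path' value that has a host but no scheme.
        has_remote_scheme = parts.scheme not in ("", "file")
        if has_remote_scheme or parts.netloc:
            findings.append(src)
    return findings


if __name__ == "__main__":
    for name, xml_text in (("local", LOCAL_CONFIG), ("remote", REMOTE_CONFIG)):
        hits = remote_content_sources(xml_text)
        print(name, "->", "remote start page: " + ", ".join(hits) if hits else "ok")
```
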
