This is an extension of the issue I raised for adding warnings to the
documentation which can be found at
https://github.com/apache/cordova-docs/issues/1022
In my opinion there are several reasons why using a remote url (such as
https://myserver.com/) to host a cordova app is bad practice.
1. If your app uses native APIs, you're breaking the terms of service of
the Apple and Google Play app stores. See Section 2.5.2 Software
Requirements of apples guidelines.[1]
2. Extending onto #1, it makes the app must more easier to become
vulnerable to exploits, because any other
third party code loaded onto the website may have access to the cordova
APIs.
3. Apple & Google expects your app to be able to launch and "work"
without a data connection. If your index file is
remote, then your app cannot load to provide the user proper feedback
that they require an internet connection. (See section 2.1 App
Completeness & 4.2 Minimum Functionality apple guidelines)[1].
4. Using a remote URL generally causes a lot of CORs related issues when
using non-standard protocols such as cdvfile:// (see
https://github.com/apache/cordova-plugin-file/issues/352)
5. Even if your app does not use native APIs, and it's just repackaging
a website, this goes against section 4.2 on apples policy[1].
I don't exactly know how popular using <content src="remoteurl" /> is,
but I do see it frequent enough on reported issues. This is kind of
frightening.
So given the reasons I listed above, I think allowing remote sources in
the <content> tag should be deprecated, and eventually removed in the
future, of course allowing time for developers to refactor their app to
bundle their code within the app.
Sources:
[1] https://developer.apple.com/app-store/review/guidelines/#design
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org