Good point julio. Local development for live reloading is a valid reason
to use remote urls. I still think it's not valid
if the --release flag is present. So my initial reaction is to allow
usage while in debug mode, by disallow in release mode.
Or at very least provide a scary warning if a remote url is used in
release mode.
On 2019-10-22 1:05 p.m., julio cesar sanchez wrote:
The content tag is also used for pointing to local development servers and
benefit from live reloading, so how do you plan to deprecate it only for
remote urls?
El mar., 22 oct. 2019 a las 17:46, Norman Breau (<nor...@normanbreau.com>)
escribió:
This is an extension of the issue I raised for adding warnings to the
documentation which can be found at
https://github.com/apache/cordova-docs/issues/1022
In my opinion there are several reasons why using a remote url (such as
https://myserver.com/) to host a cordova app is bad practice.
1. If your app uses native APIs, you're breaking the terms of service of
the Apple and Google Play app stores. See Section 2.5.2 Software
Requirements of apples guidelines.[1]
2. Extending onto #1, it makes the app must more easier to become
vulnerable to exploits, because any other
third party code loaded onto the website may have access to the cordova
APIs.
3. Apple & Google expects your app to be able to launch and "work"
without a data connection. If your index file is
remote, then your app cannot load to provide the user proper feedback
that they require an internet connection. (See section 2.1 App
Completeness & 4.2 Minimum Functionality apple guidelines)[1].
4. Using a remote URL generally causes a lot of CORs related issues when
using non-standard protocols such as cdvfile:// (see
https://github.com/apache/cordova-plugin-file/issues/352)
5. Even if your app does not use native APIs, and it's just repackaging
a website, this goes against section 4.2 on apples policy[1].
I don't exactly know how popular using <content src="remoteurl" /> is,
but I do see it frequent enough on reported issues. This is kind of
frightening.
So given the reasons I listed above, I think allowing remote sources in
the <content> tag should be deprecated, and eventually removed in the
future, of course allowing time for developers to refactor their app to
bundle their code within the app.
Sources:
[1] https://developer.apple.com/app-store/review/guidelines/#design
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org
