GitHub user breautek added a comment to the discussion: Google Autocomplete Referrer
> I don't get your problem. You are not bound to "localhost" as an origin. You
> can set whatever you want with
>
> ```
> <preference name="hostname" value="my-custom-origin.com" />
> ```
>
> This would for example set as request url `https://my-custom-origin.com` on
> Android, on iOS it would be `app://my-custom-origin.com`.

The problem is when third-party services issue API keys that are tied to a domain. In web environments the API keys are typically available to end users and in traditional web development, that's okay because no one can take that API key and use it unless they can take control over the DNS of your domain.

However, Android webviews allow you to choose any domain origin and it's treated as trustworthy. So API keys that are tied to a domain can theoretically be used even if you're not the owner of that API key.

It's another reason why Google has been limiting access to JS APIs to webviews, though I don't think they currently limit access to JS APIs, just OAuth atm.

GitHub link: https://github.com/apache/cordova/discussions/560#discussioncomment-13868122

----
This is an automatically sent email for issues@cordova.apache.org.
To unsubscribe, please send an email to: issues-unsubscr...@cordova.apache.org