
Solve CORS issue serving local files

Open ochakov opened this issue 3 years ago • 4 comments

When loading the app from a remote server, loading fonts from assets will be denied due to a CORS violation. This change adds Access-Control-Allow-Origin to the local response to prevent it from failing.

Platforms affected

Android

Motivation and Context

Fix the CORS issue when trying to access local files (e.g. fonts) while serving the application from a remote host.

Description

Add the Access-Control-Allow-Origin header to the local response.

Testing

Use CSS and create a font-face with its source in local assets. Load the page from a remote host.

Checklist

  • [X] I've run the tests to see all new and existing tests pass
  • [ ] I added automated test coverage as appropriate for this change
  • [ ] Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • [ ] If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • [ ] I've updated the documentation if necessary

ochakov avatar Jul 06 '22 12:07 ochakov
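To make the change described above concrete, here is an added illustration (not cordova-plugin-file's code, and not from this PR) of an Android WebViewClient that serves bundled assets to a page loaded from a remote origin and attaches Access-Control-Allow-Origin to the local response. It assumes the local assets are exposed under https://localhost/android_asset/ and that the remote origin is https://app.example.test (both hypothetical); the header is scoped to an allow-listed origin rather than a wildcard, since a wildcard would let any origin that ends up in the WebView read every bundled file.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class LocalAssetClient extends WebViewClient {
    // Hypothetical values: the remote origin the app is served from and the local asset URL prefix.
    private static final Set<String> ALLOWED_ORIGINS = Collections.singleton("https://app.example.test");
    private static final String LOCAL_HOST = "localhost";
    private static final String ASSET_PREFIX = "/android_asset/";
    private final Context context;

    public LocalAssetClient(Context context) { this.context = context; }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        Uri url = request.getUrl();
        String path = url.getPath();
        if (!LOCAL_HOST.equals(url.getHost()) || path == null || !path.startsWith(ASSET_PREFIX)) {
            return null; // not a bundled asset: let the WebView handle it normally
        }
        Map<String, String> headers = new HashMap<>();
        // Fonts are fetched in CORS mode, so the WebView sends the page's Origin header.
        // Echo it back only when it is on the allow list instead of answering with "*".
        String origin = request.getRequestHeaders().get("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            headers.put("Access-Control-Allow-Origin", origin);
            headers.put("Vary", "Origin");
        }
        try {
            InputStream data = context.getAssets().open(path.substring(ASSET_PREFIX.length()));
            return new WebResourceResponse(mimeTypeFor(path), null, 200, "OK", headers, data);
        } catch (IOException e) {
            return new WebResourceResponse("text/plain", "utf-8", 404, "Not Found",
                    headers, new ByteArrayInputStream(new byte[0]));
        }
    }

    private static String mimeTypeFor(String path) {
        if (path.endsWith(".woff2")) return "font/woff2";
        if (path.endsWith(".woff")) return "font/woff";
        if (path.endsWith(".ttf")) return "font/ttf";
        return "application/octet-stream";
    }
}
```

Requests whose Origin is not allow-listed still get the file but no CORS header, so the WebView's CORS check denies them exactly as the PR description observes for the unpatched plugin.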

Load the page from remote host.

FYI, using a remote host while using Cordova plugins (or otherwise accessing native device APIs) is against the terms of use for both Apple's App Store and Google's Play Store. Generally speaking, the app's codebase should be bundled inside the app binary. Remote code can be loaded only if it can operate in a standard, unmodified webview (e.g. it uses standard browser features).

breautek avatar Jul 06 '22 12:07 breautek

Using a remote host while using Cordova plugins is against the terms of use for both Apple's App Store and Google's Play Store

This is absolutely not true. As long as you don't change the primary purpose of the app, you are allowed to serve it from a remote server. Our apps have been in both the Apple and Google stores for years, all served from our servers, without any complaints.

ochakov avatar Jul 06 '22 13:07 ochakov

This is absolutely not true. As long as you don't change the primary purpose of the app, you are allowed to serve it from a remote server. Our apps have been in both the Apple and Google stores for years, all served from our servers, without any complaints.

It doesn't matter if you are doing it without getting caught. It's important to understand that remote hosting in itself is not an issue; it's remotely loading executable code that uses native device APIs. It breaks Section 4.7.1, which contains text such as...

only use capabilities available in a standard WebKit view (e.g. it must open and run natively in Safari without modifications or additional software); and use WebKit and JavaScript Core to run third-party software and should not attempt to extend or expose native platform APIs to third-party software;

For Android, it's not as clear, but I think it definitely breaks their Device and Network Abuse Policy

... Likewise, an app may not download executable code (e.g., dex, JAR, .so files) from a source other than Google Play. This restriction does not apply to code that runs in a virtual machine or an interpreter where either provides indirect access to Android APIs (such as JavaScript in a webview or browser).

The reason why I think it definitely breaks the policy is that the Cordova webview exposes native device APIs to the JavaScript. I believe the intent of their exception is that native browser APIs are well sandboxed and cannot add code that calls on more device APIs, which simply isn't the case in the Cordova environment.

And for these reasons, I think from the Apache Cordova standpoint we have to be careful about features/code that make it easy or probable to break the terms. From what I understand, CORS here is not an issue if the app is loaded locally as intended, as the origin will be the same. It's only problematic when you use this plugin from a remote source rather than a local device source.

breautek avatar Jul 06 '22 13:07 breautek

@breautek, I am not a lawyer and cannot argue on that, but there are numerous discussions on the web on this subject and they all conclude that Cordova apps can run remote code by design and there is no way to prevent that. Our apps don't even have a www folder inside, as even the Cordova plugin JS files are loaded remotely... As long as the app is legit, it is a huge advantage to be able to push updates immediately without waiting for users to update their apps in the store.

ochakov avatar Jul 06 '22 13:07 ochakov