ContextQMD
Back to Cordova

2022 04 15

slack-digest/2022-04-15.md

latest5.0 KB
Original Source

Cordova Slack Digest

Fri, 15 Apr 2022 08:21:40 GMT

User count: 4688

Join the conversation at slack.cordova.io

Channel #general (15 messages)

Thu, 14 Apr 2022 20:40:58 GMT

@pawelkolodziej81 says

Hello, I would like to ask whether is it possible to configure cordova to mimic custom domain when serving local files?

Thu, 14 Apr 2022 20:41:39 GMT

@pawelkolodziej81 says

I mean some thing like www server with binded domain and ssl certificate of mine.

Thu, 14 Apr 2022 21:47:06 GMT

@norman137 says

Android has something called WebViewAssetLoader which is implemented in cordova-android@10. It "hijacks" a domain so-to-speak and makes it appear as if the assets are coming from a specific domain that you choose. By default, this is just simply localhost. You can't however specify your own SSL certificate (and there shouldn't be a need to either). The WebViewAssetLoader essentially serves as a proxy to the local filesystem, so that you don't use the file:// protocol directly. I choose the word "hijack" earlier because if you had a real server reachable at a domain, then your app won't be able to reach your real server using that domain if it's the domain you choose for your local content. Unlike iOS, you can only choose between http and https schemes.

iOS has something similar as well. I'm not that knowledgable on the ios native stuff. I don't recall what it's called on the native end, but allows you to specify a protocol and a domain to load your web assets from, like the android counterpart. One distinct difference however is that you can't choose well-known protocols, including http or https, among others. By default cordova will use app:// for iOS.

Thu, 14 Apr 2022 22:04:14 GMT

@pawelkolodziej81 says

I would like to restrict CORS policy for backend to accept requests only from specific hosts.

Thu, 14 Apr 2022 22:05:46 GMT

@pawelkolodziej81 says

localhost in such case is not specific so it would be nice to support special dedicated domain which i own certificate for.

Thu, 14 Apr 2022 22:08:55 GMT

@norman137 says

Anybody can choose any domain for the purpose of their own app schemes so that metric isn't satisfactory if you're trying to lock down to acceptable callers to only your app.

Keep in mind that CORS is a security-feature for end browser users, it's not a security feature for servers.

Thu, 14 Apr 2022 22:11:54 GMT

@pawelkolodziej81 says

But with ssl I suppose I cannot abuse domain so easily?

Thu, 14 Apr 2022 22:14:14 GMT

@dpogue says

CORS won't stop someone from manually constructing requests with fake Origin headers in Java or Swift/ObjC or cURL

Thu, 14 Apr 2022 22:14:52 GMT

@pawelkolodziej81 says

So what is the value of CROS?

Thu, 14 Apr 2022 22:15:23 GMT

@norman137 says

The main purpose of CORS is to prevent XSS attacks

Thu, 14 Apr 2022 22:15:44 GMT

@norman137 says

CORS doesn't really have any value in cordova apps, but we have no way to disable the protocol in the underlying web browser.

Thu, 14 Apr 2022 22:16:24 GMT

@norman137 says

And it's only effective if the browser honours the CORS protocol.

Thu, 14 Apr 2022 22:17:32 GMT

@norman137 says

Generally if you want to protect APIs from being maliciously called you will need ot authenticate the user in some way.

Thu, 14 Apr 2022 22:20:49 GMT

@pawelkolodziej81 says

Ok, thanks for the explanation.

Thu, 14 Apr 2022 22:23:55 GMT

@norman137 says

I know native libraries tends to use app id and signatures as well, like google maps for example will only work on the apps that has the app id that I allow the key to have access to, and the app must be signed with the keystore that matches the signature that I've provided but I'm not sure how they can accomplish that securely tbh.

Generally speaking, you can never really trust the client.

Channel #cordova-ios (1 messages)

Fri, 15 Apr 2022 04:36:17 GMT

@dpogue says

https://news.ionic.io/en/cordova-capacitor-ios-apps-expired-certificates-require-regeneration-of-ios-provisioning-profiles

Channel #cordova-android (2 messages)

Thu, 14 Apr 2022 11:00:07 GMT

@leo.skrilax91 says

Hi ! After several days of search and test i come for another help about soft keyboard handling, actually when i hit an imput, my keyboard hide bottom of my app and i can't scroll in the app, i've tested all of internet solution but nothing, my app is not on fullscreen, i have no plugin that change this. i have set windowSoftInputMode to adjustPan either on config.xml and AndroidManifest.xml. I also have tested to make a ScrollView but nothing append. Someone have a solution ? Norman tell me that i can manually do it with js but i want to do it in a better way if possible I use vuejs on cordova android 10

Thu, 14 Apr 2022 14:13:22 GMT

@dpogue says

From what I recall, that is the behaviour of windowSoftInputMode="adjustPan"