Manifest customization / x-domain ajax #84
Comments
I have just realized that the Tint console shows "Warning" even if I type console.log('something'). Anyway, do you plan to let us customize the package.json manifest of nodewebkit? (It could be inside a new tab "Advanced" on Tint compiler.) Thank you
Hi @trevorlinton I need to set the "node-remote" parameter but I can't find a way with Tint Compiler.
@AndryBray the node-remote parameter (if I'm correct) enables nodejs for resources outside of embed:// app:// file:// chrome:// and nw:// schemas. This is a huge security risk. This would allow a remote web page to read, write or do anything on your local computer and is purposely disabled for security concerns. Consider if someone were to break into the remote server. They could format the hard drive, install a virus or conduct a huge amount of malicious attacks on every person who had your app installed. In addition this violates rules set by the Mac Appstore and Windows Store. If this feature is enabled it would result in a black list of all applications built with Tint. You should be able to issue ajax calls, iframe in remote content or otherwise pull resources from servers but they do not have nodejs/Tint APIs enabled and are sandboxed. Am I misinterpreting your request? Perhaps a better detailed use case will help me resolve your issue.
@trevorlinton What about Ajax requests sent from embed:// to remote url? Anyway, will you provide a tool to customize other params of manifest? Thank you
@AndryBray Ajax requests are fine, are you getting a warning or error if you try to access a resource using an ajax request? We're working on supporting the features within the manifest from Tint Compiler. Are there other options other than node-remote that you need to customize?
At the moment I don't need exactly one. |
@trevorlinton What do you think about a design like that: local app (embed://) has a dashboard from where you can open other Tint windows with remote url?
@AndryBray You can use iframes to include remote URLs, in addition use nwdisable nwfaketop to isolate the sub-rendered page. If you need a web browser you can open the default web browser with Application.openURI. It's best to not try and replicate a web browser with Tint, as it's not sandboxed and secure as web browsers are.
@trevorlinton Could it be a good solution to use window.postMessage, building custom logic to let the iframe communicate with the parent window? Is it isolated enough in terms of security?
Hi @trevorlinton About postMessage I mean this: https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage Thank you
@AndryBray I built a unit test and was able to post messages to the application context from the hosted iframe'd webapp running on HTTP. I didn't find any issues, in addition the security contexts are limited from one another (however I'd still advise to thoroughly check any user content included just to be safe). Are you having difficulties with this?
Hi @trevorlinton Thank you for your time.
@AndryBary I can give you an example app. Essentially you can do one of two things, if you need to communicate between two windows you can use the "global" object that's available on all windows, however only the resources loaded in your application will be allowed to read and write to this object. If you need to communicate to and from an iframe you can use window.postMessage and window.onMessage, the iframe (and vice versa) can pass serializable objects through this to give instructions or pass data without any security risks or any violation of app store rules. I would say it may not be the best idea to eval the results you get back from an onMessage for obvious security issues :) Let me know if you have any problems with this method. I'll keep this open until I hear back.
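
An added example, not part of the thread and not Tint's own code: a parent-window handler for messages posted by a remote iframe that checks origin and sender, treats the payload as data, and dispatches through a fixed table instead of eval. The origin `https://dashboard.example.com`, the command names and the `state` object are assumptions made for illustration.

```javascript
// Hypothetical origin of the remote web app hosted in the iframe.
const TRUSTED_ORIGIN = 'https://dashboard.example.com';

// Fixed dispatch table: the iframe can only select an entry, never supply code.
const COMMANDS = {
  setTitle(args, state) {
    if (typeof args.title !== 'string' || args.title.length > 80) {
      throw new TypeError('title must be a string of at most 80 characters');
    }
    state.title = args.title;
    return { ok: true };
  },
  getVersion(_args, state) {
    return { ok: true, version: state.version };
  },
};

function handleFrameMessage(event, expectedSource, state) {
  // 1. Exact origin match; prefix or substring checks accept look-alike hosts.
  if (event.origin !== TRUSTED_ORIGIN) return { ok: false, error: 'origin' };
  // 2. The sender must be the iframe window the app itself created.
  if (event.source !== expectedSource) return { ok: false, error: 'source' };
  // 3. The payload is data with a known shape, never a string to evaluate.
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || typeof msg.cmd !== 'string') {
    return { ok: false, error: 'shape' };
  }
  // 4. Own-property lookup so "constructor" or "__proto__" never resolve.
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, msg.cmd)) {
    return { ok: false, error: 'command' };
  }
  const args = msg.args !== null && typeof msg.args === 'object' ? msg.args : {};
  try {
    return COMMANDS[msg.cmd](args, state);
  } catch (err) {
    return { ok: false, error: 'args' };
  }
}

// Wiring inside the application window (skipped when no DOM is present).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe');
  const state = { title: '', version: '1.0.0' };
  if (frame) {
    window.addEventListener('message', (e) => {
      const reply = handleFrameMessage(e, frame.contentWindow, state);
      if (reply.ok) frame.contentWindow.postMessage(reply, TRUSTED_ORIGIN);
    });
  }
}
```

Replies are posted with an explicit target origin rather than `'*'`, so they are not delivered if the iframe has navigated elsewhere.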
@trevorlinton If you have some code I would appreciate it.. if you have to write it, don't worry and don't waste precious time for this. Thank you again
Hello @trevorlinton
Is there any way to build the app with a custom node-webkit manifest?
In my situation I need to make some Ajax requests from the embed:// app to a remote server.
So maybe I need to enable node-remote https://github.com/rogerwang/node-webkit/wiki/Manifest-format#node-remote
Trying to make some ajax requests, I'm getting a warning "Application warning (stderr)" (inside the Tint Compiler log) but anyway I can get data from remote.
I think it is something related to x-domain ajax requests.
The request works, but why this warning? Is this normal?