trueinteractions / tint

Call all Node.js modules directly from DOM and enable a new way of writing applications with all Web technologies.

Manifest customization / x-domain ajax #84

Open AndryBray opened 10 years ago

AndryBray commented 10 years ago

Hello @trevorlinton, is there any way to build the app with a custom node-webkit manifest?

In my situation I need to make some Ajax requests from the embed:// app to a remote server. So maybe I need to enable node-remote: https://github.com/rogerwang/node-webkit/wiki/Manifest-format#node-remote

Trying to make some Ajax requests I'm getting a warning "Application warning (stderr)" (inside the Tint Compiler log), but anyway I can get data from the remote server. I think it is something related to the x-domain Ajax request. The request works, but why this warning? Is this normal?

AndryBray commented 10 years ago

I have just realized that the Tint console shows "Warning" even if I type console.log('something'), so about x-domain Ajax, I was printing debug info and it should be ok. Could you confirm?

Anyway, do you plan to let us customize the package.json manifest of node-webkit? (It could be inside a new "Advanced" tab in the Tint Compiler.)

Thank you

AndryBray commented 10 years ago

Hi @trevorlinton, I think it's important to let us customize the package.json manifest...

I need to set the "node-remote" parameter but I can't find a way to do it with Tint Compiler. Please let me know if you plan to do it or if there is some workaround. Thank you.

trevorlinton commented 10 years ago

@AndryBray the node-remote parameter (if I'm correct) enables Node.js for resources outside of the embed:// app:// file:// chrome:// and nw:// schemes. This is a huge security risk. This would allow a remote web page to read, write or do anything on your local computer, and it is purposely disabled for security concerns.

Consider if someone were to break into the remote server. They could format the hard drive, install a virus or conduct a huge number of malicious attacks on every person who had your app installed. In addition, this violates rules set by the Mac App Store and Windows Store. If this feature were enabled it would result in a blacklist of all applications built with Tint.

You should be able to issue Ajax calls, iframe in remote content, or otherwise pull resources from servers, but they do not have Node.js/Tint APIs enabled and are sandboxed.

Am I misinterpreting your request? Perhaps a more detailed use case will help me resolve your issue.

AndryBray commented 10 years ago

@trevorlinton yes, I know. I was thinking of allowing only certain domains to access the app from an iframe (imagine a dynamic remote dashboard app which will launch/open other windows). The main reason is to avoid a lot of local updates, as the app has to be online to work anyway.

What about Ajax requests sent from embed:// to a remote URL? Will the App Store block these as well?

Anyway, will you provide a tool to customize other params of the manifest?

Thank you

trevorlinton commented 10 years ago

@AndryBray Ajax requests are fine. Are you getting a warning or error if you try to access a resource using an Ajax request?

We're working on supporting the features within the manifest from Tint Compiler. Are there other options besides node-remote that you need to customize?

AndryBray commented 10 years ago

At the moment I don't need one exactly, but it would be nice to have the possibility to write/override the Tint default params (of package.json), of course leaving those that are mandatory to build the Tint custom wrapper/main.js.

AndryBray commented 10 years ago

@trevorlinton Another question:

What do you think about a design like this:

The local app (embed://) has a dashboard from which you can open other Tint windows with a remote URL. Is this the same kind of security problem for App Store validation? What is the best way to handle a web/remote app inside local windows but with control between windows? I'd like to know when window A is opened at the request of window B, without Ajax.

trevorlinton commented 10 years ago

@AndryBray You can use iframes to include remote URLs; in addition, use nwdisable and nwfaketop to isolate the sub-rendered page.

If you need a web browser you can open the default web browser with Application.openURI.

It's best not to try and replicate a web browser with Tint, as it's not sandboxed and secure the way web browsers are.

AndryBray commented 10 years ago

@trevorlinton I'm not trying to replicate a browser with Tint. As I told you before, I have a web app, with many updates in the beta stage... I think it's better to reload without cache on the user side than to download and install the whole package... So suppose I will run web apps under an iframe in each Tint window...

Could it be a good solution to use window.postMessage, building custom logic to let the iframe communicate with the parent window? Is it isolated enough, security-wise?

AndryBray commented 10 years ago

Hi @trevorlinton, any news about that?

About postMessage I mean this: https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage Does it solve the security problem?

Thank you

trevorlinton commented 10 years ago

@AndryBray I built a unit test and was able to post messages to the application context from the hosted iframe'd web app running on HTTP. I didn't find any issues; in addition, the security contexts are limited from one another (however, I'd still advise thoroughly checking any user content included, just to be safe).

Are you having difficulties with this?

AndryBray commented 10 years ago

Hi @trevorlinton, to be honest I still haven't tried it because I was busy. I just wanted confirmation from you, because you know much better than I whether this is a good way to do it.

Thank you for your time.

trevorlinton commented 10 years ago

@AndryBray I can give you an example app. Essentially you can do one of two things: if you need to communicate between two windows you can use the "global" object that's available on all windows; however, only the resources loaded in your application will be allowed to read and write to this object. If you need to communicate to and from an iframe you can use window.postMessage and window.onMessage; the iframe (and vice versa) can pass serializable objects through this to give instructions or pass data without any security risks or any violation of app store rules.

I would say it may not be the best idea to eval the results you get back from an onMessage, for obvious security reasons :)

Let me know if you have any problems with this method. I'll keep this open until I hear back.
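An added example of the postMessage approach described in the comment above (this is not code from the Tint project or from either commenter): a handler in the parent embed:// window that allowlists the iframe's origin, validates the message shape, and dispatches on a fixed command table instead of eval'ing the payload. The dashboard origin is a constructed placeholder.

```javascript
// Added example, not Tint project code: a parent-window (embed://) handler
// for messages posted by a remote web app running inside an iframe.
// The origin below is a constructed placeholder for the real dashboard host.
const ALLOWED_ORIGINS = new Set(['https://dashboard.example.com']);

// Fixed command table: each handler validates its own payload, so nothing
// received over postMessage is ever eval'd or used as a property path.
const COMMANDS = {
  ping: () => ({ pong: true }),
  'open-window': (payload) => {
    if (typeof payload.url !== 'string') throw new Error('url must be a string');
    const url = new URL(payload.url); // throws on malformed input
    if (!ALLOWED_ORIGINS.has(url.origin)) throw new Error('url origin not allowed');
    return { opened: url.href };
  },
};

// Pure function over a MessageEvent-like object so it can be unit-tested.
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return { ok: false, reason: 'origin rejected' };
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.cmd !== 'string') {
    return { ok: false, reason: 'malformed message' };
  }
  // hasOwnProperty keeps 'constructor', '__proto__' etc. from resolving via Object.prototype
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, data.cmd)) {
    return { ok: false, reason: 'unknown command' };
  }
  try {
    return { ok: true, result: COMMANDS[data.cmd](data.payload || {}) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Reply to the frame that sent the message, pinned to its origin (never '*').
function replyTo(event, response) {
  if (event.source && typeof event.source.postMessage === 'function') {
    event.source.postMessage(response, event.origin);
  }
}

if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => replyTo(event, handleMessage(event)));
}
```

The iframe side does the symmetric check on `event.origin` before acting on the reply, so neither side trusts a message just because it arrived.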

AndryBray commented 10 years ago

@trevorlinton that's what I was thinking about: building a custom message system (instead of using eval).

If you have some code I would appreciate it... if you would have to write it, don't worry and don't waste precious time on this.

Thank you again