Call Web Service on ANY host from WebWorks app?

lgingell · ‎01-07-2009

I have a few apps in BlackBerry world. One in Java, one Air, one Android.

I'm working on a WebWorks/BBUI app for BB10 that will also go on BlackBerry World for sale.

This particular app talks to a users' own server via xmlHttp.open, xmlHttp.send etc.

When the user starts the application, it asks them to enter the name of THEIR server, where another system is running (and expecting connections from the mobile device running this applicatoin)

I have the application communicating with my web service from the app on a BB10 device but ONLY if I specify

 <access uri="http://mydomain.com" subdomains="true" />

in the config.xml

If I use

 <access uri="*" subdomains="true" />

I receive a JavaScript alert on the device "http://otherdomain.com..." not allowed.

From the Ripple emulator, this will work with "cross domain proxy" disabled.

I have enabled cross origin resourse sharing on my test servers enable-cors.org and this appears to work in Ripple.

Doing some research, I notice that this page:

Securing WebWorks

Says that "The wildcard character (*) cannot be used for data accessed by XMLHttpRequest, in this case, you must explicitly specify each domain"

So, if that is that case, how the heck can I write a WebWorks application for the BlackBerry World store, with a web service that can connect to the customers OWN server ? Obviously, I can't add an access uri for their server to my config.xml, since it could be anything.

dSolver · ‎02-08-2012

Would it be possible for you to set your own server up as a proxy for the multitude of other servers?

Also, not sure if you know about JSONP already (wiki link)

And a similar problem but associated with JSONP (forum link)

Hope this helps!

Building amazing things with limited tools is my job.

lgingell · ‎01-07-2009

Thanks for the reply, but having my server be a proxy is a definite no-no in this case.

I'd looked at JSONP, but it would require major server changes, and I'm not even sure it would fix this issue.

My head hurts!

peardox · ‎03-20-2011

There is this...

<feature id="blackberry.app">
    <param name="websecurity" value="disable" />
</feature>

BUT...

Disables web security. Disabling web security allows you to access remote content from unknown sources during development. Before packaging your app for distribution, you should remove this setting.

This feature is intended as a development convenience only. In production, all URIs should be known and should be whitelisted using the <access> element.

I'm not sure if it'd pass BBW with that param enabled

Your inability to proxy makes it sound like you're talking to the public interface of a service that provides sensitive information - e.g. a financial package

There is one solution that springs to mind although it's far from trivial to automate

Buy a domain with full DNS capability. Ideally one with remote DNS setup (you could do it manually but that's a bad option)

Now - having secured mymegasafefinancialapp.com whitelist the domain for XHR on subdomains

User signs up - selects a username - user name is added to DNS as a CNAME record

So I sign up telling the app I want to go to peardox.com and a new DNS record is created with

peardox.mymegasafefinancialapp.com CNAME peardox.com

That will get you around the situation without using a proxy

It's messy but will work

Click the like button if you find my posts useful!

erikjohnzon · ‎09-21-2012

peardox is correct, we don't have an api to add a domain dynamically. You can disable it though. You can see the conversation that originally took place here:

https://github.com/blackberry/BB10-WebWorks-Framework/issues/392

@erikjohnzon
erjohnson@blackberry.com

lgingell · ‎01-07-2009

I did see the websecurity option just after I posted (thanks for making me aware though). Which brings up these questions:

1. What ELSE will turning off websecurity do?

2. Will it pass review on BlackBerry World?

However, I fail to see how WebWorks can be angled as the technology to port over BB OS java apps if it can't be pointed to any back end service at runtime!

This IS possible from BBOS Java, Air, Android player, and on iOS, Android and Windows Phone/RT.

Could you imagine if Microsoft could sell Outlook, but it wouldn't connect to your own Exchange server, only their proxy?!

I have to think there's something amiss here in the API.

Perhaps if "websecurity" just does an allow all, then the name of the feature is the issue, not the functionality?

peardox · ‎03-20-2011

If you read the discussion pointed to above you'll see the thoughts of those who decided on this

We had a similar thread a few days ago over private networks

I reckon bb are trying to push devices as the only safe biz platform which sorta explains the restriction

I guess websecurity was added pretty recently, possibly in gold

Personally i'd put in a test app with websecurity just to see what happens

Yeah, it is a bit dumb

Click the like button if you find my posts useful!

Welcome!

Web and WebWorks Development

Call Web Service on ANY host from WebWorks app?

Re: Call Web Service on ANY host from WebWorks app?

Re: Call Web Service on ANY host from WebWorks app?

Re: Call Web Service on ANY host from WebWorks app?

Re: Call Web Service on ANY host from WebWorks app?

Re: Call Web Service on ANY host from WebWorks app?

Re: Call Web Service on ANY host from WebWorks app?