Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Web and WebWorks Development

Reply
New Contributor
muthuraja
Posts: 6
Registered: ‎12-05-2012
My Device: BB10 Dev Alpha B
My Carrier: AT

In Z30, Problem in loading Archived JS file from HTTPS URI

[ Edited ]

Hi,

 

In bb10 Webworks Application, we are using iframe. This iframe loads the page https://xxx.yyy.com/child.html.
We want to include the js file from the local(Archived Bar file) to this page. So We inserted the script like below in Child.html.

<script type="text/javascript" src="local:///js/custom.js"></script>

We added the below required permission in Config.xml also.
<access uri="https://xxx.yyy.com" subdomains="true" >

But we got the Error, it says

"[blocked] The page at https://xxx.yyy.com/child.html ran insecure content from local:///js/custom.js"

 

Working Scenario:

1. Tested the same scenario With HTTP and HTTPS URI in Z10, Q10 and Q5 devices, its working fine.
2. Tested the same scenario With HTTP URI in Z30 device, its working fine.

 

So its not working only with Accessing from HTTPS uri in Z30 Device.

 

Please suggest us on how to resolve it in Z30?

Please use plain text.
BlackBerry Development Advisor
twindsor
Posts: 807
Registered: ‎07-15-2008
My Device: Z10
My Carrier: Bell

Re: In Z30, Problem in loading Archived JS file from HTTPS URI

What OS versions were you testing with?

 

This seems like it would be standard browser security that would block this - you're injecting local JavaScript into a secure page.

 

Perhaps you need to turn off WebSecurity in your app?

Tim Windsor
Application Development Advisor II
Please use plain text.
Developer
peardox
Posts: 1,229
Registered: ‎03-20-2011
My Device: Playbook, Z10 LE, Dev Alpha B, 2x Dev Alpha C
My Carrier: 3, Orange, Vodafone

Re: In Z30, Problem in loading Archived JS file from HTTPS URI

[ Edited ]

Is the case by any chance that you're trying one of the Goolge sites?

 

These can be a nightmare so you constantly run into this sort of issue as you get passed around to some server that fulfils the request

 

As Tim says sticking the following in your config.xml will make the problem go away without fail

 

	<feature id="blackberry.app">
		<param name="websecurity" value="disable" />
	</feature>

 

 

 

 

 




Click the like button if you find my posts useful!
Please use plain text.
BlackBerry Development Advisor
anzor_b
Posts: 164
Registered: ‎09-24-2012
My Device: White BlackBerry 10
My Carrier: Bell

Re: In Z30, Problem in loading Archived JS file from HTTPS URI

This behavior is by design starting with 10.2+. This is a security feature that you cannot (and should not turn off).

 

You are trying to use cross-protocol communication. Your iframe is loaded from https:// and trying to access local://

 

What you need to do, is use the secure postMessage() function to communicate between your iframe and parent window. 

 

Here's the flow:

 

Load the local files from the local index.html that contains the iframe.

Have a window.onmessage = function(){} function, where you trigger what you need from custom.js based on what you send from the iframe.

In the iframe, call window.parent.postMessage("doSomething");

The parent will receive this message, and trigger the correct functions.

 

This is how it works in Chrome and all other browsers, and complies with standard web security principles.

I am putting together a KB article which covers this kind of use case. (should be ready within a few days)

Please use plain text.
BlackBerry Development Advisor
anzor_b
Posts: 164
Registered: ‎09-24-2012
My Device: White BlackBerry 10
My Carrier: Bell

Re: In Z30, Problem in loading Archived JS file from HTTPS URI

Please use plain text.
Developer
peardox
Posts: 1,229
Registered: ‎03-20-2011
My Device: Playbook, Z10 LE, Dev Alpha B, 2x Dev Alpha C
My Carrier: 3, Orange, Vodafone

Re: In Z30, Problem in loading Archived JS file from HTTPS URI

Class A, B and C networks need to ignore this

They are trusted anyway but were missed in earlier releases

This is as I understand why web security became switchable



Click the like button if you find my posts useful!
Please use plain text.