02-20-2013 01:32 PM
I have a few apps in BlackBerry world. One in Java, one Air, one Android.
I'm working on a WebWorks/BBUI app for BB10 that will also go on BlackBerry World for sale.
This particular app talks to a users' own server via xmlHttp.open, xmlHttp.send etc.
When the user starts the application, it asks them to enter the name of THEIR server, where another system is running (and expecting connections from the mobile device running this applicatoin)
I have the application communicating with my web service from the app on a BB10 device but ONLY if I specify
<access uri="http://mydomain.com" subdomains="true" />
in the config.xml
If I use
<access uri="*" subdomains="true" />
From the Ripple emulator, this will work with "cross domain proxy" disabled.
I have enabled cross origin resourse sharing on my test servers enable-cors.org and this appears to work in Ripple.
Doing some research, I notice that this page:
Says that "The wildcard character (*) cannot be used for data accessed by XMLHttpRequest, in this case, you must explicitly specify each domain"
So, if that is that case, how the heck can I write a WebWorks application for the BlackBerry World store, with a web service that can connect to the customers OWN server ? Obviously, I can't add an access uri for their server to my config.xml, since it could be anything.
02-20-2013 04:29 PM
02-20-2013 04:50 PM
Thanks for the reply, but having my server be a proxy is a definite no-no in this case.
I'd looked at JSONP, but it would require major server changes, and I'm not even sure it would fix this issue.
My head hurts!
02-20-2013 09:25 PM
There is this...
<feature id="blackberry.app"> <param name="websecurity" value="disable" /> </feature>
Disables web security. Disabling web security allows you to access remote content from unknown sources during development. Before packaging your app for distribution, you should remove this setting. This feature is intended as a development convenience only. In production, all URIs should be known and should be whitelisted using the <access> element.
I'm not sure if it'd pass BBW with that param enabled
Your inability to proxy makes it sound like you're talking to the public interface of a service that provides sensitive information - e.g. a financial package
There is one solution that springs to mind although it's far from trivial to automate
Buy a domain with full DNS capability. Ideally one with remote DNS setup (you could do it manually but that's a bad option)
Now - having secured mymegasafefinancialapp.com whitelist the domain for XHR on subdomains
User signs up - selects a username - user name is added to DNS as a CNAME record
So I sign up telling the app I want to go to peardox.com and a new DNS record is created with
peardox.mymegasafefinancialapp.com CNAME peardox.com
That will get you around the situation without using a proxy
It's messy but will work
02-20-2013 10:10 PM
peardox is correct, we don't have an api to add a domain dynamically. You can disable it though. You can see the conversation that originally took place here:
02-21-2013 11:01 AM
I did see the websecurity option just after I posted (thanks for making me aware though). Which brings up these questions:
1. What ELSE will turning off websecurity do?
2. Will it pass review on BlackBerry World?
However, I fail to see how WebWorks can be angled as the technology to port over BB OS java apps if it can't be pointed to any back end service at runtime!
This IS possible from BBOS Java, Air, Android player, and on iOS, Android and Windows Phone/RT.
Could you imagine if Microsoft could sell Outlook, but it wouldn't connect to your own Exchange server, only their proxy?!
I have to think there's something amiss here in the API.
Perhaps if "websecurity" just does an allow all, then the name of the feature is the issue, not the functionality?
02-21-2013 12:30 PM
If you read the discussion pointed to above you'll see the thoughts of those who decided on this
We had a similar thread a few days ago over private networks
I reckon bb are trying to push devices as the only safe biz platform which sorta explains the restriction
I guess websecurity was added pretty recently, possibly in gold
Personally i'd put in a test app with websecurity just to see what happens
Yeah, it is a bit dumb