Feature Request
Motivation Behind Feature
In some development environments, an API is served over SSL via the protocol https. Communicating with that API from a Cordova browser instance on a developer's machine is very efficient work flow. However, modern browsers disallow cross-origin communications between insecure and secured servers. In this case, the secured server is the API, and the insecure server is the current cordova-browser instance served with Node's http module. This is because it is always served without SSL.
I do not intend for this to be used in production environments, though there is no encoded limitation on its usage within this proposal.
Feature Description
A new option --https would be added to the command cordova run browser --> cordova run browser --https. The default option is false.
When this option is present, the node module https will be used to construct the server. The server accepts a keyfile and certificate, whose provision is the responsibility of the user.
When this option is not present, the current node module http is used. Also, the projectURL used in opening a browser window likewise switches based on the --https option.
A user choosing this option is most likely to see a warning page in the browser while opening the Cordova browser index.html. They merely need to accept the warning to continue onwards to their Cordova project's index page.
#89 first proposed this, but was rejected and is currently closed. I have implemented this locally, and it works well.
Alternatives or Workarounds
Exposing the API over non-secure http is an alternative. In my context, this was rejected strongly for security reasons, especially relating to corporate security accountability programs.
The second is that a developer independently hacks their local cordova installation to enable https. This is suboptimal since upgrading becomes a hassle, requiring careful VCS audits to restore erased, custom code.
Feature Request
Motivation Behind Feature
In some development environments, an API is served over SSL via the protocol
https. Communicating with that API from a Cordova browser instance on a developer's machine is very efficient work flow. However, modern browsers disallow cross-origin communications between insecure and secured servers. In this case, the secured server is the API, and the insecure server is the current cordova-browser instance served with Node'shttpmodule. This is because it is always served without SSL.I do not intend for this to be used in production environments, though there is no encoded limitation on its usage within this proposal.
Feature Description
A new option
--httpswould be added to the commandcordova run browser-->cordova run browser --https. The default option is false.When this option is present, the node module
httpswill be used to construct the server. The server accepts a keyfile and certificate, whose provision is the responsibility of the user.When this option is not present, the current node module
httpis used. Also, theprojectURLused in opening a browser window likewise switches based on the--httpsoption.A user choosing this option is most likely to see a warning page in the browser while opening the Cordova browser index.html. They merely need to accept the warning to continue onwards to their Cordova project's index page.
#89 first proposed this, but was rejected and is currently closed. I have implemented this locally, and it works well.
Alternatives or Workarounds
Exposing the API over non-secure http is an alternative. In my context, this was rejected strongly for security reasons, especially relating to corporate security accountability programs.
The second is that a developer independently hacks their local cordova installation to enable https. This is suboptimal since upgrading becomes a hassle, requiring careful VCS audits to restore erased, custom code.