Feature Request
Motivation Behind Feature
In some development environments, an API is served over SSL via the protocol https
. Communicating with that API from a Cordova browser instance on a developer's machine is very efficient work flow. However, modern browsers disallow cross-origin communications between insecure and secured servers. In this case, the secured server is the API, and the insecure server is the current cordova-browser instance served with Node's http
module. This is because it is always served without SSL.
I do not intend for this to be used in production environments, though there is no encoded limitation on its usage within this proposal.
Feature Description
A new option --https
would be added to the command cordova run browser
--> cordova run browser --https
. The default option is false.
When this option is present, the node module https
will be used to construct the server. The server accepts a keyfile and certificate, whose provision is the responsibility of the user.
When this option is not present, the current node module http
is used. Also, the projectURL
used in opening a browser window likewise switches based on the --https
option.
A user choosing this option is most likely to see a warning page in the browser while opening the Cordova browser index.html. They merely need to accept the warning to continue onwards to their Cordova project's index page.
#89 first proposed this, but was rejected and is currently closed. I have implemented this locally, and it works well.
Alternatives or Workarounds
Exposing the API over non-secure http is an alternative. In my context, this was rejected strongly for security reasons, especially relating to corporate security accountability programs.
The second is that a developer independently hacks their local cordova installation to enable https. This is suboptimal since upgrading becomes a hassle, requiring careful VCS audits to restore erased, custom code.