The following is a guest post from Ed Bourne:
Help! How can I write a BlackBerry 10 app that connects to an unknown server from BlackBerry 10 WebWorks?
When building a WebWorks or Cordova app that makes AJAX/XMLHttpRequest calls (e.g., for JSON or OData), you may need your app to be flexible about the destination of those calls. You might want your app to work the same way when connecting to a test, QA or production URI. Or you might want to publish your app to BlackBerry World, from where it will be deployed to the workspace of a customer with access to a corporate URI.
In these cases, you can’t whitelist the URIs in your application since you don’t know the URI you want to access at compile time. You also can’t use a wild card in your config.xml of:
<access uri="*" />
Why? Because AJAX calls are specifically barred from this; they require you to whitelist specific URIs. See this link for more details.
However, there is an alternative in the form of a param option in the config.xml:
<feature id="blackberry.app">
    <param name="websecurity" value="disable" />
</feature>
Adding this to your config.xml will work, but you will find a warning that this should NOT be used in production. Disabling web security turns off the security measures that protect your application from untrusted content. Traditionally, a browser’s security model prevents content from different domains from interacting with each other, allowing developers to more easily include untrusted content without worrying about its effects. Content from a different domain (included via iframes, XHR, scripts or anything else) is restricted from interacting with your content, reducing the risk posed by malicious code. Does this mean disabling web security is unsafe in all situations? No, but developers should be especially cautious when including third-party content.
However, apps that are deployed into the work perimeter are generally safe. The workspace is managed by your IT department, is encrypted (encryption of the personal space is optional), and applications that run in the workspace are all whitelisted by IT. All traffic from an app in the workspace is routed through your corporate network, which is protected by proxy rules, a firewall and other security measures.
In practice, an app deployed with web security disabled in the workspace is perfectly fine. It’s like storing your password in the clear, in a safe: you’re covered.
For more details on the workspace and workspace security, have a look at this document. Page 49 details how the BlackBerry device service and devices protect work and personal data and apps, and page 118 discusses how the BlackBerry 10 OS uses sandboxing to protect app data.
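With websecurity disabled, the platform no longer restricts where XHR calls go, so the app itself can check a server URI that is only supplied at run time before sending anything to it. The JavaScript below is an added example, not code from the original post or from BlackBerry; `ALLOWED_HOST_SUFFIXES`, the function names and the `example.com` hosts are assumptions made for illustration.

```javascript
// Added example (not from the original post): validate a server URI that is
// only known at run time before any XMLHttpRequest is sent to it.
// ALLOWED_HOST_SUFFIXES and all sample hosts are constructed placeholders.
var ALLOWED_HOST_SUFFIXES = ['.corp.example.com'];

// Split "scheme://host[:port]/path" without relying on the URL constructor.
function parseServerUri(input) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(String(input).trim());
  if (!m) return null;
  // Reject userinfo ("user@host"): it can disguise the real destination.
  if (m[2].indexOf('@') !== -1) return null;
  var hp = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(m[2]);
  if (!hp) return null;
  return { scheme: m[1].toLowerCase(), host: hp[1].toLowerCase(), port: hp[2] || '' };
}

function checkServerUri(input) {
  var u = parseServerUri(input);
  if (!u) return { ok: false, reason: 'unparseable' };
  // Plain http would expose requests and responses to tampering in transit.
  if (u.scheme !== 'https') return { ok: false, reason: 'not-https' };
  var allowed = ALLOWED_HOST_SUFFIXES.some(function (suffix) {
    // Match on a label boundary, so "evilcorp.example.com" does not pass.
    return u.host.length > suffix.length && u.host.slice(-suffix.length) === suffix;
  });
  if (!allowed) return { ok: false, reason: 'host-not-allowed' };
  return { ok: true, origin: 'https://' + u.host + (u.port ? ':' + u.port : '') };
}

// Build the URL handed to XMLHttpRequest.open(); the path comes from app code only.
function buildRequestUrl(serverUri, path) {
  var result = checkServerUri(serverUri);
  if (!result.ok) throw new Error('Refusing server URI: ' + result.reason);
  if (!/^\/(?!\/)/.test(path)) throw new Error('Path must start with a single "/"');
  return result.origin + path;
}
```

The suffix list would typically be provisioned by the same IT department that deploys the app, so the set of acceptable hosts stays under administrative control even though the exact URI is not fixed at compile time.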