Windows 8 Security and Dynamic Code

Windows 8 Security and Dynamic Code

Recently while working on bringing Apache Cordova to Windows 8 I came across an issue with dynamic content.  The Apache Cordova mobile-spec project, which defines all of our tests,  has some tricks for loading a configurable cordova-js file without having to modify every html page.  It seems the security model does not like to script tags written at runtime with document.write ( a poor practice anyway )

Here is the original source with the issue :

var cordovaPath = scripts[scripts.length - 1].src.replace('cordova.js', 'cordova.windows8.js');
document.write('<script type="text/javascript" charset="utf-8" src="' + cordovaPath + '"></script>');

Here is the error message, with a helpful link to the docs :

Unable to add dynamic content. A script attempted to inject dynamic content, or elements previously modified dynamically, that might be unsafe.
For example, using the innerHTML property to add script or malformed HTML will generate this exception. Use the toStaticHTML method to filter dynamic content, or explicitly create elements and attributes with a method such as createElement.
For more information, see

In order to dynamically load a script, I had to change to use the DOM APIs, here is the updated working source :

for (var n = 0; n < scripts.length; n++) {
    if (scripts[n].src.indexOf('cordova.js') > -1) {
        var cordovaPath = scripts[n].src.replace('cordova.js', 'cordova.windows8.js');
        var scriptElem = document.createElement("script");
        scriptElem.src = cordovaPath;

  1. Jeff K
    Jeff K10-04-2012

    Thanks for the info Jesse. I have been looking for details on Win8 support in PhoneGap and would be interested in getting involved in making this support a reality. Can you share anything about Win8 support in PhoneGap (and how to get involved)? Thanks!

  2. Jesse

    Windows 8 will be mainline Apache Cordova shortly, you can contribute via the same processes as Cordova.

    The majority of the work is JavaScript, so it is happening here :

    Defects are tracked here :

    My own forks are all on github,

    No Twitter Messages