2

The iOS license terms states:

3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's builtin WebKit framework, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

Which is a slight change to the terms as discussed here: Does javascript on iOS have to be downloaded *by* the WebKit framework in addition to executing within its framework?

Which arguably implies you CAN download and execute Javascript if its executed within a UIWebView as UIWebView is part of the builtin WebKit framework.

What is the situation regarding downloading and executing Javascript using not UIWebView but JavaScriptCore. Is JavaScript core considered part of the WebKit framework

Improve this question
1
  • @Sasauges: Please accept an answer. Commented Jul 23, 2015 at 10:42

4 Answers 4

Reset to default
5

Apple updated the policy which explicitly allows JavascriptCore to download and run javascript.

Here's the latest

3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

You may now choose freely wether to use UIWebView/WKWebView or JavascriptCore.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

4

JavaScriptCore believes itself to be part of the WebKit framework per the domain hosting its documentation and is named as part of WebKit by Wikipedia. JavaScriptCore.framework is a separate file on disk but there is no WebKit.framework. One of the files in that framework is named 'WebKitAvailability.h' and defines preprocessor macros like WEBKIT_VERSION_4_0 and a bunch of things that WebKit uses to mark functions as available only in certain versions, indicating that the header is used to signify WebKit availability rather than to test for it.

So on the balance of probabilities I'd argue that JavaScriptCore is part of the WebKit framework.

Improve this answer

1 Comment

Goin to have to disagree. The JavascriptCore Framework documentation is pretty emphatic about it's functional separation from Webkit and Webviews. It's a point of contention those who want to use the framework to work with Webviews.
2

Is JavaScript core considered part of the WebKit framework

There are two implementations of JavascriptCore. One is embedded in Webkit and runs only via a Webview. The second is in the JavascriptCore.framework and runs indepently of Webkit and can communication with every object in an app except a Webview.

It's clearly a security firewall. It would be madness to set up a system in which arbitrary Javascript executing in a webpage could directly program the app itself. Microsoft made a mistake pretty close to that circa 2000 IIRC. There was also around that time a little Applescript that would let you trigger Applescripts via Javascript on a webpage. It was intended for server admins to make remote admin pages but it blew open the security entirely. One, wrong line in any of the scripts and a black hat owned your machine.

I think the key phrase in the license is:

An Application may not download or install executable code...[emp added]

It's the possibility that the app can modify its function without user knowledge that causes the threat. However, if the user wants to manually direct an app to download a script and then run it in the JavascriptCore.framework, I don't think that would be a problem.

It's analogous to the app sandbox on the map. Apps are restricted by their entitlements in what files they reach automatically and without the user's knowledge. But, if the user manually uses Powerbox to choose files and locations, then the app can access any file the user choose. Likewise, if the user chooses to download and execute a script, separate from a Webview, then I doubt there is a problem.

I'd talk to Apple Developer Relations and get a direct answer before burning any time on a function that might get rejected. They're highly responsive in my experience.

Improve this answer

Comments

1

I don't know the answer but this is too long to put in the comments section.

I'm reading the Ray Wenderlich iOS7 by tutorials book and in there it says:

"Note there are two things you cannot use JavaScript for: downloading and executing JavaScript code from a remote server ….that is against the iOS Developer Program agreement section 3.3.2".

But as can be seen above section 3.3.2 says:

"The only exception to the foregoing is scripts and code downloaded and run by Apple's builtin WebKit framework".

Which suggests if you download JavaScript as part of a page loaded by and executed by UIWebView then it is permitted. So seems to be in contradiction to the Ray Wenderlich quote, or is it. That's probably just the author's opinion, I doubt if anybody knows definitively what the exact situation is here regarding Javascript and if there's any difference between using UIWebView and JavaScriptCore.

Now if JavaScriptCore is considered part of WebKit how does the precise wording of the phrase from 3.3.2 "scripts and code downloaded and run by" come into play.

Is it the downloaded part, or the run by part, or both the downloaded and run by part. Or the wording is irrelevant because Apple make things as vague as they can seemingly on purpose.

But how would Apple ever know that your app downloaded javascript? If your app downloads content for display in a UIWebVIew how would they know its not just downloading plain old html. They can't know. So if Javascript can't be downloaded and executed then in order to enforce that Apple would have to say they are banning apps the BOTH download stuff, any stuff, AND use a UIWebView. Otherwise how could they possible enforce a ban?

Its all crazy.

Improve this answer

2 Comments

I think this has hit the nail on the head - how can Apple know if your app is downloading and executing Javascript without very very closely examining the source code (knowing which APIs are being used wouldn't be sufficient). You could have an app which downloads pdf files and then uses a UIWebView to display them. Something which is all totally fine. How would Apple know if your app changed from downloading pdfs to downloading and running Javascript?
"How would Apple know if your app changed from downloading pdfs to downloading and running Javascript?" They wouldn't, but they would know if your app was calling stringByEvaluatingJavaScriptFromString for example and might say "Why are you using stringByEvaluatingJavaScriptFromString just to display pdfs, seems suspicious to us. Rejected" Couldn't they?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.