Windows 8 Security and Dynamic Code

Recently while working on bringing Apache Cordova to Windows 8 I came across an issue with dynamic content.  The Apache Cordova mobile-spec project, which defines all of our tests,  has some tricks for loading a configurable cordova-js file without having to modify every html page.  It seems the security model does not like to script tags written at runtime with document.write ( a poor practice anyway ) Here is the original source with the issue :

var cordovaPath = scripts[scripts.length - 1].src.replace('cordova.js', 'cordova.windows8.js');
document.write('<script type="text/javascript" charset="utf-8" src="' + cordovaPath + '"></script>');

Here is the error message, with a helpful link to the docs :

Unable to add dynamic content. A script attempted to inject dynamic content, or elements previously modified dynamically, that might be unsafe. For example, using the innerHTML property to add script or malformed HTML will generate this exception. Use the toStaticHTML method to filter dynamic content, or explicitly create elements and attributes with a method such as createElement. For more information, see

In order to dynamically load a script, I had to change to use the DOM APIs, here is the updated working source :

for (var n = 0; n < scripts.length; n++) {
    if (scripts[n].src.indexOf('cordova.js') > -1) {
        var cordovaPath = scripts[n].src.replace('cordova.js', 'cordova.windows8.js');
        var scriptElem = document.createElement("script");
        scriptElem.src = cordovaPath;