RE: [sysapps/runtime] cross origin XHR in packaged apps from Nilsson, Claes1 on 2013-03-29 (public-sysapps@w3.org from March 2013)

From: Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com>
Date: Fri, 29 Mar 2013 09:39:51 +0100
To: "'SULLIVAN, BRYAN L'" <bs3131@att.com>, Ming Jin <ming.jin.web@gmail.com>
CC: "public-sysapps@w3.org" <public-sysapps@w3.org>
Message-ID: <6DFA1B20D858A14488A66D6EEDF26AA3C596268194@seldmbx03.corpusers.net>

Just an additional note.

With the raw socket API it will be possible to implement service discovery in local network using UPnP and mDNS. To be able to communicate with dynamically discovered devices unrestricted xhr is needed. CORS is not applicable in this case and we need something like the Chrome app manifest permission statement:

  "permissions": [
    "http://*/"
  ]

Best regards
  Claes

From: SULLIVAN, BRYAN L [mailto:bs3131@att.com]
Sent: den 28 mars 2013 18:25
To: Ming Jin
Cc: public-sysapps@w3.org
Subject: RE: [sysapps/runtime] cross origin XHR in packaged apps

Second is that, unlike hosted apps which can at least make XHR calls to the same origin, every XHR call in a packaged app is cross-origin (i.e., no same-origin XHR at all). This means that if we allow CORS as is for packaged apps, there'll be no way to do any XHR call from a packaged app.
<bryan> I don't understand your point. XHR2 supports CORS, and is the defacto standard now. So cross-origin XHR works fine.
You are right that we have XHR2 for CORS. That was my mistake writing too fast. What I wanted to say was that, if we solely rely on CORS mechanism in packaged apps to do XHR, then in short-term period it'll be very difficult for us to use XHR in packaged apps (since same-origin XHR is not available for packaged apps, and majority servers are not CORS-enabled, and even CORS-enabled servers may not know app:// origin), while hosted apps can at least make XHR call to its same-origin server.

<bryan> I understand there is a server-side component to CORS, and that it will take time for services to implement it (it's really very easy to do). Services that offer XHR-accessible APIs/resources (and that expect apps to retrieve those resources using XHR) should be the first to implement CORS. If needed, I would also recommend as a supplemental approach that something ala (or exactly) like WARP should be supported by the UA. The problem with relying solely on WARP is that except for signed/trusted apps, you will expect the user to be aware of and approve app access to those resources - something most users will just hit the "ok, whatever" button in response to.

Received on Friday, 29 March 2013 08:40:21 UTC