- From: Ming Jin <ming79.jin@samsung.com>
- Date: Wed, 27 Mar 2013 17:51:42 +0900
- To: public-sysapps@w3.org
Hi SysApps,
I'd like to discuss supporting cross-origin XHR in packaged apps.
*Problem statement*
In the current runtime proposal, local resources in a packaged app have an "app://"
based origin, and every XHR request to an http/https URL will initiate a
cross-origin XHR. Since most of the servers are not aware of the "app://" origin and
are not even CORS-enabled, the XHR will simply fail due to the same-origin policy.
*Existing approaches*
Firefox OS provides a modified XHR API (new XMLHttpRequest({mozSystem:
true});) to relax same-origin restrictions [1], and Chrome allows Extensions
to specify origin white-listing to by-pass CORS checking [2].
*Analysis*
In general, it'll be better to reuse existing XHR without modification, and
also better to provide the cross-origin XHR functionality to as many apps as
possible (i.e., not only restricted to "certified" apps).
Adding a manifest entry (e.g., "allow-origin") to white-list the origins
seems to be a better approach, but the manifest entry should not be
applicable to hosted apps (otherwise it defeats the purpose of CORS). Since
the "app://" origin only makes sense locally to the device, by-passing CORS
checking for local resources also makes sense.
*Proposed change*
Introduce a new manifest entry (e.g., "allow-origin"), and put additional
description on that to indicate that it's only applicable to local resources
of packaged apps.
So what's your opinion?
Thanks,
Ming Jin
[1] https://groups.google.com/forum/#!topic/mozilla.dev.gaia/sc-G5prl7D8
[2] https://developer.chrome.com/extensions/xhr.html
Received on Wednesday, 27 March 2013 08:52:16 UTC
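
Added example, not part of the original message or of any runtime's code: one way a runtime could decide when the proposed "allow-origin" entry lets a request skip CORS checking. The manifest shape (`packaged`, an array under `"allow-origin"`), the function names, the sample origins and the choice to ignore wildcard entries are all assumptions.

```javascript
// Hypothetical decision logic for the proposed "allow-origin" manifest entry.
// Manifest shape, function names and sample origins are assumptions.

// Serialize scheme://host[:port]. URL.origin cannot be used here because it
// is the string "null" for non-special schemes such as app:.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns "same-origin", "bypass-cors" or "cors-required".
function xhrPolicy(documentUrl, targetUrl, manifest) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  const targetOrigin = originOf(targetUrl);
  if (originOf(documentUrl) === targetOrigin) return "same-origin";

  // The entry applies only to local resources of a packaged app, i.e. a
  // document with an app:// origin. Hosted apps, and remote pages loaded
  // inside a packaged app, stay under normal CORS checking.
  const isLocalPackaged = manifest.packaged === true && doc.protocol === "app:";
  if (!isLocalPackaged) return "cors-required";

  // Only http/https targets are candidates for the bypass.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return "cors-required";
  }

  // Compare full serialized origins (scheme, host, port), never prefixes or
  // substrings. Entries that do not parse as a URL, such as "*", are ignored
  // (assumption: no wildcard support).
  const allowed = (manifest["allow-origin"] || []).flatMap((entry) => {
    try {
      return [originOf(entry)];
    } catch (e) {
      return [];
    }
  });
  return allowed.includes(targetOrigin) ? "bypass-cors" : "cors-required";
}

// Constructed sample manifests.
const packagedManifest = {
  packaged: true,
  "allow-origin": ["https://api.example.com", "*"],
};
const hostedManifest = { packaged: false, "allow-origin": ["https://api.example.com"] };
```

Matching on the full origin means a listed `https://api.example.com` does not also cover `http://api.example.com` or a look-alike host such as `api.example.com.evil.test`.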