Re: [sysapps/runtime] cross origin XHR in packaged apps from SULLIVAN, BRYAN L on 2013-03-27 (public-sysapps@w3.org from March 2013)

From: SULLIVAN, BRYAN L <bs3131@att.com>
Date: Wed, 27 Mar 2013 10:42:52 +0000
To: "ming79.jin@samsung.com" <ming79.jin@samsung.com>, "public-sysapps@w3.org" <public-sysapps@w3.org>
Message-ID: <000f429c.019dfd1e5821dc64@att.com<bs3131@att.com>>

I think CORS should work as is, since the origin header will be set correctly by the web runtime (browser or native web engine) and the resource (network based or local server) can choose to honor the request or not.



For a browser based app the origin would never be based on the app: scheme.



Thanks,

Bryan Sullivan





------ Original message------

From: Ming Jin

Date: Wed, 3/27/2013 3:52 AM

To: public-sysapps@w3.org;

Subject:[sysapps/runtime] cross origin XHR in packaged apps



Hi SysApps,

I'd like to discuss about supporting cross-origin XHR in packaged apps.

*Problem statement*
In current runtime proposal, local resources in a packaged app have "app://"
based origin, and every XHR request to http/https url will initiate a cross
origin XHR. Since most of the servers are not aware of "app://" origin and
even not CORS-enabled, the XHR will simply fail due to same-origin policy.

*Existing approaches*
Firefox OS provides a modified XHR API (new XMLHttpRequest({mozSystem:
true});) to relax same-origin restrictions [1], and Chrome allows Extensions
to specify origin white-listing to by-pass CORS checking [2].

*Analysis*
In general, it'll be better to reuse existing XHR without modification, and
also better to provide the cross-origin XHR functionality to as many apps as
possible (i.e., not only restricted to "certified" apps).

Adding a manifest entry (e.g., "allow-origin") to white-list the origins
seems to be a better approach, but the manifest entry should not be
applicable to hosted apps (otherwise it defeats the purpose of CORS). Since
the "app://" origin only makes sense locally to the device, by-passing CORS
checking for local resources also makes sense.

*Proposed change*
Introduce a new manifest entry (e.g., "allow-origin"), and put additional
description on that to indicate that it's only applicable to local resources
of packaged apps.

So what's your opinion?

Thanks,
Ming Jin

[1] https://groups.google.com/forum/#!topic/mozilla.dev.gaia/sc-G5prl7D8
[2] https://developer.chrome.com/extensions/xhr.html

Received on Wednesday, 27 March 2013 10:43:43 UTC