- From: Ming Jin <ming.jin.web@gmail.com>
- Date: Fri, 29 Mar 2013 01:44:09 +0900
- To: "SULLIVAN, BRYAN L" <bs3131@att.com>
- Cc: "public-sysapps@w3.org" <public-sysapps@w3.org>
- Message-ID: <CAHNuU=uk460Z3JDE1v+FtgmBAAGzmpr6nBy=7-S01tUosGf=pA@mail.gmail.com>
2013/3/29 SULLIVAN, BRYAN L <bs3131@att.com>

> Comments inline.
>
> From: Ming Jin [mailto:ming.jin.web@gmail.com]
> Sent: Thursday, March 28, 2013 8:35 AM
> To: SULLIVAN, BRYAN L
> Cc: public-sysapps@w3.org
> Subject: Re: [sysapps/runtime] cross origin XHR in packaged apps
>
> 2013/3/27 SULLIVAN, BRYAN L <bs3131@att.com>
>
> I think CORS should work as is, since the origin header will be set
> correctly by the web runtime (browser or native web engine) and the
> resource (network based or local server) can choose to honor the request or
> not.
>
> IMHO, compared to hosted apps (or browser-based apps, as you call it),
> there are a few reasons why packaged apps (local resources) are not quite
> appropriate for CORS.
>
> First is the uniqueness of the "app://" based origin. Unlike DNS, which
> has a central authority (IANA) to ensure the uniqueness of an internet
> domain, there's no such authority for an "app://<opaque_string>" origin. If
> we cannot ensure global uniqueness, in theory it's not reliable to implement
> access control logic based on the "app://" origin on the server side.
>
> <bryan> The UA (in this case the web runtime of the device) should ensure
> that the app origin is trusted, either as confirmed by the user or through a
> digital signature applied to the app package. I agree that if the app
> origin is not trusted, then the UA should not allow it to make cross-origin
> requests.
>
> Second is that, unlike hosted apps, which can at least make XHR calls to
> the same origin, every XHR call in a packaged app is cross-origin (i.e., no
> same-origin XHR at all). This means that if we allow CORS as is for
> packaged apps, there'll be no way to do any XHR call from a packaged app.
>
> <bryan> I don't understand your point. XHR2 supports CORS, and is the
> de facto standard now. So cross-origin XHR works fine.
You are right that we have XHR2 for CORS. That was my mistake, writing too fast. What I wanted to say was that, if we rely solely on the CORS mechanism for XHR in packaged apps, then in the short term it will be very difficult for us to use XHR in packaged apps at all (since same-origin XHR is not available to packaged apps, the majority of servers are not CORS-enabled, and even CORS-enabled servers may not recognize an app:// origin), while hosted apps can at least make XHR calls to their same-origin server.
Received on Thursday, 28 March 2013 16:44:37 UTC
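The asymmetry Ming Jin describes above, modelled as an added example that is not code from this thread or from any SysApps runtime implementation: a hosted app at an https:// origin reaches its own server without any CORS check, while a packaged app at an app:// origin is cross-origin to every network server and succeeds only if that server sends back CORS headers that name (or wildcard) its origin. The app:// origin string, the example.com origins and the four server policies are all constructed for illustration.

```javascript
// Added example, not code from the mailing-list thread or from a W3C spec.
// A minimal model of the CORS decision on a cross-origin XHR, run against
// constructed server policies. Every origin and policy name below is
// hypothetical.

const APP_ORIGIN = "app://3f9a1c2e-hypothetical-package-id"; // hypothetical packaged-app origin
const HOSTED_ORIGIN = "https://example.com";                  // hypothetical hosted-app origin

// Server side: which CORS response headers a server sends back for a given
// request Origin. Three constructed policy kinds stand in for the kinds of
// server discussed in the thread.
function corsHeadersFor(serverPolicy, requestOrigin) {
  switch (serverPolicy.kind) {
    case "no-cors":
      // Legacy server: no CORS headers at all (the common case at the time).
      return {};
    case "allowlist":
      // CORS-enabled, but only reflects origins it has been configured to know.
      if (serverPolicy.origins.includes(requestOrigin)) {
        return {
          "Access-Control-Allow-Origin": requestOrigin,
          "Access-Control-Allow-Credentials": "true",
          "Vary": "Origin",
        };
      }
      return {};
    case "wildcard":
      // Public, uncredentialed resource.
      return { "Access-Control-Allow-Origin": "*" };
    default:
      throw new Error(`unknown policy kind: ${serverPolicy.kind}`);
  }
}

// Client side: the check the web runtime applies before exposing the response
// to the app's XHR. ACAO must equal the request origin, or be "*" for a request
// sent without credentials; a credentialed request additionally needs
// Access-Control-Allow-Credentials: true and never accepts the wildcard.
function corsAllows(requestOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === requestOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === requestOrigin;
}

// Whether an XHR from requestOrigin to a resource on serverOrigin succeeds.
// Same-origin requests bypass CORS entirely; an app:// origin can never be
// same-origin with an https:// server, so it always takes the CORS path.
function xhrSucceeds(requestOrigin, serverOrigin, serverPolicy, withCredentials = false) {
  if (requestOrigin === serverOrigin) return true;
  const headers = corsHeadersFor(serverPolicy, requestOrigin);
  return corsAllows(requestOrigin, headers, withCredentials);
}

// Side-by-side outcome for a hosted app and a packaged app hitting the same server.
function compareClients(serverOrigin, serverPolicy, withCredentials = false) {
  return {
    hosted: xhrSucceeds(HOSTED_ORIGIN, serverOrigin, serverPolicy, withCredentials),
    packaged: xhrSucceeds(APP_ORIGIN, serverOrigin, serverPolicy, withCredentials),
  };
}

// Constructed server policies for https://example.com.
const SERVERS = {
  legacy:   { kind: "no-cors" },
  dnsOnly:  { kind: "allowlist", origins: ["https://example.com", "https://www.example.com"] },
  appAware: { kind: "allowlist", origins: ["https://example.com", APP_ORIGIN] },
  open:     { kind: "wildcard" },
};

for (const [name, policy] of Object.entries(SERVERS)) {
  console.log(name, compareClients("https://example.com", policy));
}
```

Running it prints that the hosted app succeeds against all four servers, while the packaged app fails against the legacy server and against the CORS-enabled server that only knows DNS origins, and succeeds only where the server either lists its app:// origin explicitly or is fully public. The credentialed case is also modelled: a wildcard server still rejects a `withCredentials` request from the packaged app, so an allowlist entry for the exact app:// origin is the only route for authenticated calls, which is the server-side "knowing the origin" that the message above says most servers cannot yet do.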