- From: SULLIVAN, BRYAN L <bs3131@att.com>
- Date: Thu, 28 Mar 2013 17:25:21 +0000
- To: Ming Jin <ming.jin.web@gmail.com>
- CC: "public-sysapps@w3.org" <public-sysapps@w3.org>
- Message-ID: <59A39E87EA9F964A836299497B686C3510A4F435@WABOTH9MSGUSR8D.ITServices.sbc.com>
Second is that, unlike hosted apps which can at least make XHR calls to the same origin, every XHR call in a packaged app is cross-origin (i.e., no same-origin XHR at all). This means that if we allow CORS as is for packaged apps, there'll be no way to do any XHR call from a packaged app. <bryan> I don't understand your point. XHR2 supports CORS, and is the defacto standard now. So cross-origin XHR works fine. You are right that we have XHR2 for CORS. That was my mistake writing too fast. What I wanted to say was that, if we solely rely on CORS mechanism in packaged apps to do XHR, then in short-term period it'll be very difficult for us to use XHR in packaged apps (since same-origin XHR is not available for packaged apps, and majority servers are not CORS-enabled, and even CORS-enabled servers may not know app:// origin), while hosted apps can at least make XHR call to its same-origin server. <bryan> I understand there is a server-side component to CORS, and that it will take time for services to implement it (it's really very easy to do). Services that offer XHR-accessible APIs/resources (and that expect apps to retrieve those resources using XHR) should be the first to implement CORS. If needed, I would also recommend as a supplemental approach that something ala (or exactly) like WARP should be supported by the UA. The problem with relying solely on WARP is that except for signed/trusted apps, you will expect the user to be aware of and approve app access to those resources - something most users will just hit the "ok, whatever" button in response to.
Received on Thursday, 28 March 2013 17:26:15 UTC