CORS for file-based web apps from William Edney on 2009-04-05 (public-webapps@w3.org from April to June 2009)

From: William Edney <bedney@technicalpursuit.com>
Date: Sun, 5 Apr 2009 14:36:14 -0500
To: public-webapps@w3.org
Message-Id: <6EEE2785-571E-4956-9C51-952D8F896F43@technicalpursuit.com>

Folks -

First, my apologies if this topic has been discussed before. If so,  
just point me to the relevant part of the spec or discussion and I'll  
go away :-). I also apologize if this is the wrong group for this  
question. If so, point me to the correct one. I haven't been able to  
find any information on my question in either the spec or in multiple  
web searches.

In our customer base, we're increasingly seeing the following  
scenario. By way of introduction, I need to impart that these folks  
are looking to use a web browser, with its attendant well-known  
technologies, as a replacement for writing apps in tools such as VB or  
Delphi. In other words, to them, a web app might or might not have  
anything to do with loading the app from an HTTP server - to them a  
'web app' is one authored with the technologies a browser innately  
understands - JS, CSS, HTML, XML.

So, the scenario is a user who has a full copy of their app as a set  
of pages / JavaScript on their hard drive. They launch their app by  
double-clicking on an 'index.html' from the file system and the app  
runs. The app has now been loaded from a 'file://' URL.

The user would then like to access data from an http:// URL. This is  
currently possible from both Mozilla/Firefox and IE, via proprietary  
mechanisms that allow 'cross-domain' access (i.e. in this case from a  
'file://' "domain" to an 'http://' domain). It is understood and  
accepted by the user base that they may see a security prompt in this  
scenario.

So, the question is how CORS might work in such a scenario. For the  
Webkit/Safari/Chrome class of browsers, there is currently no  
equivalent proprietary 'cross-domain' functionality, thus hampering  
our ability to deploy to these browsers.

I've tried a few of the CORS examples out there, and they all fail in  
this scenario (load the page containing the JS code from the 'file://'  
system and try to access the test server).

Any thoughts or assistance here would be greatly appreciated!

Cheers,

- Bill

Received on Sunday, 5 April 2009 19:36:57 UTC