fmayrand (1)
#1
Hi Monsur,

I just bought your book hoping to find some insight on how to get around some CORS limitations for IE 10.

Here is my situation. I am developing a hybrid mobile app: AngularJS web app running in a Windows web browser control (IE 10) and in an Android WebView.

The Android WebView has no problems running the Angular web app but IE is giving me CORS errors. To work around this I have to package a web server in the Windows app while the Android app is perfectly happy working with local file access (file:///).

I know CEF (Chromium) supports the "allow-file-access-from-files" flag to override the browser security but using CEF is not an option for me at this point.

I would like to see some information in the book regarding CORS and how it relates to mobile web apps. I would like to understand the security implications and the best way to use local files. I find it sub-optimal to be forced to package a web server to serve local files (slower load time, maintenance burden: one more part that can break and has already caused problems...).

Regards,
François
monsur.hossain (22)
#2
Re: Mobile web app
Hi François. Chapter 7 covers various techniques for debugging CORS requests. It will be available on MEAP soon. That chapter might be able to help with your issue.

While I don't have details on your specific setup, I will say that debugging CORS requests comes down to isolating the request and the response headers, and seeing where there is a mismatch. Can you use a tool like Fiddler or Charles to capture the HTTP headers, or can you use test-cors.org to view the HTTP headers?

I would also recommend asking on Stack Overflow (tagging the post with "cors"). You may have better luck there.

Thanks!
Monsur
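
One way to carry out the header comparison described in the reply above, shown as an added example that is not part of the original thread or the book. The function name `findCorsMismatches`, the origin `https://app.example` and the header `X-App-Token` are hypothetical, and the checks are a simplified model of what a browser does.

```javascript
// Added example: report where a captured request/response pair fails the CORS checks.
// Simplified model of the browser's logic; names and header values are constructed.
const lower = h => Object.fromEntries(
  Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
function findCorsMismatches(request, response) {
  const req = lower(request.headers), res = lower(response.headers);
  const origin = req['origin']; // a page loaded from file:// sends the literal "null"
  const allowOrigin = res['access-control-allow-origin'];
  const credentialed = Boolean(request.withCredentials);
  const problems = [];
  if (origin === undefined) return ['no Origin header: not a CORS request'];
  if (allowOrigin === undefined) {
    problems.push('response has no Access-Control-Allow-Origin');
  } else if (allowOrigin === '*') {
    if (credentialed) problems.push('wildcard origin is rejected for credentialed requests');
  } else if (allowOrigin !== origin) {
    problems.push(`Access-Control-Allow-Origin "${allowOrigin}" != Origin "${origin}"`);
  }
  if (credentialed && res['access-control-allow-credentials'] !== 'true') {
    problems.push('credentialed request needs Access-Control-Allow-Credentials: true');
  }

  // Preflight: an OPTIONS request carrying Access-Control-Request-Method.
  const wanted = req['access-control-request-method'];
  if (request.method === 'OPTIONS' && wanted) {
    const star = v => !credentialed && v.includes('*'); // "*" only counts without credentials
    const methods = list(res['access-control-allow-methods']);
    const safelisted = ['get', 'head', 'post'].includes(wanted.toLowerCase());
    if (!safelisted && !methods.includes(wanted.toLowerCase()) && !star(methods)) {
      problems.push(`method ${wanted} is not in Access-Control-Allow-Methods`);
    }
    const allowed = list(res['access-control-allow-headers']);
    for (const h of list(req['access-control-request-headers'])) {
      if (!allowed.includes(h) && !star(allowed)) {
        problems.push(`header ${h} is not in Access-Control-Allow-Headers`);
      }
    }
  }
  return problems;
}

// Constructed capture: preflight from a file:// page, answered for a different origin.
const sample = findCorsMismatches(
  { method: 'OPTIONS', headers: { Origin: 'null', 'Access-Control-Request-Method': 'PUT',
      'Access-Control-Request-Headers': 'Content-Type, X-App-Token' } },
  { headers: { 'Access-Control-Allow-Origin': 'https://app.example',
      'Access-Control-Allow-Methods': 'GET, PUT', 'Access-Control-Allow-Headers': 'content-type' } });
console.log(sample.join('\n'));
```

Feed it the request and response headers copied from a capture tool such as Fiddler or Charles; an empty array means this simplified model found no mismatch.
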
353426 (1)
#3
Hi Monsur,

I found your answer about CORS for hybrid apps using the file:// protocol at this link: http://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols#comment-33591614. Setting it to null will cater for the hybrid app situation.

However, I was wondering, won't that be equal to
Access-Control-Allow-Origin:*
if any other hybrid app developer knows my endpoint URI and issues CORS requests from his hybrid app? I think that breaks the benefit of Access-Control-Allow-Origin.

I still want to restrict access control to requests from my hybrid app ONLY, instead of requests from other hybrid apps.

How can I resolve this kind of CORS situation elegantly? I've been googling around and getting nowhere. Please help me out.