Summary:

Cross-Origin XHR is required by customers. The customer wants his app to get 
data from a 3rd party server. He wants Cross-Origin XHR to work as it does in Chrome Apps.

But on Crosswalk, the XHR request will be cancelled once the HTTP response 
header from the server doesn't have an Access-Control-Allow-Origin field, or the value 
of Access-Control-Allow-Origin doesn't match the current domain.



According to the W3C specs http://www.w3.org/TR/CSP11/ and http://www.w3.org/TR/cors/, 
there is a 2-stage permission check during XHR:

1. CSP check.

2. Access-Control-Allow-Origin check.



To allow Cross-Origin XHR, the Access-Control-Allow-Origin check should be skipped 
for URLs in the "xwalk_hosts" field of manifest.json, which is a 
Crosswalk-specific extension of the Manifest spec.



Spec:

- Use "xwalk_hosts" rather than "permissions" as the name of the Manifest 
member to align with Chrome Apps' Manifest v3: 
https://docs.google.com/document/d/1dgkxhdKvGQD2DeJ_3NLLBAb6OZ0F_u9F6J4qL2UGX7M/

- Obey the Manifest spec extension conventions: 
http://manifest.sysapps.org/#proprietary-extensions



Affected component:

N/A



Related feature in Jira:

https://crosswalk-project.org/jira/browse/XWALK-1353 
<https://crosswalk-project.org/jira/browse/XWALK-692>



Target Release:

Crosswalk-5



Target Platform:

Android



Implementation details:

1. Parse the manifest and get the URL match pattern list.

2. Send the list to the renderer with IPC, and set it to WebKit 
WebSecurityPolicy.



Remarks:

Discussions about this can be found in the last several comments of 
https://github.com/crosswalk-project/crosswalk/pull/1739/files#r11199760



Best Regards,

Gao Chun

_______________________________________________
Crosswalk-dev mailing list
Crosswalk-dev@lists.crosswalk-project.org
https://lists.crosswalk-project.org/mailman/listinfo/crosswalk-dev
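
An added example, not part of the original message and not Crosswalk's code: a sketch of the two implementation steps, parsing "xwalk_hosts" into a pattern list and deciding per request URL whether the Access-Control-Allow-Origin check would be skipped. The pattern syntax, the sample manifest and every function name are assumptions; the point for reviewers is that host wildcards need a dot boundary and that catch-all entries remove the check for every server.

```javascript
// Constructed sample manifest. The pattern syntax (<scheme>://<host>/<path>) is an
// assumption modelled on Chrome-style match patterns; the proposal does not define it.
const SAMPLE_MANIFEST = `{ "name": "demo", "xwalk_hosts": [
  "https://api.example.com/*", "https://*.cdn.example.net/*", "*://*/*", "example.org" ] }`;

// Split one pattern into scheme, host and path; null when malformed.
function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*:]+)(\/.*)$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2].toLowerCase(), path: m[3] } : null;
}

// Step 1: parse the manifest. Malformed entries are rejected, and entries that
// cover every host are reported so a reviewer can see how far the bypass reaches.
function loadHostPatterns(manifestText) {
  const hosts = JSON.parse(manifestText).xwalk_hosts;
  const result = { patterns: [], rejected: [], broad: [] };
  for (const entry of Array.isArray(hosts) ? hosts : []) {
    const p = typeof entry === "string" ? parsePattern(entry) : null;
    if (!p) { result.rejected.push(entry); continue; }
    result.patterns.push(p);
    if (p.host === "*") result.broad.push(entry);
  }
  return result;
}

function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (!patternHost.startsWith("*.")) return host === patternHost;
  const base = patternHost.slice(2);
  // Dot boundary: "*.cdn.example.net" must not match "evilcdn.example.net".
  return host === base || host.endsWith("." + base);
}

function pathMatches(patternPath, path) {
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + patternPath.split("*").map(esc).join(".*") + "$").test(path);
}

// Step 2 (renderer side): may the Access-Control-Allow-Origin check be skipped for this URL?
function skipsAcaoCheck(patterns, requestUrl) {
  let u;
  try { u = new URL(requestUrl); } catch { return false; }
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  return patterns.some((p) =>
    (p.scheme === "*" || p.scheme === scheme) &&
    hostMatches(p.host, u.hostname) && pathMatches(p.path, u.pathname + u.search));
}
```

Requests that fall outside the list keep the normal CORS behaviour described in the message; the `broad` list is what a manifest review would look at first.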
