Re: [Crosswalk-dev] Intent to implement - Support "xwalk_hosts" field in manifest.json to allow Cross-Origin Access for Android.

Mon, 07 Apr 2014 19:13:24 -0700 

Chun,
Thanks for implementing this. Lgtm. It’s a good solution compared to adding a 
flag for ‘allow-universal-access-from-file-urls’.

Yongsheng

From: Kenneth Rohde Christiansen [mailto:kenneth.christian...@gmail.com]
Sent: Thursday, April 03, 2014 11:48 PM
To: Gao, Chun
Cc: Kostiainen, Anssi; crosswalk-dev@lists.crosswalk-project.org; Zhu, Yongsheng
Subject: Re: Intent to implement - Support "xwalk_hosts" field in manifest.json 
to allow Cross-Origin Access for Android.

LGTM

On Thu, Apr 3, 2014 at 5:06 PM, Gao, Chun 
<chun....@intel.com<mailto:chun....@intel.com>> wrote:

Summary:

The Cross-Origin XHR is required by customers. The customer want his app to get 
data from 3rd party server. He want Cross-Origin XHR can work like Chrome Apps.

But on Crosswalk, the XHR request will be cancelled once the HTTP response 
header from server don't has a Access-Control-Allow-Origin filed, or the value 
of Access-Control-Allow-Origin doesn't match the current domain.



According to W3C spec http://www.w3.org/TR/CSP11/ & http://www.w3.org/TR/cors/ 
, there are 2-stage permission checks during XHR:

1. CSP check.

2. Access-Control-Allow-Origin check.



To allow Cross-Origin XHR, Access-Control-Allow-Origin check should be skipped 
for URLs in the "xwalk_hosts" field of manifest.json, which is a 
Crosswalk-specific extension of Manifest spec.



Spec:

- Use "xwalk_hosts" rather than “permissions” as the name of the Manifest 
member to align with Chrome Apps' Manifest v3 
https://docs.google.com/document/d/1dgkxhdKvGQD2DeJ_3NLLBAb6OZ0F_u9F6J4qL2UGX7M/
 .

- Obey the Manifest spec extension conventions 
http://manifest.sysapps.org/#proprietary-extensions .



Affected component:

N/A



Related feature in Jira:

https://crosswalk-project.org/jira/browse/XWALK-1353



Target Release:

Crosswalk-5



Target Platform:

Android



Implementation details:

1.       Parse manifest and get the URL match pattern list.

2.       Send the list to renderer with IPC, and set it to WebKit 
WebSecurityPolicy.



Remarks:

Discussions about this can be found at the last several comments of 
https://github.com/crosswalk-project/crosswalk/pull/1739/files#r11199760



Best Regards,

Gao Chun




--
Kenneth Rohde Christiansen
Web Platform Architect, Intel Corporation.
Phone  +45 4294 9458 ﹆﹆﹆

_______________________________________________
Crosswalk-dev mailing list
Crosswalk-dev@lists.crosswalk-project.org
https://lists.crosswalk-project.org/mailman/listinfo/crosswalk-dev

Reply via email to