I've just started using Apache Cordova. I have a library that makes calls (via ajax) to a soap server.
When I run these on my local machine in Chrome, I get cross site scripting errors when trying to make calls to the service.
When I run the same exact code using the Cordova browser in the iOS emulator, the scripts seem to hit the server fine and the response data is received properly.
So my question is how is the Cordova browser able to make these requests without cross-site scripting permissions & JSONP? One thing I noticed is that when the request is sent from iOS, there is no "Origin" header. Is this allowing the Cordova browser to stealthily circumvent cross-site scripting requirements? Is it possible that the node.js server on the device (I believe this is how Cordova works) is manipulating the headers to allow this?
I'd like to avoid enabling cross-site scripting on my site so I think this "feature" is nice, but I'm wondering if it's a security hole as well.
Anyone have experience with this?
asked Oct 24, 2013 at 21:50 by DEX, edited Nov 1, 2013 at 19:09
1 Answer
By default, Phonegap allows cross domain requests. You can restrict this using domain whitelisting if you're worried about security. If you're using jQuery, set $.support.cors = true; to allow cross domain requests.
This page has a breakdown of cross site scripting security in Phonegap.
By the way, there's a neat trick you can use with Google Chrome to allow cross site scripting and therefore test your Phonegap app in the Ripple emulator, for example: set the command line parameter --disable-web-security in the shortcut to Chrome, e.g.
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
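The server side of what the question observed, as an added example that is not part of the original question or answer: a request handler that keeps CORS headers (a browser-side read permission) separate from access control, so a client that sends no Origin header is still checked. The allowed origin, the x-api-token header and the function names are hypothetical, chosen for illustration.

```javascript
// Added example, not from the original post. ALLOWED_ORIGINS, the
// x-api-token header and handle() are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Decide the reply to one request. `req` is { method, headers } with
// lower-cased header names, the shape Node's http module provides.
function handle(req, isValidToken) {
  const origin = req.headers["origin"]; // undefined when the client sent none
  const headers = { Vary: "Origin" };

  // CORS: only tells a browser whether page script may read the reply.
  const listed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (listed) headers["Access-Control-Allow-Origin"] = origin;

  if (req.method === "OPTIONS") { // preflight carries no credentials
    if (listed) {
      headers["Access-Control-Allow-Methods"] = "POST";
      headers["Access-Control-Allow-Headers"] = "content-type, soapaction, x-api-token";
    }
    return { status: 204, headers, body: "" };
  }

  // Access control: independent of Origin, so it also covers clients
  // that send no Origin header at all.
  if (!isValidToken(req.headers["x-api-token"])) {
    return { status: 401, headers, body: "" };
  }
  return { status: 200, headers, body: "<soap:Envelope/>" };
}

// Constructed sample requests; the token check is a stand-in for real
// credential verification.
const validToken = (t) => t === "constructed-demo-token";
function demo() {
  const tok = { "x-api-token": "constructed-demo-token" };
  const post = (h) => handle({ method: "POST", headers: h }, validToken);
  return {
    listedBrowser: post({ origin: "https://app.example.com", ...tok }),
    otherBrowser: post({ origin: "https://other.example", ...tok }),
    noOriginAuthed: post({ ...tok }),
    noOriginAnon: post({}),
  };
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name, r.status, r.headers["Access-Control-Allow-Origin"] || "(no ACAO)");
}
```

A reply without Access-Control-Allow-Origin is still generated and sent; only a browser declines to hand it to page script, so the 401 path is what protects the endpoint from clients that omit or ignore Origin.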