Same origin policy and CORS : how to handle it with "W3C" webapps

fabbox · June 7, 2016, 8:23pm

Hi everyone,

I’m starting to check migration of previous FxOS packaged apps to the new webapps definition and I’m facing an issue with the “same origin policy”.
Let’s say that I want to migrate an RSS reader apps. In FxOS, it was a packaged apps because it need to be review which allowing us to use the “systemXHR” in the manifest and thus fetching all rss feeds directly from rss content providers (lot of website which I don’t own) to the phone. With the “new” webapps, I’ve found no other way than proxying all rss feed by the webapp hosting server (or hosting a tinytinyrss like server).
The most useful documents related to this issue that I’ve found are:
https://www.w3.org/TR/appmanifest/
https://html.spec.whatwg.org/#same-origin

My idea will be to be able to provide apps that just sync their codes with the webapp hosting server but not force him to take all the traffic. Did someone know if it is possible without being a system app in B2G and could told me what I’ve missed here ?

Thanks in advance.

fabrice · June 7, 2016, 8:51pm

You are right that in a standard web app you can’t get cross-origin access like with systemXHR. Either the remote server needs to support CORS (and really they should set that up for RSS/Atom endpoints) or you’ll have to proxy the traffic (and cache it).

mkohler · June 8, 2016, 2:04am

To be honest, I don’t think that there is another way than getting people to set CORS headers on that content. In the end this is exactly what cross origin policies were set for. If RSS/Atom doesn’t deserve ‘*’, then what else would?

The question here would be, how could we get people to set it since it’s not enabled by default? (which is good in general, but not for RSS or atom).

Would it make sense to ignore CORS on those mime types by default since they’re thought to be shared anyway?

fabbox · June 8, 2016, 9:12pm

Thanks for your response. I’ve check few forum about the common question of “what is the mime type of rss/atom feed” and, even if the “good” answer seems to be “text/rss+xml”, it appears that a large number of rss feed provide only “text/xml” (e.g. https://stackoverflow.com/questions/595616/what-is-the-correct-mime-type-to-use-for-an-rss-feed#595622).
Reading a little bit about CORS, it seems that it was defined especially for “xml content” (that’s what I understood after having quickly read the wikipedia page about CORS history https://en.wikipedia.org/wiki/Cross-origin_resource_sharing and this page https://www.w3.org/TR/2006/WD-access-control-20060517/).
Thus making an “exception” for rss mime type may not be as easy/direct as I thought when I read your answer. I need to find how firefox (the desktop browser) do to “snif” feeds on a page (those in the bookmarks menu).

I’m a little bit disappointed to not find more info on that. I know that “rss” is probably old school now but getting feeds without the need of an other account with an other password requiring a server for proxying/caching feed. Well, I will try to construct proper CORS request to check again if “modern” website running popular CMS have the correct header response.

Once again thanks for your answer.

sizvix · June 9, 2016, 9:52am

¿? So, we can’t make an app that get informations on pages if those pages don’t enabled CORS “*” ? :-/
How to make a custom web browser app ?
Or an app which is a mozaic of many actualized parts of pages ? if I want to take parts of some sites that don’t enabled it …
( it’s anoying to use a personal server to add it :-/ … )