incubator-callback-dev mailing list archives

From "Jochen Magnus (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CB-1406) HTTP-Get via XHR in Web Workers always return status 0 under iOS 6 (Beta 4)
Date Sat, 29 Sep 2012 12:14:07 GMT

    [ https://issues.apache.org/jira/browse/CB-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13466193#comment-13466193 ]

Jochen Magnus edited comment on CB-1406 at 9/29/12 11:13 PM:
-------------------------------------------------------------

I made some further tests and found that the problem with XHR requests in webworkers in a
native app is caused by the Same Origin Policy (SOP). This only happens with iOS 6, not with
iOS 5.

With the remote debugger which is newly available in Safari 6 for iOS 6 apps the console shows:
"XMLHttpRequest cannot load http://live.rhein-zeitung.de/test.txt. Origin file:// is not allowed
by Access-Control-Allow-Origin."

I enhanced my test case so it could now load alternatively by XHR in the main application's
thread or by XHR via webworker. No problem occurs in the first case, but the SOP security
issue happens in the second case, because there is an "Origin" HTTP header field which contains
"file://" (in the first case, there seems to be no such header field).

A workaround is to allow Cross Domain Scripting in the web server's config (for Apache webserver
add "Header add Access-Control-Allow-Origin file://" to the config), but this may be a security
problem. I tested it, but I am unsure about the security issue when allowing 'file://' or
asterisk. So I would prefer a "real" solution.

      was (Author: ioma):
    I made some further tests and found that the problem with XHR requests in webworkers in
a native app is caused by the Same Origin Policy (SOP). This only happens with iOS 6, not with
iOS 5.

With the remote debugger which is newly available in Safari 6 for iOS 6 apps the console shows:
"XMLHttpRequest cannot load http://live.rhein-zeitung.de/test.txt. Origin file:// is not allowed
by Access-Control-Allow-Origin."

I enhanced my test case so it could now load alternatively by XHR in the main application's
thread or by XHR via webworker. No problem occurs in the first case, but the SOP security
issue happens in the second case, because there is an "Origin" HTTP header field which contains
"file://" (in the first case, there seems to be no such header field).

A workaround is to allow Cross Domain Scripting in the web server's config (for Apache webserver
add "Header add Access-Control-Allow-Origin *" to the config), but this may be a security
problem. I tested it, but I am unsure about the security issue when allowing '*' or 'file://'.
So I would prefer a "real" solution.

                  
> HTTP-Get via XHR in Web Workers always return status 0 under iOS 6 (Beta 4)
> ---------------------------------------------------------------------------
>
>                 Key: CB-1406
>                 URL: https://issues.apache.org/jira/browse/CB-1406
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: iOS
>    Affects Versions: 2.1.0
>         Environment: all iOS devices and simulators
>            Reporter: Jochen Magnus
>            Assignee: Michal Mocny
>              Labels: HTTP, WebWorker, XHR
>             Fix For: 2.2.0
>
>         Attachments: testworker.js, workertest2.tar.bz2, workertest.html, xhr_tests.png
>
>
> HTTPRequests in the Web Workers always end with http.readyState==4 (that's the ready
> state) but with http.status==0, which is an undefined status (normal is 200 for "o.k."). The
> file is requested from and fully delivered by the webserver.
> This happens under iOS 6 Beta 4 but not under iOS 5.x where the same app with the same
> Cordova version works well.
> The problem did not occur with XHR in the native program's main thread nor in non-native
> HTML5-apps (WebApps without the use of Cordova).
> An Xcode test project is available.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
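
Added example, not part of the original message or of the Cordova project: a small JavaScript model of the browser's read check for a simple, non-credentialed cross-origin GET, comparing the two header values mentioned in the comment with an explicit allowlist. The policy names, helper functions and sample origins are assumptions constructed for illustration.

```javascript
// Added example: models the browser's CORS read check for a simple,
// non-credentialed GET. All names and sample values here are hypothetical.

// Three server policies for the Access-Control-Allow-Origin (ACAO) header.
const policies = {
  // Equivalent of "Header add Access-Control-Allow-Origin *"
  wildcard: () => ({ 'Access-Control-Allow-Origin': '*' }),
  // Equivalent of "Header add Access-Control-Allow-Origin file://"
  fileScheme: () => ({ 'Access-Control-Allow-Origin': 'file://' }),
  // Echo the request Origin only if it is on an explicit allowlist.
  allowlist: (origin) => {
    const allowed = new Set(['https://app.example.org']); // constructed value
    const headers = { Vary: 'Origin' }; // caches must key on the Origin header
    if (allowed.has(origin)) headers['Access-Control-Allow-Origin'] = origin;
    return headers;
  },
};

// Browser side: may script running at `origin` read the response body?
function canRead(origin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false; // no ACAO header: read is blocked
  return acao === '*' || acao === origin;
}

// Which of the given origins get read access under the named policy.
function readersUnder(policyName, origins) {
  return origins.filter((o) => canRead(o, policies[policyName](o)));
}

// Constructed sample origins: the Origin value from the console message
// above, an unrelated website, and an allowlisted web front end.
const sampleOrigins = [
  'file://',
  'https://unrelated.example.com',
  'https://app.example.org',
];

for (const name of Object.keys(policies)) {
  console.log(name, '->', readersUnder(name, sampleOrigins));
}
```

Under the `file://` value, every document that sends `Origin: file://` passes the check, so the header does not single out one app; under `*`, every origin passes.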
