Bear with me, this one needs a bit of explanation.
I am helping to build a hybrid mobile web app. The main codebase is HTML5 and JavaScript, which will be wrapped in
My suggestion is to set ACCESS-CONTROL-ALLOW-ORIGIN to null on the server side.
Yes, this question has bothered me for a little bit.
Regarding the CORS spec, null can cater for the situation where a CORS request comes from a file:// scheme.
And a practical recommendation in that spec is to set it as origin-list-or-null, which is either a list of space-separated origins or simply "null" (by the way, the string %x6E %x75 %x6C %x6C from the definition of origin-list-or-null is literally null, hex-encoded).
Finally, you will ask: won't that be equivalent to * if we set ACCESS-CONTROL-ALLOW-ORIGIN to null, since every request from the file:// scheme is valid (which means every hybrid app can access your endpoint if it knows your URI)?
Well, given Access-Control-Allow-Credentials: true, I believe you've got a whole auth mechanism working on the server. It should have filtered out those requests without the correct auth.
Hope it will help.
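As an added example (not code from the original question or answer), here is how a server could apply the origin-list-or-null rule the answer refers to: it matches the request's Origin header, including the literal null that file:// pages send, against an explicit allowlist and echoes only the matching value next to Access-Control-Allow-Credentials. The allowlist entries and the Node-style lowercase header map are assumptions made for the example.

```javascript
// Added example, not code from the original question or answer.
// Server-side CORS decision for a hybrid app whose WebView loads pages
// from file://: those pages send the literal header "Origin: null", so
// the allowlist below carries the string "null" next to ordinary origins.
// The origins and the Node-style lowercase header map are constructed
// assumptions for this example.

const ALLOWED_ORIGINS = new Set([
  "null",                     // file:// pages inside the hybrid app
  "https://app.example.com",  // constructed example of a regular origin
]);

// Build the CORS response headers for one request.
// req = { method, headers } with lowercase header names (Node convention).
// Returns {} when the Origin is absent or not on the list; the browser
// then refuses to expose the response to the calling page.
function corsHeaders(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  if (origin === undefined || !allowed.has(origin)) return {};

  const headers = {
    // Echo the one matching value. "*" is never emitted here because
    // browsers reject Access-Control-Allow-Credentials: true paired with "*".
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Tell shared caches the answer depends on Origin, so one client's
    // headers are not replayed to a client with a different Origin.
    "Vary": "Origin",
  };

  // Preflight: the browser asks before sending a non-simple request.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] =
      req.headers["access-control-request-headers"] || "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```

A request with no Origin header gets no CORS headers at all, so same-origin and non-browser clients are unaffected by the allowlist.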