I'm currently working on a Cordova app written with AngularJS.
When I run the built APK on the android tablet or the iPad, the requests are sent with the "Origin" header set to "file://". This makes the server to reject the request for CORS reasons.
I've seen that the origin should be set to "null", not "file://" when Cordova sends the requests.
I'm actually using cordova-plugin-whitelist.
The communication between the app and the server is using SOAP protocol, and i'm using an external module in the frontend that sends the requests with XmlHttpRequest.
I don't wan't, for security reasons, to allow "file://" origin on server side. Is there any way to remove the origin from the requests ? I tried to manually set the Origin header of the XmlHttpRequest, but of course, it creates an error "Refused to set unsafe header "Origin"".
How could I make this work without impacting the security ?
Does something like a Cordova plugin that removes the "Origin" header from all the AJAX exists ?
Thanks
Related
I am using a rest api which has allowed CORS for localhost. When i use the web version of ionic application i get the responses from the server as expected. But when it comes the android emulator
it gives me the following error, My Api only allows either from localhost or from my domain. how to overcome this issue?
**Msg: Failed to load https://myapi.com/GetAllUsersList: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost, *', but only one is allowed. Origin 'http://localhost' is therefore not allowed access.**
Replying to my own question!!
we can change the url capacitor uses, which will change the origin. we can edit the capasitor.config.json with following properties
"server": {
"hostname": "mydomain.com", //in my case this is localhost
"androidScheme": "https"
}
Please use HTTTP plugin for your app check below link
https://ionicframework.com/docs/native/http
When I make web applications, I usually have to add these headers to Express to allow CORS requests.
app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
next();
});
But with React Native mobile apps, I don't have to do that. Why is that so?
The point of CORS is to prevent web pages loaded at one domain making AJAX requests or HTTP requests that modify data to other domains. The way it works is web browsers are built to send pre-flight HTTP OPTIONs requests before any such cross-site requests, & the server will send back a message with the Access-Control-* headers designating its CORS policy, & the browser will proceed or abort the request based on what it's told it can do. Since a native app is not a web page loaded from any domain at all, CORS restrictions are not needed or applied, the app's HTTP functions never send an OPTIONS pre-flight, & the server serves the request without CORS ever entering into it. The same is true if you were to try these requests in Postman. Note, however, that if you were to use a hybrid mobile app (Cordova/Ionic/Phonegap, etc.), you would have to deal with CORS, since these apps run in the device's WebView, which is a type of browser & will send pre-flight OPTIONS requests.
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
We have a mobile app that calls endpoints on host https://www.currentdomain.com. we are migrating to https://www.newdomain.com in a month
The network team is planning to setup a dns redirect from currentdomain to newdomain.
What is the best possible way to handle this change in the app with minimal change and work? What will happen if the app calls the endpoint on currentdomain after setting up the dns redirect?
You can support redirection in your APIs.I am not sure how much is it possible at your end but if yes, then no changes will be required at app side.
Otherwise http redirection can be handled easily by apps, like in iOS 1 method needs to be added & can redirect request to the desired url.
https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/URLLoadingSystem/Articles/RequestChanges.html
Redirect handler in android
https://developer.android.com/reference/org/apache/http/client/RedirectHandler.html
I'm using sencha touch with cordova to create mobile app for android. In mobile browser its working fine. when i create android apk, first ajax request getting proper response with request header showing "Causion : Provisional headers are shown". but second ajax request didn't getting any reponse. showing empty response.
i searched last full week but still i didn't get any correct answer. From my search i got few points, these thinks only affect ajax request with server.
1) add "Access-Control-Allow-Origin : *" in headers or htaccess.
colud you any one tell what is the core point. any thing i missed ?
This issue regarding about chrome debugging ?
Application frameworks issue like Zend framework / Sencha Touch / Cordova app for android ?
need to add headers in ajax request or need to change ajax request to jonp ?
need to add headers in php server or .htaccess file ?
I have a local HTML file (e.g. file:///xxx.html) containing AJAX code to read and process contents of pages on remote hosts (that are not my own). On desktop, I do this by running a local web server that returns remote data (I use Nginx with proxy_pass on specific url patterns). For example, if I want to get data from http://example.com/, I use JQuery's ajax with http://localhost:9000/http://example.com/ as the URL.
How can I do this on (non-rooted) Android? Is there an Android web server that supports proxy_pass on specific url patterns? Or is there an Android app/browser that allows cross-domain AJAX requests from local HTML files? Or any other solutions?
By default from Any Android Browser starting from Android 2.1, it supports CORS (Cross-Origin Resource Sharing) feature. Check: http://caniuse.com/cors
In addition, The REST service also need to configure to allow cors from Server Side as well. For enabling at Server side set an attribute in Response:
Access-Control-Allow-Origin: *
For more refer: http://enable-cors.org/server.html