CORS error for application running from file:// scheme
There are two ways for CORS headers to signal that a cross-domain XHR should be allowed:
- sending
Access-Control-Allow-Origin: *
(allow all hosts) - put the host you would like to allow into the
Origin
header by your backend
As for the file://
URLs they will produce a null Origin
which can't be authorized via the second option (echo-back).
As mentioned:
Cross-domain policy does not apply to PhoneGap (for a variety of reasons, basically because your app is essentially running off the file:// URI on-device).
Please be aware that you will have to set up a whitelist for your apps to access these external domains.
As for the Chrome problem, which can be seen in the developer's console:
Failed to load resource: net::ERR_FILE_NOT_FOUND file:///C:/2.html
XMLHttpRequest cannot load file:///C:/2.html. Received an invalid response. Origin 'null' is therefore not allowed access.
there was a discussion on Chromium project's issue tracker, #40787. They mark the issues as won't fix as that behaviour is happening by design.
There is a workaround proposed to simply switch off CORS in Chrome for development purposes, starting chrome with --allow-file-access-from-files --disable-web-security
e.g. for Windows
`C:\Users\YOUR_USER\AppData\Local\Google\Chrome\Application\chrome.exe --allow-file-access-from-files --disable-web-security`
Here is some more cordova related answer:
- CORS and phonegap apps
- Domain whitelisting in Apache Cordova - a security model that controls access to outside domains.
Check these resources for more info on CORS:
- Cross-Origin resource sharing and file://
- A nice CORS tutorial: http://www.html5rocks.com/en/tutorials/cors/
- Working around origin policy
- HTTP access control (CORS) (Mozilla)
Check also Browser support for CORS:
And for the record formal CORS specification on W3C :)