Ahmed-Abdelftah commented on issue #1354:
URL: https://github.com/apache/cordova-android/issues/1354#issuecomment-1151307468

   > #### Some background knowledge...
   > `Content-Security-Policy` is a different security mechanism than CORS (Cross-Origin Resource Sharing).
   > 
   > In cordova-android@10, we implemented something called a WebAssetLoader, which proxies requests through the `https://localhost` protocol. The WebAssetLoader kind of acts like a private web server only accessible to your app. This was done because some web view features require you to be on a "secure context" (e.g. `https`) for the features to be enabled. In doing so, it does enable the CORS enforcement.
   > 
   > Cordova Android 9.x uses the plain old file system (`file://`), which didn't enforce CORS. This is why you see the XHR request work in 9.x, but not in 10.x. You can make 10.x behave like 9.x by enabling the `AndroidInsecureFileModeEnabled` preference:
   > 
   > `<preference name="AndroidInsecureFileModeEnabled" value="true" />`
   > 
   > #### But let's assume you don't want to use this workaround
   > [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) is a security mechanism for CORS-enabled browsers that is controlled by the backend server. So in this case, `https://google.com` must provide the required response headers for the browser to accept the request response. They do not provide the `Access-Control-Allow-Origin: https://localhost` or `Access-Control-Allow-Origin: *` response header, therefore the request is rejected by the browser / webview.
   > 
   > There is no API available in the webview to disable CORS. Assuming you don't have access to `https://google.com` to make the appropriate backend change, the only workaround at this point is to not use the browser's request mechanism (neither `fetch()` nor `XMLHttpRequest`) and instead find/build a Cordova plugin that does a native request, which is not bound by CORS.
   > 
   > Another approach is to configure a proxy server that is configured to use the CORS protocol, to which your app can make requests, which will be redirected to `https://google.com`; then you can relay the response back to the client. This approach will still allow you to use the browser's HTTP request APIs.
   > 
   > Now that we've got all that information out there... May I ask for more details on your use case?
   
   This may be the most detailed answer I have ever read, thank you!
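As an added illustration of the quoted explanation (example code, not from cordova-android or the commenter), the following models the decision the webview makes for a cross-origin response from a page at `https://localhost`, and the headers a relay proxy (the second workaround above) should send so that only the app origin, not every site, can read relayed responses. `APP_ORIGIN`, `corsAllowsRead` and `proxyCorsHeaders` are names chosen here; the `file://` branch reproduces the 9.x behaviour as the comment states it, and the credentialed-request rule for the `*` wildcard goes beyond what the comment covers.

```javascript
// Added example: a model of the CORS read check and of safe relay-proxy headers.
// Not code from the cordova-android project.

// Origin of app pages served by the cordova-android@10 WebAssetLoader.
const APP_ORIGIN = "https://localhost";

// Decide whether a fetch()/XMLHttpRequest caller at `pageOrigin` may read a
// cross-origin response, given the response's Access-Control-Allow-Origin
// value (undefined when the header is absent) and whether credentials were sent.
function corsAllowsRead(pageOrigin, allowOriginHeader, withCredentials = false) {
  if (pageOrigin.startsWith("file://")) {
    // Cordova Android 9.x pages load from file://, where (per the comment)
    // the webview did not enforce CORS, so the read succeeds regardless.
    return { allowed: true, reason: "file:// page, CORS not enforced" };
  }
  if (allowOriginHeader === undefined) {
    // The google.com case from the thread: no header, so the webview rejects.
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOriginHeader === "*") {
    // The wildcard is honoured only for requests sent without credentials.
    return withCredentials
      ? { allowed: false, reason: "wildcard not accepted with credentials" }
      : { allowed: true, reason: "wildcard origin" };
  }
  if (allowOriginHeader === pageOrigin) {
    return { allowed: true, reason: "origin matches exactly" };
  }
  return { allowed: false, reason: `${allowOriginHeader} does not match ${pageOrigin}` };
}

// Headers a relay proxy should attach to a relayed response. Only origins on
// the allow-list get a grant; echoing an arbitrary Origin would turn the proxy
// into an open relay that any web page could read through.
function proxyCorsHeaders(requestOrigin, allowedOrigins = [APP_ORIGIN]) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return {}; // unknown caller: no CORS grant, the webview will reject the read
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    Vary: "Origin", // caches must key on Origin because the value varies per caller
  };
}
```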


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
