HTML5 apps created using a third party backend run into same-origin restrictions. Browsers have historically implemented these restrictions to increase security by disallowing connections to potentially malicious external websites. In the backend-as-a-service model, the app and the backend are hosted on two different domains. Even though the domains trust each other, the browser’s same-origin policy implementation is still triggered.
One way developers get around the problem is by creating a simple proxy on the app hosting domain, which forwards requests to the backend domain. This is not a great solution as the app hosting then has to worry about a different request volume and pattern that may not be their specialty. It also makes debugging a production issues much harder. A better approach is to use JSONP, however, this makes the application code more clunky and confusing.
Luckily, WebKit-based browsers like Mobile Safari and the Android browser have support for W3C’s Cross-Origin Resource Sharing specification, making it possible for the app to cleanly make requests against third party domains without any additional logic necessary in the client app. What is important in this case, however, is for the backend server to properly handle CORS request headers and send the right responses.
Over the winter holidays we at Kinvey added CORS support to our API. Here are the main points to keep in mind.
read more ...