We were trying to create a mobile HTML5 web app. We call a service hosted in domain xyz.com using JavaScript and we run into the same-domain origin policy issue. We have to use CORS to make the cross-domain requests. But if I make the same request using a native iOS app, it works fine even without the access-control headers that are needed for CORS. This may seem like a noob question, but why does the same-origin policy only apply when making calls using JavaScript for web apps and not for native apps?
It's completely arbitrary to be honest, but there is some thought behind the policy. In JavaScript land you are much less in direct control of what's being executed and from where... take a look at this page alone and you'll see several different server sources... and so the same-origin policy was implemented in order to minimise the risk of running arbitrary, untrusted code from third parties within your browser.
In native land you have more control and must actively choose to instantiate a JS context and run whatever you've received... so it seems reasonable to suspend the same-origin requirement in that case.
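Added example, not part of the original question or answer: a small model of the check a browser runs before page script may read a cross-origin response, next to a native client that has no such step. The page origin `https://app.example`, the path `/service`, the sample responses and all function names are assumptions made for illustration.

```javascript
// Models the browser-side CORS check for a simple request (logic follows the
// Fetch standard). A native HTTP client has no equivalent step.

// Case-insensitive header lookup on a plain object (helper for this example).
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Returns true when script running on pageOrigin may read the response.
function browserAllowsRead(pageOrigin, requestUrl, responseHeaders, withCredentials = false) {
  if (new URL(requestUrl).origin === pageOrigin) return true;  // same origin: no CORS involved
  const allowOrigin = header(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return false;                       // server did not opt in
  if (!withCredentials && allowOrigin === '*') return true;     // wildcard, anonymous only
  if (allowOrigin !== pageOrigin) return false;                 // must match exactly
  if (!withCredentials) return true;
  return header(responseHeaders, 'Access-Control-Allow-Credentials') === 'true';
}

// What each kind of client hands back to the calling code for the same response.
function deliver(client, pageOrigin, requestUrl, response) {
  if (client === 'native') return response.body;  // the app's own HTTP stack has no page origin
  return browserAllowsRead(pageOrigin, requestUrl, response.headers) ? response.body : null;
}

// Constructed sample data: the same service response without and with a CORS header.
const API = 'https://xyz.com/service';
const plain = { headers: { 'Content-Type': 'application/json' }, body: '{"ok":true}' };
const withCors = {
  headers: { 'access-control-allow-origin': 'https://app.example' },
  body: '{"ok":true}',
};

console.log('native, no CORS header  :', deliver('native', null, API, plain));
console.log('browser, no CORS header :', deliver('browser', 'https://app.example', API, plain));
console.log('browser, CORS header    :', deliver('browser', 'https://app.example', API, withCors));
```

For a simple request the server still receives and processes the call even when the browser withholds the response from script. CORS headers are therefore not access control for the service itself, which has to authenticate and authorize every caller on its own.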