Same origin policy on mobile apps with HTML

The same-origin policy is a critical web security concept that restricts how a document or script from one origin can interact with resources from another origin. However, when developing mobile applications using HTML, CSS, and JavaScript through frameworks like PhoneGap (Apache Cordova), the same-origin policy behaves differently than in traditional web browsers.

Same-Origin Policy in Web Browsers vs Mobile Apps

In web browsers, the same-origin policy prevents scripts from accessing content from different domains, protocols, or ports. However, in mobile apps built with HTML/JavaScript frameworks, the application runs locally on the device using the file:// protocol rather than http:// or https://, which changes how cross-origin restrictions are handled.

How Mobile HTML Apps Handle Cross-Origin Requests

Mobile HTML applications using frameworks like PhoneGap/Cordova have more flexibility with cross-origin requests because −

• The app runs locally on the device using the file:// protocol

• Requests are not made across the HTTP protocol, so traditional same-origin rules don't strictly apply

• The device acts as a local server environment

• Cross-domain restrictions are managed through whitelisting mechanisms

Whitelist Configuration

Instead of relying on same-origin policy enforcement, mobile HTML apps use whitelist configuration to control which external domains can be accessed. This provides security while allowing necessary external API calls.

PhoneGap/Cordova Whitelist Configuration

In PhoneGap or Cordova applications, you can configure domain access through the config.xml file −

<access origin="https://api.example.com" />
<access origin="https://maps.googleapis.com" />
<access origin="*" />

The access element controls which network requests the application can make. The origin attribute specifies the domain, and using * allows access to all domains (though this is not recommended for security reasons).

Content Security Policy (CSP)

Modern mobile HTML apps also use Content Security Policy headers for additional security −

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://api.example.com; style-src 'self' 'unsafe-inline';">

Example − Making Cross-Origin AJAX Request in Mobile App

Following example demonstrates how a mobile HTML app can make cross-origin requests to an external API −

<!DOCTYPE html>
<html>
<head>
   <title>Mobile App Cross-Origin Request</title>
   <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://jsonplaceholder.typicode.com; script-src 'self' 'unsafe-inline';">
</head>
<body style="font-family: Arial, sans-serif; padding: 15px;">
   <h2>Cross-Origin API Request</h2>
   <button onclick="fetchData()">Fetch User Data</button>
   <div id="result"></div>
   
   <script>
      function fetchData() {
         fetch('https://jsonplaceholder.typicode.com/users/1')
            .then(response => response.json())
            .then(data => {
               document.getElementById('result').innerHTML = 
                  '<h3>User Info:</h3>' +
                  '<p><strong>Name:</strong> ' + data.name + '</p>' +
                  '<p><strong>Email:</strong> ' + data.email + '</p>' +
                  '<p><strong>City:</strong> ' + data.address.city + '</p>';
            })
            .catch(error => {
               document.getElementById('result').innerHTML = 
                  '<p style="color: red;">Error: ' + error.message + '</p>';
            });
      }
   </script>
</body>
</html>

In a properly configured mobile app, this request would succeed because the external domain is whitelisted, whereas the same code in a web browser would be blocked by same-origin policy.

Security Considerations

While mobile HTML apps have more flexibility with cross-origin requests, developers should still implement proper security measures −

• Specific whitelisting − Only whitelist necessary domains instead of using wildcards

• HTTPS enforcement − Use secure connections for sensitive data

• Input validation − Validate all data received from external APIs

• CSP headers − Implement Content Security Policy for additional protection

Protocol Differences

The key difference between web and mobile HTML apps lies in the protocol used −

Since mobile HTML apps run from the file:// protocol, they don't make requests across the HTTP protocol in the traditional sense, allowing for more flexible cross-domain communication when properly configured.

Conclusion

Mobile HTML applications built with PhoneGap/Cordova operate under different cross-origin rules than web browsers. Since they use the file:// protocol and run locally on the device, they can make cross-domain requests to whitelisted domains without same-origin policy restrictions. Proper whitelist configuration and security measures ensure both functionality and protection.