
We are investigating the possibility of creating an app with one code base that can be run on our web server (as an HTML file and JavaScript) and also as smartphone apps (iOS/Android, compiled from Intel XDK). Because of this approach, we can only use HTML, CSS and JavaScript. Our current study is connecting to our server using AJAX to invoke a PHP file on the server that echoes the same data back to the client JavaScript side.

Currently we are testing with the following code, borrowed and modified a bit from https://stackoverflow.com/a/5004276/144201:

HTML:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <script src="jquery.js"></script>
    <script src="ajaxphpjquery.js"></script>
</head>
<body>
<form id="foo">
    <label for="bar">A bar</label>
    <input id="bar" name="bar" type="text" value="" />
    <input type="submit" value="Send" />
</form>
<div id="result"></div>
</body>
</html>

JS (showing only the AJAX request and the receiving-data-back part; we use jQuery):

    $(document).ready(function () {
        $("#foo").submit(function (event) {
            // Stop the browser from doing a normal (page-reloading) form submit
            event.preventDefault();

            var $form = $(this);
            // Serialize the form fields (here just "bar") into a POST body
            var serializedData = $form.serialize();

            var request = $.ajax({
                url: "http://MYURL.com/myPHP.php",
                type: "post",
                data: serializedData
            });

            // Callback handler that will be called on success
            request.done(function (response, textStatus, jqXHR) {
                // Log a message to the console
                console.log("it worked : " + response);

                // And also show the message in the result tag. Note that .html()
                // renders the server response as markup, not as plain text.
                $("#result").html("it worked : " + response);
            });
        });
    });

PHP on our server:

<?php

// Wildcard: lets a page from any origin read this response in the browser
header("Access-Control-Allow-Origin: *");

// Read the "bar" field posted by the form (null if it is missing)
$bar = isset($_POST['bar']) ? $_POST['bar'] : null;
echo "!!! $bar";

?>

While all this code worked fine and we got the form input echoed back correctly, one thing that is bothering us is the use of header("Access-Control-Allow-Origin: *"); in PHP. As mentioned in https://stackoverflow.com/a/17098221/144201, this implies that the wildcard would allow cross-site scripts from any domain. Therefore, it is preferable to use something like a white-list to allow which domains can connect to our server.

But in the case of hybrid apps, imagine a thousand users using this hybrid app on their smartphones and connecting to our server via AJAX. Is Access-Control-Allow-Origin: * the only way to allow external hybrid apps to connect to our server? What is the proper method to tackle this issue, security-wise?

Note: We have also found https://stackoverflow.com/a/26966685/144201, but this was asked two years ago and there is no accepted answer. Are there any recommendations regarding this issue as of now?
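As an added example (not part of the question, and not the asker's code), this is what the white-list approach mentioned in the question looks like when applied to the PHP echo endpoint above. It replaces the wildcard with an exact-match allowlist, echoes back only the single matching origin, adds Vary: Origin so caches do not serve one origin's CORS headers to another, and answers preflight (OPTIONS) requests. The origin values are assumptions: https://app.example.com stands in for the web build's host, and the two hybrid-app entries ("file://" and the literal "null") are placeholders for whatever Origin the WebView engine actually sends for pages loaded from the app bundle, which varies by platform and should be confirmed from the server's own request logs before being allowed. Requires PHP 7.1 or later for the nullable parameter type.

```php
<?php
// Added example, not the code from the question. Exact-match CORS allowlist
// for the echo endpoint; all origin values below are assumptions/placeholders.

$allowedOrigins = [
    'https://app.example.com',  // assumed host of the web build
    'file://',                  // placeholder: hybrid build on platforms that send file://
    'null',                     // placeholder: hybrid build on platforms that send Origin: null
];

// Returns the CORS response headers for the given request Origin, or an empty
// array when the browser must not be allowed to read the response.
function corsHeadersFor(?string $origin, array $allowed): array
{
    // No Origin header: same-origin page or a non-browser client; CORS does not apply.
    if ($origin === null) {
        return [];
    }
    // Strict, exact comparison. Substring or regex matching on origins is a
    // classic mistake (e.g. "app.example.com.attacker.tld" would match "app.example.com").
    if (!in_array($origin, $allowed, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,          // one origin, never "*"
        'Vary'                         => 'Origin',         // response differs per Origin
        'Access-Control-Allow-Methods' => 'POST, OPTIONS',
        'Access-Control-Allow-Headers' => 'Content-Type',
        'Access-Control-Max-Age'       => '600',            // cache the preflight for 10 minutes
    ];
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
foreach (corsHeadersFor($origin, $allowedOrigins) as $name => $value) {
    header("$name: $value");
}

// Preflight request: the browser only wants the headers, so send no body.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// Same echo behaviour as the original endpoint, but declared as plain text so
// the response is not interpreted as HTML if it is ever opened directly.
header('Content-Type: text/plain; charset=utf-8');
$bar = isset($_POST['bar']) ? $_POST['bar'] : null;
echo "!!! $bar";
```

Two caveats on reading this. First, CORS only controls which web pages a browser will let read the response; it is not authentication, and a native client or any tool outside a browser ignores it entirely. If the server must know that a request comes from a legitimate installation of the app, that has to come from a credential the app presents (a per-user session or token), not from the Origin header. Second, allowing the "null" origin is close to allowing "*", because a sandboxed iframe or a data: URL on any site also produces a null origin; if the hybrid build turns out to send "null", it is better to treat the endpoint as public for CORS purposes and rely on authentication, rather than believe the allowlist is restricting who can call it.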
