
I'm rendering a local static HTML file in a WebView that needs to do cross-origin requests to a server I control. Currently those requests are failing because the "Origin" header is being set as null by the WebView (probably because it's a local file). I've considered running a local HTTP server in the app and pointing the WebView to that, but then the "Origin" header would be set as http://localhost. I'm reluctant to add localhost to my CORS whitelist server-side, as I'm not sure what the security implications of that would be.

What would be the best approach to solving this problem?

pjivers
  • Is there a specific reason you have a CORS origin allow list at all, rather than just sending `Access-Control-Allow-Origin: *` in responses? Are you using an allow list because the requests include credentials? – sideshowbarker Jun 26 '20 at 05:42
  • Not particularly. I was just under the impression (probably falsely) that I shouldn't use `Access-Control-Allow-Origin: *` if I want to restrict the API calls to domains I control. – pjivers Jun 26 '20 at 05:55
  • But now that you mention it, it looks like that's only an issue when passing credentials. – pjivers Jun 26 '20 at 05:56
  • Right — if the requests don’t include credentials, then it’s safe to use `Access-Control-Allow-Origin: *`. See the answer at https://stackoverflow.com/a/43154277/441757 – sideshowbarker Jun 26 '20 at 06:02
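The server-side policy the comments converge on, written out as an added example (not code from the question or from any answer): a wildcard for endpoints that take no credentials, and an exact-match allow list that never trusts the `null` origin for endpoints that do. The allow list, the function name and the `credentialed` flag are assumptions.

```python
from typing import Dict, Optional

# Assumed allow list: exact origins (scheme + host + port) trusted for
# credentialed calls. Constructed for this example.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def cors_headers(origin: Optional[str], credentialed: bool) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying ``origin``.

    Non-credentialed endpoints: ``*`` is safe because the browser attaches
    no cookies to such requests, so no allow list is needed and the
    ``null`` origin of a file:// WebView page, or ``http://localhost`` from
    a local server, both simply work.

    Credentialed endpoints: browsers reject ``*`` combined with
    ``Access-Control-Allow-Credentials: true``, so the server must echo one
    exact, trusted origin. ``null`` is never echoed: it is also the origin
    of sandboxed iframes and other opaque documents, so allowing it would
    let any such document make credentialed calls.
    """
    if not credentialed:
        return {"Access-Control-Allow-Origin": "*"}

    if origin is None or origin == "null":
        return {}  # no CORS headers: the browser blocks the response read

    # Exact string match only. Prefix, suffix or regex matching on the
    # Origin value is a recurring source of misconfiguration.
    # Only https origins are listed: an "http://localhost" entry would
    # accept any page served by whatever process holds that local port.
    if origin.startswith("https://") and origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # response differs per origin; keep caches correct
        }
    return {}
```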
