6

I am building a hybrid app (HTML, CSS, JS + native iOS code), and would like to make calls to a web service, but this is currently being blocked by the XSS Security.

What do I need to do to turn off this security feature (or more likely provide a whitelist that is allowed to connect?)

Thanks for the help!

Nathan
  • That isn't XSS. XSS is where you have a security hole which allows an attacker to add their JavaScript to your page so it runs when a visitor arrives on your site (usually via a link from the attacker). – Quentin Mar 15 '12 at 13:38
  • What kind of "web service" are you talking about? What exactly are you trying, and what exactly is the browser doing to thwart your efforts? "XSS" is an *attack* strategy, not a security feature. – Pointy Mar 15 '12 at 13:39
  • There is probably a way to expose an API written in Obj-C to your JavaScript (and your Obj-C code can make HTTP requests freely), but I'm not well versed in Apple's APIs. – Quentin Mar 15 '12 at 13:39
  • See [How to call Objective-C from Javascript?](http://stackoverflow.com/questions/1662473/how-to-call-objective-c-from-javascript). It isn't specific enough about your problem to count as a duplicate, but it should give you enough to tie into an Objective C method you write to make the HTTP requests. – Quentin Mar 15 '12 at 15:01

2 Answers

6

Yes.

You can use Cross Origin Resource Sharing, iff you're allowed to configure the server to support it, and it works on enough browsers for your needs.

Yusuf X
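
A server-side origin allowlist for the Cross Origin Resource Sharing approach suggested in the answer above, as an added example that is not part of the original answer or thread. The origins, allowed methods and headers, and the payload are assumed values.

```javascript
// Added example: CORS origin allowlist for a Node.js request handler (no dependencies).
// Assumption: these are the origins the app's pages are served from (constructed values).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:8080']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['content-type'];

// Decide the CORS part of a response. Node lower-cases incoming header names.
// Returns { status, headers }; status is null when the normal handler should run.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  const headers = { Vary: 'Origin' }; // the response differs per origin, so caches must key on it
  if (!origin) return { status: null, headers }; // same-origin or non-browser client
  const preflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin is sent, so the browser withholds the response from the page.
    return { status: preflight ? 403 : null, headers };
  }
  if (preflight) {
    const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(reqHeaders['access-control-request-method']) &&
      wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  }
  // Echo the exact allowlisted origin; never reflect an arbitrary Origin or fall back to '*'.
  headers['Access-Control-Allow-Origin'] = origin;
  return { status: preflight ? 204 : null, headers };
}

// Request listener; use as http.createServer(handle).
function handle(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (status !== null) {
    res.statusCode = status;
    return res.end();
  }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ reading: 21.5 })); // constructed payload standing in for the service
}
```

These headers only control what a browser lets the calling page read. A non-preflighted request from an unlisted origin still reaches the handler, so the service needs its own authentication.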
0

No.

XSS cannot be disabled in any browser - otherwise hackers could easily steal all your money from your bank account. So this isn't a path that you can, should or want to take.

Ask another question where you describe more clearly what you need to achieve and we can probably help.

Aaron Digulla
  • Since the 'browser' is a piece of software written (albeit using preexisting libraries) by the OP, that isn't the case here. – Quentin Mar 15 '12 at 13:40
  • What is it that you're thinking of that you'd call an "XSS security feature"? All XSS attack methods I know of involve tricks that are **not** prevented by intrinsic browser securities, like exploiting failures to HTML-escape user data written back onto pages. – Pointy Mar 15 '12 at 13:41
  • Hi Aaron- Thanks for the reply, to elaborate: The application makes calls to a physical device, receives information from the device and displays the information. I built the app using strictly native iOS code, and made the calls via HTTP Post requests, but the client wants to build the app utilizing as little native code as possible (so it is cross platform compatible)... The issue is when the native HTML/JS code attempts to access the physical device serving up the data, the call is blocked... – Nathan Mar 15 '12 at 13:41
  • @Aaron Digulla, +1 for short but helpful answer and your support to the OP, some geeks are only here to downvote the juniors (according to reps) and I think they feel insecure about newcomers. Thanks again! :-) – The Alpha Mar 15 '12 at 13:42
  • @Nathan: JS in a browser is strictly forbidden to access any native APIs for security reasons (otherwise a hacker could send you a link and pw3n your phone). You will need to split your app into a server that responds to HTTP and a pure HTML part that talks with the server. – Aaron Digulla Mar 15 '12 at 13:53
  • Presumably we're talking about a UIWebView and not "a browser". – Quentin Mar 15 '12 at 15:02