42

Do phonegap applications require any CORS changes (like setting Access-Control-Allow-Origin:*) to work? I have a restful API hosted on Heroku and was wondering whether I need to set this header in order for my phonegap application to call the service?

I was thinking that because the phonegap application isn't really hosted on a domain, then CORS isn't required and I won't get any cross domain issues?

It would be great if someone could explain to me why this is or isn't the case.

jcm
  • 4,879
  • 9
  • 39
  • 64

4 Answers4

29

PhoneGap you can just XHR directly to remote servers and it should "just work". Cross-domain policy does not apply to PhoneGap (for a variety of reasons, basically because your app is essentially running off the file:// URI on-device).

Please be aware that you will have to set up a whitelist for your apps to access these external domains. Please check this link:

http://docs.phonegap.com/en/1.8.0rc1/guide_whitelist_index.md.html#Domain%20Whitelist%20Guide

user3225827
  • 307
  • 2
  • 3
  • 3
    Keep in mind, that this whitelist does not apply to stuff done in via the inAppBrowser-Plugin. Whitelisting will only work in the main Cordova webview! – Tobias May 11 '15 at 09:15
  • 2
    I wonder why [this answer](http://stackoverflow.com/a/3744697/399414) says 'Scripts running via file:// have limited support for CORS', if XHR to remote server should "just work". – Sen Jacob May 03 '16 at 12:41
  • Thanks to this post, here is my conclusion to share. It will "just work" really. But if CORS is enabled on the server, it will not work, because you can't set "file://" as an allowed origin. – heringer Sep 05 '19 at 18:29
6

None of the default Cordova (PhoneGap) platforms require CORS, despite the fact that the HTML files are hosted locally (file://) and are accessing a web domain.

However, on iOS, if you switch from the UIWebView to the newer WKWebView via cordova-plugin-wkwebview-engine, you will indeed have to implement CORS.

Kevin Christopher Henry
  • 37,093
  • 5
  • 98
  • 87
  • Note that the "browser" platform *does* require CORS. Not sure if there are any others that do. – Jules Aug 05 '17 at 08:00
  • @Jules: Unlike the other platforms, `browser` isn't tied to any particular web view, so it just depends on the web browser you choose to use. Assuming that you're talking about development use, it's trivial to disable the Same Origin Policy in Chrome with the [`--disable-web-security` flag](https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome) and avoid implementing CORS. – Kevin Christopher Henry Aug 05 '17 at 08:21
  • Is this, "None of the default Cordova (PhoneGap) platforms require CORS" still valid in August 2018? During our integration with the client's LOGIN the mobile app gets a 401 and the details show "CORS" error. Server team says that they are enabling CORS at their gateway, but believe the origin "file://" is the root cause. HELP :( – mobibob Aug 07 '18 at 18:42
  • @mobibob: As far as I know this is still true. In any case, your best bet is to post a new question indicating the platform and including the full request and response headers. – Kevin Christopher Henry Aug 09 '18 at 06:03
  • cordova plugin add cordova-plugin-wkwebview-file-xhr – AUSTX_RJL Sep 24 '18 at 20:35
2

Yes You have to activate CORS on he server that hosts your API. I am running a Phonegap App on iOs. My app requests json from a server API on Apache. I activate CORS on the server to get the data otherwise I get nothing in my application, no error and no data.

Notice that the access parameter in the config file lets you filter which domain your application is authorized to query but does nothing with the server's permissions.

hakimoun
  • 306
  • 2
  • 8
2

As of cordova 5 you will need to add the whitelist plugin

https://github.com/apache/cordova-plugin-whitelist

In config.xml add

<!-- Don't block any requests -->
<access origin="*" />
aWebDeveloper
  • 31,131
  • 35
  • 150
  • 224