Crosswalk for Windows Desktop - issue with cross domain requests

hi there

Trying the new crosswalk desktop option, but for some reason it won't let me make http requests - how can I allow cross domain requests?

XMLHttpRequest cannot load https://xxxx/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'app://kdgggkjnnjegondbpjdekbiiicookkia' is therefore not allowed access.




Try adding this to the <head> section of your index.html file:

<meta http-equiv="Content-Security-Policy"  content="default-src * 'unsafe-inline' 'unsafe-eval'">

And also try the following settings for the whitelist in your Build Settings section:

Hi Paul

I am talking about the new "Crosswalk for Windows Classic Desktop" - there is no network section in the build settings? (I am using the Early Access version 3172) - How do I add domains/intents?

Edit: I tried adding the meta in index but that didn't work. I also tried adding "default-src * 'unsafe-inline' 'unsafe-eval'" into the csp field on build settings but that didn't work either.


Sorry about that confusion.

My suspicion is that is controlled in the manifest.json file. But I'm not sure. The responsible engineer has already gone home for the weekend, so won't be able to find out until next week.

Hi Paul

That's no problem - thanks for the update. It would be great to test this out.

FP -- here's the relevant page that gives you the background > < and I am told (I did not verify) that an empty "csp": is what you will find in there if you have not touched that file. That case is not covered by that doc, but gut feeling is that it "does the wrong thing" and should be changed. Try using that field in the manifest.json file to see if it helps. Please let me know what you uncover.

I'm assuming you already read thru this page >

Hi Paul

I had already found both of these resources online, I tried a multitude of versions of the csp options, but none of them work including this one which is recommended on the page you sent. Are you guys able to do cross-domain requests on your tests?

"csp": "script-src 'self' 'unsafe-inline'; object-src 'self'"

Error: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-/vllGj0YOpz/dXbe4iKdVys0XTxMhYhpJVTn05Agmb0='), or a nonce ('nonce-...') is required to enable inline execution.


FP -- we did some experiments and found what appears to be a bug with Crosswalk Windows and cmd.exe shells. We don't know what the specific source of the bug is, we need to pass that on to the Crosswalk project team, but we believe we've found a workaround.

Do NOT use the CSP field in the UI (which fills out the "csp" element in the manifest.json file). Instead, use the "normal" method of specifying CSP, via the <head> section of your index.html file. For example:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; object-src 'self'">

That worked for us. Let me know if it works for you.

Hi Paul

I am still getting the original error - again I tried a multitude of options - ended up with the below but still no joy. The error I get is: XMLHttpRequest cannot load https://xxxx/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'app://kdgggkjnnjegondbpjdekbiiicookkia' is therefore not allowed access.

<meta http-equiv="Content-Security-Policy" content="connect-src *; img-src 'self' data:; font-src 'self' data:; default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'">

Note: I have successfully used the same code on an Android crosswalk build


If you build the Crosswalk for Windows app and run the built app do you see it work? We did see a difference in our test between a built app and the test app. When running it in the Debug tab there appears to be an issue associated with launching the unbuilt app from a cmd.exe shell.

Also, if you remove the csp entry entirely, from the manifest.json file (and from the <head> tag), does that result in a working app? According to the CW docs, removing the csp element entirely from the manifest.json file should result in no CSP enforcement.

I built it without csp in manifest or head tag, and it still fails to allow cross-domain requests (essentially we can't sign in to our app back end)

Maybe I'm too early on this one ;-) Sounds like a great concept though! Is anyone else testing this for you?

So far you are the only one that has provided feedback regarding this feature. Sorry, I do not know how many people have downloaded the EA and are using it. Typically, only a very small fraction of actual users post in the forum; most are content to simply read posts. It's great to get the feedback.
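
The error quoted in this thread reports a missing `Access-Control-Allow-Origin` response header, which is set by the server being called rather than by the page's CSP. As an added example (not code from the thread or from the Crosswalk project), here is a Node.js sketch of that server-side header decision, assuming you control the back end; the allow-list contents and the names `corsDecision` and `handler` are hypothetical.

```javascript
// Added example: server-side CORS decision for the error quoted in this thread.
// Hypothetical allow-list; the app:// origin is the one shown in the error message.
const ALLOWED_ORIGINS = new Set(['app://kdgggkjnnjegondbpjdekbiiicookkia']);
const ALLOWED_METHODS = 'GET, POST, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Decide the CORS part of a response from the request method and headers
// (header names lower-cased, as Node's http module delivers them).
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  const headers = { 'Vary': 'Origin' };            // stop caches mixing origins
  const preflight = method === 'OPTIONS' &&
    reqHeaders['access-control-request-method'] !== undefined;
  if (origin === undefined) return { status: 200, headers }; // not a CORS request
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin is sent, so the client logs the error
    // quoted in the thread. This is not authentication: the request still
    // reached the server and must be authorized separately.
    return { status: preflight ? 403 : 200, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin;  // exact match, never '*'
  if (preflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };                // preflight has no body
  }
  return { status: 200, headers };
}

// Request handler; wire up with require('http').createServer(handler).listen(port).
function handler(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  if (status !== 200) { res.writeHead(status, headers); return res.end(); }
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

A `connect-src` directive in the page can only narrow where the client may connect; the header above is what the client's cross-origin check looks for in the response.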
