Apache Cordova (Phonegap): is jsonp needed for cro

Published 2019-07-17 19:57

Question:

I've just started using Apache Cordova. I have a library that makes calls (via ajax) to a SOAP server.

When I run these on my local machine in chrome, I get cross site scripting errors when trying to make calls to the service.

When I run the same exact code using the Cordova browser in the iOS emulator, the scripts seem to hit the server fine and the response data is received properly.

So my question is how is the Cordova browser able to make these requests without cross-site scripting permissions & JSONP? One thing I noticed is that when the request is sent from iOS, there is no "Origin" header. Is this allowing the Cordova browser to stealthily circumvent cross-site scripting requirements? Is it possible that the node.js server on the device (I believe this is how Cordova works) is manipulating the headers to allow this?

I'd like to avoid enabling cross-site scripting on my site so I think this "feature" is nice, but I'm wondering if it's a security hole as well.

Anyone have experience with this?

Answer 1:

By default, Phonegap allows cross domain requests. You can restrict this using domain whitelisting if you're worried about security. If you're using jQuery, set $.support.cors = true; to allow cross domain requests.

This page has a breakdown of cross site scripting security in Phonegap.

By the way, there's a neat trick you can use with Google Chrome to allow cross site scripting and therefore test your Phonegap app in the Ripple emulator, for example: set the command line parameter --disable-web-security in the shortcut to Chrome, e.g.

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
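An added example of the domain whitelisting the answer refers to (not code from the answer or from the Cordova project): a Cordova config.xml showing the permissive template default beside a version restricted to the one SOAP host the app calls. The hostname and app id are placeholders; the element semantics assumed are those of cordova-plugin-whitelist.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- config.xml for a Cordova app; the WebView loads the app locally, so the
     browser's same-origin/CORS checks do not apply and this whitelist is the
     control that decides which network origins the app may reach. -->
<widget id="com.example.soapclient" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.io/ns/1.0">
    <name>SoapClient</name>

    <!-- Weak (template default): any origin is reachable from app code,
         so an injected script could talk to any server it likes.
    <access origin="*" />
    -->

    <!-- Restricted: only the SOAP endpoint this app actually uses
         (placeholder host), and only over HTTPS. -->
    <access origin="https://soap.example.com" />

    <!-- No <allow-navigation> entry: the WebView may only navigate to
         the app's own local files, never to a remote page. -->

    <!-- Links to other sites leave the WebView and open in the system
         browser, which keeps them outside the app's privileges. -->
    <allow-intent href="https://*/*" />
    <allow-intent href="http://*/*" />
</widget>
```

Because the whitelist governs only the native layer, pair it with a Content-Security-Policy meta tag in index.html whose connect-src names the same host.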