How to enable cross-site scripting in Chrome
Lately I've been doing a lot of PlayBook development. It's fun to develop for a device that's not even out yet, although the simulator is a bit buggy. One of the intriguing things about the PlayBook is that native applications can be written in HTML and Javascript. The PlayBook uses something WebKit-based to run the apps.
At first I was concerned that the development cycle would like this:
Code, compile bar, upload to simulator, run, modify and repeat
In actually, the development cycle is quite nice, because for non-Blackberry specific code (of which I haven't used much, thus far, I can just do:
Code, open local html file in Chrome, modify and repeat
We all know a shorter development cycle means faster development time, plus the Chrome Javascript REPL (console, if you must) is quite nice, so developing a PlayBook app can be pretty pleasant.
That is, until you want to develop a login scheme that uses XmlHttpRequest for a remote server. At this point, Chrome will yell at you for doing cross-site scripting. The PlayBook won't, because the PlayBook understands that the initializing HTML files of all its apps reside locally instead of being served from the remote server. Thus this ability is a necessity for asynchronized Javascript communication with any remote server from a native app.
A few minutes of Googling turned up a few promising candidates. Chrome has a --allow-file-access-from-files flag, but that's only useful for cross-origin scripting between local files - not relevant in our situation. XMLHttpRequest (Level 2) has been implemented in Chrome with "withCredentials", which apparently allows cross-origin scripting provided that the remote server sends back an HTTP header saying the request is cool, but as I did not have access to the remote server in this situation, that was also a no-go. Finally, I found another simple and bluntly named Chrome flag "--disable-web-security" that did the trick.