I want to allow PWAs to be able to request permission to bypass the same-origin policy after install
Submitted by David Barratt
If you wanted to create an RSS reader in the browser, it would not work because most RSS feeds do not use Cross-Origin Resource Sharing (CORS), thereby disallowing the web app to consume the RSS feed (a cross-origin resource). This is a necessary protection because without it, it would be possible for a user to visit example.com and have example.com make a request to their router at 192.168.1.1. The same-origin policy prevents this.
There are, however, legitimate use-cases for when the user might want to violate the same-origin policy. For example, the aforementioned RSS reader.
To work around the same-origin policy, a developer must do one of the following:
- have the user install a browser plugin that will modify the CORS headers,
- have the user download and install a native (or electron) application, or
- use a web-server to proxy public requests.
The first two options create a lot of friction for users, while the third option is an infrastructure burden on the app and violates the users' privacy since the proxy now is aware of all of the feeds a user subscribes to.
What if cross-origin requests were added as a permission that is gated by install? Installing a web app, should grant additional permissions similar to a native application; the user is explicitly granting trust to this application.