We've recently released a new HTML 5 web app that follows the single-page app design and are using App Cache to enable a certain amount of offline functionality. However, most data is fetched from a cross-origin RESTful API, which we allow access to via the NETWORK element in the App Cache manifest file.
In order to secure the data being transferred from the app to the API, we want to ensure all calls to the API are made securely using SSL. When we change the protocol for the URL of the endpoint and update the NETWORK white-list to https://domain.co.uk, we find that Chrome kills the request off. The request never makes it outside of the browser. Desktop Firefox does not appear to show the same behaviour in testing.
It appears that if we make the NETWORK element a full wildcard, then Chrome is happy and our requests make it out of the browser. However, I'm unhappy to implement this as a fix, as it's unclear whether in doing so we risk having the application load all resources from the network even if we had previously asked it to cache them through the App Cache CACHE directive. From a security perspective, whilst we would secure the data transfer between the web app and the RESTful API, we would open up another security hole by allowing any script network access to download whatever content it likes.
At the moment I want to understand if this is a bug just in Chrome, or if we're doing something that App Cache wasn't designed for. I'll update you as my journey unfolds as we dig further.

#html5 #appcache
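A small lint for the NETWORK section discussed above, as an added example that is not code from the original post. It flags the wildcard, entries that are not HTTPS, and entries whose scheme differs from the manifest's own URL. The function name, manifest contents and every URL other than https://domain.co.uk are constructed for illustration.

```javascript
// Constructed sample manifest; only https://domain.co.uk comes from the post.
const SAMPLE_MANIFEST = [
  'CACHE MANIFEST',
  '# v1 (constructed sample)',
  'CACHE:',
  'index.html',
  'app.js',
  'NETWORK:',
  'https://domain.co.uk',
  'http://cdn.example/feed',
  '*',
].join('\n');

// Hypothetical helper: returns one finding per problem in the NETWORK section.
function lintNetworkSection(manifestText, manifestUrl) {
  const manifestScheme = new URL(manifestUrl).protocol;
  const findings = [];
  let section = 'CACHE'; // entries before any header are explicit cache entries
  for (const raw of manifestText.split(/\r?\n/).slice(1)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const header = /^(CACHE|NETWORK|FALLBACK):$/.exec(line);
    if (header) { section = header[1]; continue; }
    if (section !== 'NETWORK') continue;
    const entry = line.split(/\s+/)[0];
    if (entry === '*') {
      // Wildcard: every URL not in the cache may be fetched from the network.
      findings.push({ entry, issue: 'wildcard' });
      continue;
    }
    const url = new URL(entry, manifestUrl); // relative entries inherit the manifest's scheme
    if (url.protocol !== 'https:') findings.push({ entry, issue: 'not-https' });
    // The HTML5 manifest parsing rules skip a NETWORK entry whose scheme
    // differs from the scheme of the manifest's own URL.
    if (url.protocol !== manifestScheme) findings.push({ entry, issue: 'scheme-mismatch' });
  }
  return findings;
}

// Manifest URLs below are constructed; compare an http-served and an https-served manifest.
console.log(lintNetworkSection(SAMPLE_MANIFEST, 'http://app.example/manifest.appcache'));
console.log(lintNetworkSection(SAMPLE_MANIFEST, 'https://app.example/manifest.appcache'));
```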