I recently had a problem with a cross domain AJAX call to a third party web service which requires a JSESSIONID cookie to be present in each request for session management.
On the face of it, CORS supports this by setting withCredentials: true on the XHR object being sent over the wire. But as I was building a PhoneGap app, the files were being loaded using the file:// protocol, which has the side-effect of setting the Origin header to null whenever you make an AJAX call. According to the CORS spec, when using withCredentials, you must set the response header Access-Control-Allow-Origin on the server to something _other_ than the wildcard *. In this case, it would need to be my Origin. But since my Origin was null, I was stuffed, and I don't think that what I was trying to do could be done.
This seems like a bug / missing feature in PhoneGap. You should ask them for advice / file a ticket. This sort of thing sounds like a generally useful feature to have, so hopefully they should be receptive.
Do you think EasyXDM might help here?
(The scenario is explained in more detail on Stack Overflow: http://stackoverflow.com/questions/9103876/cors-cookie-crede... )
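The credentialed-CORS rule described in the post, as an added example that is not part of the original thread: a server-side header decision and the matching browser-side check. `ALLOWED_ORIGINS`, `corsHeaders`, `browserAllows` and the origin `https://app.example.com` are assumptions made for illustration.

```javascript
// Added example: hypothetical names, constructed sample origin.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Decide which CORS response headers the server sends for a request.
function corsHeaders(requestOrigin, { credentials }) {
  // No Origin header: not a CORS request, add nothing.
  if (requestOrigin === undefined) return {};

  if (!credentials) {
    // Without cookies the wildcard is permitted.
    return { "Access-Control-Allow-Origin": "*" };
  }

  // With credentials the browser rejects "*", so the server must name one
  // exact origin. Pages loaded from file:// (and sandboxed iframes) send the
  // literal string "null", which identifies no particular sender, so it is
  // never treated as an allowed origin here.
  if (requestOrigin === "null" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // the browser will keep the response from the calling script
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse this response for another origin
  };
}

// Browser-side check: may a script on pageOrigin read a response that
// carries these headers?
function browserAllows(pageOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === pageOrigin;
  return acao !== "*" && acao === pageOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}
```
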