I want to discuss the infamous cross-domain policy. I see it as one of the key factors preventing web apps from overcoming native apps as a technology and distribution system.
Every web developer hits the wall of the cross-domain request restriction at some point. Usually it’s because a need arises to fetch content from another website or a public API. At other times developers want to divide their back-end into many independent services instead of one monolithic server through which every request passes. The development of server-less apps and the adoption of micro-services would have been greatly facilitated by a more lenient restriction. Despite the existing alternatives to HTTP requests, such as WebRTC, JSONP, and HTML includes, REST endpoints are still the main method through which servers expose APIs.
I realize that the policy stems from security concerns, but I don’t see why it is the only solution to these problems. If security of IFrames is the issue, why not just limit access to cookies and localStorage for the domain? Why throw the baby out with the bathwater?
In other words, is there a good argument (security or other) why in 2016, when there is no longer a clear distinction between web apps and other apps, we should still have this limitation? (The argument must not apply to native apps…)
If not, why the hell do we still have it?