Showing with 30 additions and 5 deletions.

+15 −5 js/jquery.mobile.navigation.js

+15 −0 tests/unit/navigation/navigation_helpers.js
diff --git a/js/jquery.mobile.navigation.js b/js/jquery.mobile.navigation.js
@@ -245,6 +245,19 @@
 					return ( u.hash && ( u.hrefNoHash === documentUrl.hrefNoHash || ( documentBaseDiffers && u.hrefNoHash === documentBase.hrefNoHash ) ) );
 				}
 				return (/^#/).test( u.href );
+			},
+
+
+			// Some embedded browsers, like the web view in Phone Gap, allow cross-domain XHR
+			// requests if the document doing the request was loaded via the file:// protocol.
+			// This is usually to allow the application to "phone home" and fetch app specific
+			// data. We normally let the browser handle external/cross-domain urls, but if the
+			// allowCrossDomainPages option is true, we will allow cross-domain http/https
+			// requests to go through our page loading logic.
+			isPermittedCrossDomainRequest: function( docUrl, reqUrl ) {
+				return $.mobile.allowCrossDomainPages
+					&& docUrl.protocol === "file:"
+					&& reqUrl.search( /^https?:/ ) != -1;
 			}
 		},
 
@@ -1220,7 +1233,6 @@
 		return path.makeUrlAbsolute( url, base);
 	}
 
-
 	//The following event bindings should be bound after mobileinit has been triggered
 	//the following function is called in the init file
 	$.mobile._registerInternalEvents = function(){
@@ -1256,8 +1268,7 @@
 
 			url = path.makeUrlAbsolute(  url, getClosestBaseUrl($this) );
 
-			//external submits use regular HTTP
-			if( path.isExternal( url ) || target ) {
+			if(( path.isExternal( url ) && !path.isPermittedCrossDomainRequest(documentUrl, url)) || target ) {
 				return;
 			}
 
@@ -1365,12 +1376,11 @@
 				// data. We normally let the browser handle external/cross-domain urls, but if the
 				// allowCrossDomainPages option is true, we will allow cross-domain http/https
 				// requests to go through our page loading logic.
-				isCrossDomainPageLoad = ( $.mobile.allowCrossDomainPages && documentUrl.protocol === "file:" && href.search( /^https?:/ ) != -1 ),
 
 				//check for protocol or rel and its not an embedded page
 				//TODO overlap in logic from isExternal, rel=external check should be
 				//     moved into more comprehensive isExternalLink
-				isExternal = useDefaultUrlHandling || ( path.isExternal( href ) && !isCrossDomainPageLoad );
+				isExternal = useDefaultUrlHandling || ( path.isExternal( href ) && !path.isPermittedCrossDomainRequest(documentUrl, href) );
 
 			if( isExternal ) {
 				httpCleanup();

diff --git a/tests/unit/navigation/navigation_helpers.js b/tests/unit/navigation/navigation_helpers.js
@@ -215,4 +215,19 @@
 		same( $.mobile.path.cleanHash( "#anything/atall?akjfdjjf" ), "anything/atall", "removes query param");
 		same( $.mobile.path.cleanHash( "#nothing/atall" ), "nothing/atall", "removes query param");
 	});
+
+	test( "path.isPermittedCrossDomainRequest", function() {
+		var fileDocUrl = $.mobile.path.parseUrl( "file://foo" );
+
+		$.mobile.allowCrossDomainPages = false;
+		same( $.mobile.path.isPermittedCrossDomainRequest( "foo",  "bar"), false, "always false from the setting");
+
+
+		$.mobile.allowCrossDomainPages = true;
+		// test the two states of the file protocol logic
+		same( $.mobile.path.isPermittedCrossDomainRequest( fileDocUrl,  "http://bar.com/foo"), true, "external url from file protocol succeeds");
+
+		same( $.mobile.path.isPermittedCrossDomainRequest( fileDocUrl,  "file://foo"), false, "two file protocol urls fail");
+
+	});
 })(jQuery);