Starting chrome with --allow-file-access-from-files --disable-web-security flags also does the trick.
Sencha requires web server because if app is in development mode microloader in sencha make Ajax request for app.json file and from it, it loads other files. You can see this in
../sencha-sdk/mircroloader/development.js
file with following code -
var xhr = new XMLHttpRequest();
xhr.open('GET', 'app.json', false);
When you start chrome with above mentioned flags, chrome does allow making ajax requests even if file opened with file://.... url scheme.
When you deploy the app after compressing js/css with sencha cmd, all files are bunched into one single file. You no more need a webserver in that case.
Update
From Cordova docs for Whitelisting domain
Domain whitelisting in Apache Cordova is a security model that controls access to outside domains, such as http://google.com. The default security policy is to block all network access. The application developer can then declare access to specific network domains and subdomains.
And
In the Widget Access specification, the element is used to declare access to specific network domains. In the future, Apache Cordova will abstract the platform whitelisting implementations to the W3C Widget Access specification. However, for now each platform must implement it's own domain whitelisting.
Moreover, W3C Widget Access does not enclose the security and user agent enforce policy. It is defined in XMLHTTPRequest.
So what Cordova essential does is, adds an exception in policy to allow access to certain network resource outside app domain with whitelisted domains.
