I've been working on a sencha touch app that is supposed to make an ajax call to a pre-existing xml based service. My question is that if I want to set Access-Control-Allow-Origin header in the web server that I need to call, what domain origin should I allow it from? My touch app will be deployed in the app store, I don't want to say Access-Control-Allow-Origin header: * since that would open for all domains. If my app is going to be downloaded from the app store and run from a consumer's cell phone what will be the origin?