Because of CORS, you can only open requests using http*:// schemes, not file.
Ultimately this might be a new plugin. The plugin needs to:
1. Run a local webserver
2. Proxy XmlHttpRequest.open and rewrite urls that go to (1)
The local webserver in (1) will route the requests using the appropriate handler, and will need to utilize a secret to prevent unauthorized access.
Something like this: https://github.com/phonegap/connect-phonegap/blob/master/res/middleware/proxy.js