Become an AceSign inSign up
apache/ cordova-plugin-whitelist
JavaScript Java cplusplus Node.js Mobile cordova Objective-C C#
View on GitHub
Need help with cordova-plugin-whitelist?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

apache
441 Stars 190 Forks Apache License 2.0 88 Commits 15 Opened issues

Description

Apache Cordova plugin whitelist

Services available

!
?

Need anything else?

Contributors list

title: Whitelist

description: Whitelist external content accessible by your app.

cordova-plugin-whitelist

This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0

Installation

You can install whitelist plugin with Cordova CLI, from npm:

$ cordova plugin add cordova-plugin-whitelist
$ cordova prepare

Supported Cordova Platforms

  • Android 4.0.0 or above

Navigation Whitelist

Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only.

By default navigations are only allowed to 

file://
URLs. To allow others URLs, you must add 
 tags to your 
config.xml
:















Quirks: on Android it also applies to iframes for non-http(s) schemes.



Intent Whitelist



Controls which URLs the app is allowed to ask the system to open.



In 
config.xml
, add 
 tags, like this:























Without any 
 tags, no requests to external URLs are allowed. However, the default Cordova application includes a quite liberal set of 
allow-intent
 entries by default. It is advised to narrow this down based on each app's needs.


On Android, this equates to sending an intent of type BROWSEABLE.



This whitelist does not apply to plugins, only hyperlinks and calls to 
window.open()
.


Note: 
allow-navigation
 takes precedence over 
allow-intent
. Allowing navigation to all URLs with 
 for example has the side effect of "capturing" all intents, so the webview navigates to them instead of triggering e.g. external apps.


Network Request Whitelist



Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).



Note: We suggest you use a Content Security Policy (see below), which is more secure.  This whitelist is mostly historical for webviews which do not support CSP.



In 
config.xml
, add 
 tags, like this:

















Without any 
 tags, only requests to 
file://
 URLs are allowed. However, the default Cordova application includes 
 by default.


Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP.



Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly.



Content Security Policy



Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).



On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. 
 & WebSockets are not blocked). So, in addition to the whitelist, you should use a Content Security Policy 
 tag on all of your pages.


On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).



Here are some example CSP declarations for your 
.html
 pages:














    
    
    
    
    
    
    
    



 We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.