Apache Cordova plugin whitelist
title: Whitelist
This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0
You can install whitelist plugin with Cordova CLI, from npm:
$ cordova plugin add cordova-plugin-whitelist $ cordova prepare
Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only.
By default navigations are only allowed to
file://URLs. To allow others URLs, you must add tags to your
config.xml:
Quirks: on Android it also applies to iframes for non-http(s) schemes.
Controls which URLs the app is allowed to ask the system to open.
In
config.xml, add tags, like this:
Without any
tags, no requests to external URLs are allowed. However, the default Cordova application includes a quite liberal set ofallow-intententries by default. It is advised to narrow this down based on each app's needs.
On Android, this equates to sending an intent of type BROWSEABLE.
This whitelist does not apply to plugins, only hyperlinks and calls to
window.open().
Note:
allow-navigationtakes precedence over
allow-intent. Allowing navigation to all URLs with for example has the side effect of "capturing" all intents, so the webview navigates to them instead of triggering e.g. external apps.
Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).
Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.
In
config.xml, add tags, like this:
Without any
tags, only requests tofile://URLs are allowed. However, the default Cordova application includes by default.
Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP.
Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly.
Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g.
& WebSockets are not blocked). So, in addition to the whitelist, you should use a Content Security Policy tag on all of your pages.On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).
Here are some example CSP declarations for your
.htmlpages: