cordova-plugin-whitelist

by apache

Apache Cordova plugin whitelist

434 Stars 188 Forks Last release: Not found Apache License 2.0 85 Commits 19 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:


title: Whitelist

description: Whitelist external content accessible by your app.

cordova-plugin-whitelist

This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0

Installation

You can install whitelist plugin with Cordova CLI, from npm:

$ cordova plugin add cordova-plugin-whitelist
$ cordova prepare

Supported Cordova Platforms

  • Android 4.0.0 or above

Navigation Whitelist

Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only.

By default navigations are only allowed to

file://
URLs. To allow others URLs, you must add
 tags to your 
config.xml
:

Quirks: on Android it also applies to iframes for non-http(s) schemes.

Intent Whitelist

Controls which URLs the app is allowed to ask the system to open.

In

config.xml
, add
 tags, like this:


Without any

 tags, no requests to external URLs are allowed. However, the default Cordova application includes a quite liberal set of 
allow-intent
entries by default. It is advised to narrow this down based on each app's needs.

On Android, this equates to sending an intent of type BROWSEABLE.

This whitelist does not apply to plugins, only hyperlinks and calls to

window.open()
.

Note:

allow-navigation
takes precedence over
allow-intent
. Allowing navigation to all URLs with
 for example has the side effect of "capturing" all intents, so the webview navigates to them instead of triggering e.g. external apps.

Network Request Whitelist

Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).

Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.

In

config.xml
, add
 tags, like this:


Without any

 tags, only requests to 
file://
URLs are allowed. However, the default Cordova application includes
 by default.

Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP.

Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly.

Content Security Policy

Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).

On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g.

& WebSockets are not blocked). So, in addition to the whitelist, you should use a Content Security Policy
 tag on all of your pages.

On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).

Here are some example CSP declarations for your

.html
pages:











We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.