Need help with cordova-plugin-whitelist?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

445 Stars 196 Forks Apache License 2.0 97 Commits 7 Opened issues


[DEPRECATED] Apache Cordova - Whitelist Plugin

Services available


Need anything else?

Contributors list

title: Whitelist

description: Whitelist external content accessible by your app.


This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0

Deprecation Notice

With the Allow List functionality now integrated into the core of Cordova Android (10.x and greater), this plugin is no longer required.

Existing projects using Cordova Android 10 or greater should remove this plugin with the following command:

cordova plugin rm cordova-plugin-whitelist


You can install whitelist plugin with Cordova CLI, from npm:

$ cordova plugin add cordova-plugin-whitelist
$ cordova prepare

Supported Cordova Platforms

  • Android 4.0.0 or above

Navigation Whitelist

Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only.

By default navigations are only allowed to

URLs. To allow others URLs, you must add
 tags to your 

Quirks: on Android it also applies to iframes for non-http(s) schemes.

Intent Whitelist

Controls which URLs the app is allowed to ask the system to open.


, add
 tags, like this:

Without any

 tags, no requests to external URLs are allowed. However, the default Cordova application includes a quite liberal set of 
entries by default. It is advised to narrow this down based on each app's needs.

On Android, this equates to sending an intent of type BROWSEABLE.

This whitelist does not apply to plugins, only hyperlinks and calls to


takes precedence over
. Allowing navigation to all URLs with
 for example has the side effect of "capturing" all intents, so the webview navigates to them instead of triggering e.g. external apps.

Network Request Whitelist

Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).

Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.


, add
 tags, like this:

Without any

 tags, only requests to 
URLs are allowed. However, the default Cordova application includes
 by default.

Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP.

Quirk: Android also allows requests to by default, since this is required for TalkBack to function properly.

Content Security Policy

Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).

On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g.

& WebSockets are not blocked). So, in addition to the whitelist, you should use a Content Security Policy
 tag on all of your pages.

On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView).

Here are some example CSP declarations for your


We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.