Starting with Apache Cordova CLI 4.1.2, the Cordova security model uses "whitelisting" to restrict which other domains your app can reach. The Cordova recommendation is that, by default, your app 1) cannot access other domains and 2) cannot launch external apps via other domains. In practice this means that AJAX calls do not work by default, and your app cannot launch external apps such as Phone, Email, SMS or the Browser, until you explicitly whitelist the domains involved.
The current Intel® XDK defaults, however, do grant access to other domains (AJAX calls): the Build Settings (Projects tab) ship with * in the domain list. You are encouraged to replace * with specific domains wherever possible. To let your app launch external applications via other domains, you must take an extra step in the Build Settings UI: click "+ add another domain" and check the "Allow external application to launch from this domain" checkbox. Examples of external applications that can be launched this way include Phone, Email, SMS, Browser, and so on. The current UI is slightly confusing, but you can configure it for your use case.
For a detailed explanation of Cordova domain whitelisting, please refer to the Cordova documentation. The rest of this document shows how to set domain whitelisting in the Intel XDK Build Settings for your specific requirements.
Here are a few possible scenarios for your app:
- If you do not want to access any domains from within your app (no AJAX), and you do not want your app to launch any external application such as Phone, Email, SMS, Browser, etc., your settings would be as follows (No Whitelist):
- To allow your app to access a specific domain, such as http://google.com, http://*.google.com or https://*.google.com, your settings would be as follows (Internal Whitelist). Note that the scheme is part of the match: an http:// entry does not cover https:// requests to the same host, so add both if your app uses both:
- To allow your app to access all domains (if you are not sure which domains you will access from your app, or if you access many domains through AJAX), put * in the domain list box. This is the default setting that the Intel XDK provides with the templates and some of the sample apps (Internal Whitelist - access to all):
- If you do not want to use AJAX but do want to launch external apps from your app through specific domains, use settings such as tel:*, sms:*, mailto:* and http://*. When using values like these, make sure to set the checkbox for "Allow external application to launch from this domain" (External Whitelist). Be aware that http://* lets any http link leave the app and open in the system browser; narrow it to specific hosts where you can:
- To allow external apps to be launched from your app through all domains (for example, if your app launches many other apps or you are not sure which ones), put * in the domain list and set the checkbox for "Allow external application to launch from this domain" (External Whitelist - allow external apps to launch from all domains):
- To allow your app to access specific domains (AJAX) and to allow external apps to be launched from your app through specific domains (such as launching the phone app or the default browser), use the following settings. This is the recommended way to specify your settings for both AJAX and launching external applications (Internal Whitelist and External Whitelist):
- To access all domains from within your app and to allow external apps to be launched from your app for all domains (if you are not sure which domains your app accesses, or you access many domains and want many apps to be launched from your app through many domains), use this option. Be aware that this is the least secure option: every origin gets both network access and permission to launch external apps, so any content your app loads, including script injected into a page, can reach arbitrary servers and trigger phone, SMS, email or browser intents on the user's behalf (Internal Whitelist and External Whitelist - access all):
Note that with the current Cordova implementation the order of your domain lists matters, so make sure you specify your Internal Whitelists (AJAX case) first and then your External Whitelists (launching external apps).
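The scenarios above boil down to two lists that the build writes into the app's config.xml, and it helps to see how Cordova actually evaluates them. The following is an added example, not code from this page, from the Intel XDK or from the Cordova project. It assumes that an Internal Whitelist entry becomes an <access origin="..."/> element (network/AJAX requests) and that an entry with "Allow external application to launch from this domain" checked becomes an <allow-intent href="..."/> element (launching external apps); the matching rules are a simplified reimplementation of cordova-android's Whitelist/URLPattern. The config.xml fragment is constructed for the "Internal Whitelist and External Whitelist" scenario (HTTPS AJAX to google.com hosts only; only tel: and mailto: links may leave the app); function and class names are my own.

```python
"""Model of how cordova-plugin-whitelist evaluates the two whitelists that the
Intel XDK Build Settings generate.  Added example; assumptions are noted inline."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed config.xml for the "Internal Whitelist and External Whitelist"
# scenario.  Assumption: the XDK emits <access origin> for the Internal
# Whitelist and <allow-intent href> for the External Whitelist.  The <access>
# entries come before the <allow-intent> entries, as the page advises.
SAMPLE_CONFIG = """\
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.demo" version="1.0.0">
  <access origin="https://*.google.com" />
  <allow-intent href="tel:*" />
  <allow-intent href="mailto:*" />
</widget>
"""

# Splits an entry into scheme, host, port and path; each piece is optional and
# may be "*".  This is the same grammar cordova-android uses for its entries.
_ENTRY = re.compile(
    r"^((\*|[A-Za-z-]+):(//)?)?(\*|((\*\.)?[^*/:]+))?(:(\d+))?(/.*)?$")


class URLPattern:
    """One whitelist entry.  '*' in a component means 'any'; a host of
    '*.example.com' matches example.com and every subdomain; a path is a glob.
    Matches are anchored, so 'google.com.evil.example' never matches."""

    def __init__(self, entry):
        m = _ENTRY.match(entry)
        if m is None or (m.group(2) is None and m.group(4) is None):
            raise ValueError("unparseable whitelist entry: %r" % entry)
        scheme, host, port, path = m.group(2), m.group(4), m.group(8), m.group(9)
        self.scheme = None if scheme in (None, "*") else scheme.lower()
        if host in (None, "*"):
            self.host = None
        elif host.startswith("*."):
            self.host = re.compile(r"^([a-z0-9.-]*\.)?" + re.escape(host[2:]) + "$", re.I)
        else:
            self.host = re.compile("^" + re.escape(host) + "$", re.I)
        # As in cordova-android, an explicit port in the entry only matches a
        # URL that spells the port out; a bare https://host does not match :443.
        self.port = None if port is None else int(port)
        self.path = None if path is None else re.compile(
            "^" + re.escape(path).replace(r"\*", ".*") + "$")

    def matches(self, url):
        u = urlsplit(url)
        return ((self.scheme is None or u.scheme.lower() == self.scheme)
                and (self.host is None or self.host.match(u.hostname or "") is not None)
                and (self.port is None or u.port == self.port)
                and (self.path is None or self.path.match(u.path) is not None))


class Whitelist:
    """A list of entries; a URL is allowed if any entry matches.  An empty
    list (the page's "No Whitelist" scenario) allows nothing."""

    def __init__(self, entries):
        self.patterns = [URLPattern(e) for e in entries]

    def allows(self, url):
        return any(p.matches(url) for p in self.patterns)


def load_whitelists(config_xml):
    """Return (network, intent) whitelists from a config.xml string."""
    root = ET.fromstring(config_xml)
    network, intents = [], []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the widgets namespace if present
        if local == "access" and el.get("origin"):
            network.append(el.get("origin"))
        elif local == "allow-intent" and el.get("href"):
            intents.append(el.get("href"))
    return Whitelist(network), Whitelist(intents)


def network_allowed(url, config_xml=SAMPLE_CONFIG):
    """Would an AJAX request from the app to `url` pass the Internal Whitelist?"""
    return load_whitelists(config_xml)[0].allows(url)


def intent_allowed(url, config_xml=SAMPLE_CONFIG):
    """Could the app hand `url` to another app (Phone, Email, Browser, ...)?"""
    return load_whitelists(config_xml)[1].allows(url)


if __name__ == "__main__":
    for url in ("https://api.google.com/search?q=xdk", "http://api.google.com/",
                "https://google.com.evil.example/", "tel:+15551234567",
                "mailto:security@example.com", "https://www.google.com/"):
        print("%-40s AJAX=%-5s launch=%s" % (url, network_allowed(url), intent_allowed(url)))
```

Two things worth noticing in the output: an AJAX call to https://www.google.com is allowed but opening that same URL in the system browser is not, because the two lists are independent; and http://api.google.com is refused because the scheme is part of the match. The whitelist only governs what the native layer lets through; a Content-Security-Policy meta tag in your HTML is still the right place to restrict what the WebView itself is willing to load.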