Cordova CLI 5.1.1
Starting with Cordova CLI 5.1, the security model that uses domain whitelisting to restrict an app's access to other domains has changed. By default, Cordova apps are now configured to allow access to any site, but it is recommended that before you move your app to production you provide a whitelist of the domains your app needs to access.
Starting from Cordova Android 4.0 and Cordova iOS 4.0, the security policy is implemented through the Whitelist Plugin. For other platforms, Cordova uses the W3C Widget Access specification for domain whitelisting.
The Whitelist Plugin uses three different whitelists plus a Content Security Policy.
Navigation Whitelist:
The Navigation Whitelist controls which URLs the WebView can be navigated to. Only top-level navigations are covered, with one exception: on Android it also applies to iframes for non-http(s) schemes. By default, you can only navigate to file:// URLs. To allow other URLs, the <allow-navigation> tag is used in the config.xml file. With the Intel XDK you need not specify this in config.xml; the Intel XDK automatically generates config.xml from the Build Settings.
In the Intel XDK you specify the URLs that the WebView may be navigated to under Build Settings > Android > Cordova CLI 5.1.1 > Whitelist > Cordova Whitelist > Navigation. For example: http://google.com
Intent Whitelist:
The Intent Whitelist controls which URLs the app is allowed to ask the system to open. By default, no external URLs are allowed. This applies only to hyperlinks and calls to window.open(). The app can open a browser (for http:// and https:// URLs) or other apps such as phone, SMS, email or maps. To allow the app to launch external apps through a URL, or to launch the InAppBrowser through window.open(), the <allow-intent> tag is used in config.xml; again, you need not specify this in config.xml, because the Intel XDK takes care of it through the Build Settings.
In the Intel XDK, specify the URLs you want to whitelist for external applications under Build Settings > Android > Cordova CLI 5.1.1 > Whitelist > Cordova Whitelist > Intent. For example: http://example.com, tel:* or sms:*
Network Request Whitelist:
The Network Request Whitelist controls which network requests, such as content fetching or AJAX (XHR) calls, are allowed to be made from within the app. For web views that support CSP, it is recommended that you use CSP; this whitelist is for older web views that do not support CSP. The whitelist is defined in config.xml using the <access origin> tag, but once again in the Intel XDK you provide the URL under Build Settings > Android > Cordova CLI 5.1.1 > Whitelist > Cordova Whitelist > Network Request. For example: http://mywebsite.com
By default, only requests to file:// URLs are allowed, but Cordova applications as generated include access to all websites. It is recommended that you provide your whitelist before publishing your app.
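The three whitelists described above end up as tags in config.xml. The following config.xml is an added example, not output generated by the Intel XDK, showing the permissive defaults a fresh Cordova project ships with (commented out) next to a restricted production whitelist. The app id and the domains example.com and api.example.com are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example config.xml; com.example.whitelistdemo, www.example.com and
     api.example.com are placeholder values, not taken from the article. -->
<widget xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0"
        id="com.example.whitelistdemo" version="1.0.0">
  <name>WhitelistDemo</name>

  <!-- Default template settings: any origin may be fetched and any http(s)
       link may be handed to the system. Fine for development, not for release. -->
  <!--
  <access origin="*" />
  <allow-intent href="http://*/*" />
  <allow-intent href="https://*/*" />
  -->

  <!-- Navigation whitelist: top-level WebView navigation is limited to
       file:// (always allowed) plus this one origin. -->
  <allow-navigation href="https://www.example.com/*" />

  <!-- Intent whitelist: which hyperlinks and window.open() targets the app may
       ask the system (browser, dialer, SMS app) to open. -->
  <allow-intent href="https://www.example.com/*" />
  <allow-intent href="tel:*" />
  <allow-intent href="sms:*" />

  <!-- Network request whitelist (honoured by web views without CSP support):
       XHR and content fetches are limited to the API origin. -->
  <access origin="https://api.example.com" />
</widget>
```

The wildcard forms in the commented block are the ones to look for when reviewing a build before release: an `<access origin="*" />` or `<allow-intent href="https://*/*" />` left in place means the whitelist is not restricting anything.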
Content Security Policy:
Content Security Policy controls which network requests, such as images or AJAX (XHR) requests, are allowed to be made directly by the web view. It is specified through <meta> tags in your HTML files, and it is recommended that you include a CSP <meta> tag on all of your pages. Android KitKat onwards supports CSP; the Crosswalk web view supports CSP on all Android versions.
For example, include one of these in your index.html file:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
Important Note:
As of Intel XDK release 2496, Cordova iOS 4.0 has not been released yet, so for iOS the W3C Widget Access policy is used. The settings in the Intel XDK for whitelisting URLs are as follows.
For Windows platforms the W3C Widget Access standard is also used, and the build settings for whitelisting are as follows.
Cordova CLI 4.1.2
For whitelisting with Cordova CLI 4.1.2, please follow this article.