Cordova Whitelisting with Intel® XDK for AJAX and Launching External Apps

Cordova CLI 5.4.1 (Cordova CLI 5.1.1 and higher)

Starting with Apache* Cordova* CLI 5.1, the security model that uses domain whitelisting to restrict which other domains the app can reach has changed. By default, Cordova apps are configured to allow access to any site; before you move your app to production you should provide a whitelist of only the domains your app actually needs to reach.

Android: Starting with Cordova Android 4.0, the security policy is enforced through the Whitelist Plugin (cordova-plugin-whitelist) and Content Security Policy. The Whitelist Plugin uses three whitelist tags:

  1. <access> tag for network requests
  2. <allow-intent> tag for intents
  3. <allow-navigation> tag for navigation

iOS: iOS does not use the Whitelist Plugin. Cordova iOS versions prior to 4.0 used the W3C Widget Access specification for domain whitelisting. Starting with Cordova iOS 4.0, the whitelist still uses the <access> tag and also supports the other two tags, <allow-intent> and <allow-navigation>, as described for the Whitelist Plugin. Starting with iOS 9, network whitelisting is enforced through App Transport Security (ATS). Cordova automatically converts <access> and <allow-navigation> tags into the corresponding ATS exception entries in the app's Info.plist. For a domain whose TLS configuration you control, the <access> and <allow-navigation> tags support two additional attributes that tighten security and have direct ATS equivalents:

  1. minimum-tls-version (ATS NSExceptionMinimumTLSVersion, e.g. TLSv1.2)
  2. requires-forward-secrecy (ATS NSExceptionRequiresForwardSecrecy)

See the ATS Technote for more details.

For other platforms, Cordova uses the W3C Widget Access specifications for domain whitelisting.

Starting with Intel XDK version 3088, the interface for selecting whitelist entries has changed slightly to accommodate changes in Cordova whitelist handling. The rest of this document explains how to specify whitelist entries in the Intel XDK.

Intel XDK 3088 and higher:

Network Request Whitelist (<access>):

The Network Request Whitelist controls which network requests (content fetching, AJAX/XHR and so on) may be made from within the app. For WebViews that support CSP, use CSP; this whitelist exists for older WebViews that do not support CSP. Note that the whitelist cannot block a redirect from a whitelisted site to a non-whitelisted one; only CSP covers that case. In config.xml this whitelist is defined with <access origin="..."> tags, but in the Intel® XDK you provide the URL under Build Settings > Android > Cordova CLI 5.4.1 > Whitelist > Cordova Whitelist > Network Request (<access>). For example: http://mywebsite.com

By default, only requests to file:// URLs are allowed, but the config.xml that Cordova generates for a new application includes <access origin="*" />, which opens access to every site. Replace that entry with your whitelist before publishing your app.

[Screenshot: Network Request whitelist settings, Cordova CLI 5.4.1]

Intent Whitelist (<allow-intent>):

The Intent Whitelist controls which URLs the app is allowed to ask the system to open. By default, no external URLs are allowed. This applies only to hyperlinks and calls to window.open(). With a matching entry, the app can open a browser (for http:// and https:// URLs) or other apps such as phone, SMS, email or maps. To allow the app to launch external apps through a URL, or to launch the InAppBrowser through window.open(), the <allow-intent> tag is used in config.xml; again you need not edit config.xml, because the Intel® XDK generates it from the Build Settings. List each scheme you need rather than a catch-all entry, since every scheme you allow is one more app a crafted link can hand control to.

In the Intel® XDK, specify the URL you want to whitelist for external applications under Build Settings > Android > Cordova CLI 5.4.1 > Whitelist > Cordova Whitelist > Intent (<allow-intent>). For example: http://example.com, tel:* or sms:*

Navigation Whitelist (<allow-navigation>):

The Navigation Whitelist controls which URLs the WebView itself can be navigated to. It applies only to top-level navigations, except on Android, where it also applies to iframes for non-http(s) schemes. By default, you can only navigate to file:// URLs. To allow other URLs, the <allow-navigation> tag is used in config.xml; with the Intel® XDK you need not specify this in config.xml, because the Intel XDK generates config.xml from the Build Settings. Keep this list as narrow as possible: a remote page the WebView navigates to runs inside the app and can reach the Cordova bridge and its plugins.

In the Intel® XDK, specify the URLs that the WebView may be navigated to under Build Settings > Android > Cordova CLI 5.4.1 > Whitelist > Cordova Whitelist > Navigation (<allow-navigation>). For example: http://google.com
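The config.xml that the Intel XDK generates from the three Build Settings above (and from the corresponding Cordova CLI 5.1.1 settings described later for older XDK versions) contains exactly the tags discussed in these sections. The fragment below is an added illustration, not the XDK's generated file and not the Cordova template; it shows what a tightened production whitelist looks like, with the iOS-only TLS attributes from the iOS section included. api.example.com, cdn.example.com and www.example.com are placeholder hosts, and the widget id and name are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a production whitelist; placeholder hosts, not a real app. -->
<widget xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0"
        id="com.example.whitelistdemo" version="1.0.0">
  <name>WhitelistDemo</name>

  <!-- Required on Cordova Android 4.0+ for the three tags below to take effect. -->
  <plugin name="cordova-plugin-whitelist" spec="1" />

  <!-- Network requests (AJAX/XHR, images, scripts) made from the app's own pages.
       The template's <access origin="*" /> is deliberately absent. On iOS 9+ these
       become ATS exceptions; the two extra attributes demand TLS 1.2 and forward
       secrecy for a host whose TLS configuration you control. -->
  <access origin="https://api.example.com"
          minimum-tls-version="TLSv1.2"
          requires-forward-secrecy="true" />
  <access origin="https://cdn.example.com" />

  <!-- Intents: what the app may ask the OS to open from hyperlinks and window.open().
       Each scheme is listed explicitly instead of href="*". -->
  <allow-intent href="https://www.example.com/*" />
  <allow-intent href="tel:*" />
  <allow-intent href="sms:*" />
  <allow-intent href="mailto:*" />

  <!-- Navigation: where the WebView itself may be pointed. A page loaded here runs
       with the app's privileges and can reach Cordova plugins, so it is limited to a
       host you own; for a fully local app omit the tag and keep the file:// default. -->
  <allow-navigation href="https://www.example.com/*"
                    minimum-tls-version="TLSv1.2" />
</widget>
```

A quick check after a build is to open the generated platforms/android/res/xml/config.xml (or the iOS Info.plist for the ATS entries) and confirm that no `origin="*"` or `href="*"` entry survived from the template.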

Additional Whitelist Settings for iOS ATS:

In the Projects tab, the whitelist settings for iOS are the same as described above. Additionally, when you click "Edit ATS settings", you can specify the ATS settings (minimum TLS version and forward secrecy) for the Network Request and Navigation whitelist entries as follows.

[Screenshot: ATS settings]

Windows Platform:

Windows uses W3C Widget Access for whitelisting, that is, the <access> tag. Windows 10 additionally supports the <allow-navigation> tag for the navigation whitelist.

Content Security Policy:

Content Security Policy controls which network requests (images, AJAX/XHR requests and so on) the WebView may make directly. It is specified through a <meta> tag in your HTML file, and you should include a CSP <meta> tag on every page of your app. The Android system WebView supports CSP from KitKat (4.4) onwards; the Crosswalk WebView supports CSP on all Android versions. Use CSP whenever the WebView supports it, since unlike the <access> whitelist it also catches requests that reach a non-whitelisted host through a redirect.

For example, include one of the following in your index.html file. The first policy allows the app's own files, data: URLs, the gap: scheme used by the Cordova iOS bridge, and resources from https://ssl.gstatic.com (needed for TalkBack on Android), and permits inline styles; the second is stricter and allows only the app's own files and HTTPS origins. Do not include both: every CSP <meta> tag on a page is enforced, and a request must be allowed by each of them.

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">

Intel XDK versions prior to 3088:

Navigation Whitelist :

The Navigation Whitelist controls which URLs the WebView itself can be navigated to. It applies only to top-level navigations, except on Android, where it also applies to iframes for non-http(s) schemes. By default, you can only navigate to file:// URLs. To allow other URLs, the <allow-navigation> tag is used in config.xml; with the Intel® XDK you need not specify this in config.xml, because the Intel XDK generates config.xml from the Build Settings. Keep this list as narrow as possible: a remote page the WebView navigates to runs inside the app and can reach the Cordova bridge and its plugins.

In the Intel® XDK, specify the URLs that the WebView may be navigated to under Build Settings > Android > Cordova CLI 5.1.1 > Whitelist > Cordova Whitelist > Navigation. For example: http://google.com

[Screenshot: Navigation whitelist settings, Android, Cordova CLI 5.1.1]

Intent Whitelist:

The Intent Whitelist controls which URLs the app is allowed to ask the system to open. By default, no external URLs are allowed. This applies only to hyperlinks and calls to window.open(). With a matching entry, the app can open a browser (for http:// and https:// URLs) or other apps such as phone, SMS, email or maps. To allow the app to launch external apps through a URL, or to launch the InAppBrowser through window.open(), the <allow-intent> tag is used in config.xml; again you need not edit config.xml, because the Intel® XDK generates it from the Build Settings.

In the Intel® XDK, specify the URL you want to whitelist for external applications under Build Settings > Android > Cordova CLI 5.1.1 > Whitelist > Cordova Whitelist > Intent. For example: http://example.com, tel:* or sms:*

[Screenshot: Intent whitelist settings, Android, Cordova CLI 5.1.1]

Network Request Whitelist:

The Network Request Whitelist controls which network requests (content fetching, AJAX/XHR and so on) may be made from within the app. For WebViews that support CSP, use CSP; this whitelist exists for older WebViews that do not support CSP. In config.xml this whitelist is defined with <access origin="..."> tags, but in the Intel® XDK you provide the URL under Build Settings > Android > Cordova CLI 5.1.1 > Whitelist > Cordova Whitelist > Network Request. For example: http://mywebsite.com

By default, only requests to file:// URLs are allowed, but the config.xml that Cordova generates for a new application includes <access origin="*" />, which opens access to every site. Replace that entry with your whitelist before publishing your app.

[Screenshot: Network Request whitelist settings, Android, Cordova CLI 5.1.1]

Content Security Policy:

Content Security Policy controls which network requests (images, AJAX/XHR requests and so on) the WebView may make directly. It is specified through a <meta> tag in your HTML file, and you should include a CSP <meta> tag on every page of your app. The Android system WebView supports CSP from KitKat (4.4) onwards; the Crosswalk WebView supports CSP on all Android versions.

For example, include one of the following in your index.html file. The first policy allows the app's own files, data: URLs, the gap: scheme used by the Cordova iOS bridge, and resources from https://ssl.gstatic.com (needed for TalkBack on Android), and permits inline styles; the second is stricter and allows only the app's own files and HTTPS origins. Do not include both: every CSP <meta> tag on a page is enforced, and a request must be allowed by each of them.

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
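Both Content Security Policy sections of this document (for XDK 3088 and higher, and for earlier versions) show a policy string but not how the WebView decides whether a given request passes it. The following is an added example, written for this page and not code from Cordova, the Intel XDK or the original article: a small evaluator that parses a CSP <meta> content string and answers whether a request of a given type to a given URL would be allowed. It implements the subset of CSP source matching a Cordova app relies on ('self', 'none', the bare '*', scheme-sources such as https:, data: and gap:, and host-sources with an optional scheme, "*." host wildcard, port and path). The sample policies are the two from the text; the "self" page URL and the request URLs (api.example.com and cdn.example.com are placeholders) are constructed for the example.

```javascript
// Added example (not Cordova, Intel XDK or article code): evaluate whether a request
// is allowed by a CSP policy string of the kind placed in a Cordova <meta> tag.
// Keywords such as 'unsafe-inline' and 'unsafe-eval' govern inline content and eval,
// not fetches, so they never match a URL here.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self' https:; img-src *" -> { 'default-src': ["'self'", 'https:'], 'img-src': ['*'] }
function parsePolicy(content) {
  const policy = {};
  for (const part of content.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression match the request URL, relative to the page's own URL?
function sourceMatches(source, url, self) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (src.startsWith("'")) return false;                      // other keywords never match a fetch
  if (src === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;   // scheme-source

  // host-source: [scheme "://"] host [":" port] [path]
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false;                                              // no scheme: same scheme as the page, or https
  }
  if (hostPattern.startsWith('*.')) {
    // "*.example.com" matches api.example.com but not example.com itself
    if (!url.hostname.endsWith(hostPattern.slice(1))) return false;
  } else if (hostPattern !== '*' && url.hostname !== hostPattern) {
    return false;
  }
  if (port && port !== '*' && effectivePort(url) !== port) return false;
  if (path) {
    // a trailing "/" makes the path a prefix match, otherwise it must match exactly
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a request of the given type (e.g. 'connect-src' for XHR) to requestUrl be allowed?
// Falls back to default-src when the directive is absent; with neither present, CSP does
// not restrict that request type at all.
function isAllowed(policy, directive, requestUrl, selfUrl) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  const url = new URL(requestUrl);
  const self = new URL(selfUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

// Constructed sample: the two policies from the text, evaluated from a page loaded out
// of the app bundle (file://), which is where a Cordova page on Android runs.
const SELF = 'file:///android_asset/www/index.html';
const TEMPLATE_POLICY = parsePolicy(
  "default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"
);
const HTTPS_ONLY_POLICY = parsePolicy("default-src 'self' https:");

function checkTemplatePolicy() {
  return {
    localScript: isAllowed(TEMPLATE_POLICY, 'script-src', 'file:///android_asset/www/js/app.js', SELF),
    gstatic: isAllowed(TEMPLATE_POLICY, 'script-src', 'https://ssl.gstatic.com/accessibility/javascript/android/talkback.js', SELF),
    // the first policy blocks XHR to your own backend until you add e.g.
    // "connect-src https://api.example.com" (api.example.com is a placeholder host)
    ownApi: isAllowed(TEMPLATE_POLICY, 'connect-src', 'https://api.example.com/v1/items', SELF),
    video: isAllowed(TEMPLATE_POLICY, 'media-src', 'http://cdn.example.com/intro.mp4', SELF),
    dataImg: isAllowed(TEMPLATE_POLICY, 'img-src', 'data:image/png;base64,iVBORw0KGgo=', SELF),
  };
}

function checkHttpsOnlyPolicy() {
  return {
    httpsApi: isAllowed(HTTPS_ONLY_POLICY, 'connect-src', 'https://api.example.com/v1/items', SELF),
    httpApi: isAllowed(HTTPS_ONLY_POLICY, 'connect-src', 'http://api.example.com/v1/items', SELF),
  };
}
```

The point the sample makes is that the first policy from the text, as written, allows your own scripts and the gstatic resource but blocks an XHR to your own API host, because `connect-src` falls back to `default-src` and nothing there names that host; the fix is an explicit `connect-src` entry, not widening `default-src`. The second policy lets any HTTPS origin through, so in practice you will usually want a host list there as well. A real WebView also applies the whitelist from config.xml on top of this, so a request must pass both.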

Important Note: As of Intel® XDK release 2496, Cordova iOS 4.0 has not yet been released, so for iOS the W3C Widget Access policy is used. The Intel XDK settings for whitelisting URLs are as follows.

[Screenshot: iOS W3C Widget Access whitelist settings, Cordova CLI 5.1.1]

For Microsoft Windows* platforms, the W3C Widget Access standard is also used, and the build settings for whitelisting are as follows.

[Screenshot: W3C Widget Access whitelist settings, Cordova CLI 5.1.1]

Cordova CLI 4.1.2

Cordova CLI 4.1.2 is no longer supported by the Intel XDK. Please update to CLI 5.1.1 or CLI 5.4.1.
