Domain Whitelist Guide
Overview
Domain whitelisting in Apache Cordova is a security model that controls access to outside domains, such as http://google.com. The default security policy is to block all network access. The application developer can then declare access to specific network domains and subdomains.
Specification
Domain whitelisting lays the groundwork for the W3C Widget Access specification. In the Widget Access specification, the <access> element is used to declare access to specific network domains. In the future, Apache Cordova will abstract the platform whitelisting implementations to the W3C Widget Access specification. However, for now each platform must implement its own domain whitelisting.
Syntax
Access to google.com:
http://google.com
Access to the secure google.com (https://):
https://google.com
Access to the subdomain maps.google.com:
http://maps.google.com
Access to all the subdomains on google.com (e.g. mail.google.com and docs.google.com):
http://*.google.com
Access to all domains (e.g. google.com and developer.mozilla.org):
*
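An added example, not Cordova's own code: a JavaScript matcher for the entry forms listed above, showing that the wildcard has to be compared against the parsed hostname on a label boundary. The function names and the sample whitelist are hypothetical; it assumes the scheme in an entry is significant, that only http and https entries occur, and that http://*.google.com covers subdomains but not google.com itself.

```javascript
// Added illustration of the whitelist syntax above. Not Cordova's implementation;
// parseEntry, matchesEntry and isAllowed are hypothetical names.

// Turn one whitelist entry into a rule object.
function parseEntry(entry) {
  if (entry === '*') return { any: true };
  // Assumption: entries are http(s)://host or http(s)://*.host, as in the examples.
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(entry);
  if (!m) throw new Error('unsupported whitelist entry: ' + entry);
  return {
    any: false,
    scheme: m[1].toLowerCase(),
    subdomains: Boolean(m[2]),
    host: m[3].toLowerCase(),
  };
}

// Compare a parsed URL against one rule.
function matchesEntry(rule, url) {
  if (rule.any) return true;
  const scheme = url.protocol.slice(0, -1); // "http:" -> "http"
  const host = url.hostname.toLowerCase();  // parsed host, userinfo and port excluded
  if (scheme !== rule.scheme) return false;
  if (!rule.subdomains) return host === rule.host;
  // Require the dot, so "evilgoogle.com" does not pass for "*.google.com".
  // Assumption: the wildcard does not include the bare domain.
  return host.endsWith('.' + rule.host);
}

// Default policy is to block: no entries, or an unparsable URL, means no access.
function isAllowed(whitelist, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false;
  }
  return whitelist.map(parseEntry).some((rule) => matchesEntry(rule, url));
}

// Constructed sample whitelist for trying the function out.
const SAMPLE_WHITELIST = ['https://google.com', 'http://*.google.com'];
```
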
Android
Details
The whitelisting rules are found in res/xml/cordova.xml and declared with the element <access origin="..." />.
Android has full support for the whitelisting syntax.
Syntax
Access to google.com:
<access origin="http://google.com" />
Bada
Domain whitelisting is unsupported on Bada. By default, all domains are accessible.
BlackBerry
Details
The whitelisting rules are found in www/config.xml and declared with the element <access uri="..." />.
For a complete reference, see the BlackBerry WebWorks Access Element documentation.
Syntax
Access to google.com:
<access uri="http://google.com" subdomains="false" />
Access to maps.google.com:
<access uri="http://maps.google.com" subdomains="false" />
Access to all the subdomains on google.com:
<access uri="http://google.com" subdomains="true" />
Access to all domains, including file:// protocol:
<access uri="*" subdomains="true" />
iOS
Details
- Open Cordova.plist.
  - In Xcode, it is found at AppName/Supporting Files/Cordova.plist
  - In the directory, it is found at AppName/Cordova.plist
- Add a new String value under the ExternalHosts key.
  - We recommend using Xcode to avoid editing raw XML.
Domain protocols (e.g. http:// and https://) are not supported by iOS.
Syntax
Access to google.com and the secure google.com (https://):
google.com
Access to the subdomain maps.google.com:
maps.google.com
Access to all the subdomains on google.com (e.g. mail.google.com and docs.google.com):
*.google.com
Access to all domains (e.g. google.com and developer.mozilla.org):
*
Wildcards on iOS (*) are more flexible than the W3C Widget Access specification.
Access to all subdomains and TLDs (.com, .net, etc):
*.google.*
Symbian
Domain whitelisting is unsupported on Symbian. By default, all domains are accessible.
webOS
Domain whitelisting is unsupported on webOS. By default, all domains are accessible.
Windows Phone
Domain whitelisting is unsupported on Windows Phone. By default, all domains are accessible.