Domain Whitelist Guide

Overview

Domain whitelisting in Apache Cordova is a security model that controls access to outside domains, such as http://google.com.

The default security policy allows all network access. Before moving your application to production, review its whitelist and declare access to specific network domains and subdomains.

Specification

Domain whitelisting lays the groundwork for the W3C Widget Access specification. In the Widget Access specification, the <access> element is used to declare access to specific network domains. In the future, Apache Cordova will abstract the platform whitelisting implementations to the W3C Widget Access specification. For now, however, each platform must implement its own domain whitelisting.

Syntax

Access to google.com:

http://google.com

Access to the secure google.com (https://):

https://google.com

Access to the subdomain maps.google.com:

http://maps.google.com

Access to all the subdomains on google.com (e.g. mail.google.com and docs.google.com):

http://*.google.com

Access to all domains (e.g. google.com and developer.mozilla.org):

*

Android

Details

The whitelisting rules are found in res/xml/config.xml and declared with the element <access origin="..." />.

Android has full support for the whitelisting syntax.

Syntax

Access to google.com:

<access origin="http://google.com" />

Bada

Domain whitelisting is unsupported on Bada. By default, all domains are accessible.

BlackBerry

Details

The whitelisting rules are found in www/config.xml and declared with the element <access uri="..." />.

For a complete reference, see the BlackBerry WebWorks Access Element documentation.

Syntax

Access to google.com:

<access uri="http://google.com" subdomains="false" />

Access to maps.google.com:

<access uri="http://maps.google.com" subdomains="false" />

Access to all the subdomains on google.com:

<access uri="http://google.com" subdomains="true" />

Access to all domains, including file:// protocol:

<access uri="*" subdomains="true" />

iOS

Details

The whitelisting rules are found in AppName/config.xml and declared with the element <access origin="..." />.

iOS has full support for the whitelisting syntax.

Note: origins specified without a protocol (e.g. www.apache.org instead of http://www.apache.org) default to all of http, https, ftp, and ftps.

Syntax

Wildcards on iOS (*) are more flexible than the W3C Widget Access specification.

Access to all subdomains and TLDs (.com, .net, etc.):

*.google.*

Symbian

Domain whitelisting is unsupported on Symbian. By default, all domains are accessible.

webOS

Domain whitelisting is unsupported on webOS. By default, all domains are accessible.

Windows Phone (7 & 8)

The whitelisting rules are found in config.xml and declared with the element <access origin="..." />.

Android has full support for the whitelisting syntax.

Syntax

Access to google.com:

<access origin="http://google.com" />

Tizen

Details

The domain whitelisting rules are found in config.xml located in your application root directory. They are declared with the element <access origin="..." />. For a complete reference, see the Tizen Accessing External Network Resources documentation.

Syntax

Access to google.com:

<access origin="http://google.com" subdomains="false" />

Access to the secure google.com (https://):

<access origin="https://google.com" subdomains="false" />

Access to all the subdomains on google.com:

<access origin="http://google.com" subdomains="true" />

Access to all domains, including file:// protocol:

<access origin="*" subdomains="true" />
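
The pre-production whitelist review recommended in the Overview can be scripted against config.xml. The following is an added example, not part of the Cordova documentation or code base: the function name review_access_rules, the sample config.xml and the example.* domains are constructed for illustration, and the findings are review hints based on the syntax in this guide, not Cordova's own matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not from a real project). It mixes the origin=
# form (Android, iOS, Windows Phone, Tizen) with the uri= form (BlackBerry).
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="*" />
  <access origin="https://api.example.com" />
  <access origin="http://maps.example.com" />
  <access origin="www.example.org" />
  <access origin="*.example.*" />
  <access uri="https://example.net" subdomains="true" />
</widget>
"""

def review_access_rules(config_xml):
    """Return (origin, [findings]) for every <access> element in config_xml."""
    results = []
    for elem in ET.fromstring(config_xml).iter():
        # Strip the XML namespace, if any, before comparing the tag name.
        if elem.tag.rsplit("}", 1)[-1] != "access":
            continue
        origin = (elem.get("origin") or elem.get("uri") or "").strip()
        findings = []
        if origin == "*":
            findings.append("allows every domain")
        else:
            scheme, sep, rest = origin.partition("://")
            host = (rest if sep else origin).split("/", 1)[0]
            if not sep:
                # Per the iOS note in this guide.
                findings.append("no protocol given: iOS allows http, https, ftp and ftps")
            elif scheme.lower() != "https":
                findings.append("not https: " + scheme)
            if host.endswith(".*"):
                findings.append("wildcard in the TLD position")
            if host.startswith("*."):
                findings.append("covers all subdomains")
            if elem.get("subdomains", "").lower() == "true":
                findings.append('subdomains="true" covers all subdomains')
        results.append((origin, findings))
    return results

if __name__ == "__main__":
    for origin, findings in review_access_rules(SAMPLE_CONFIG):
        print(origin, "->", "; ".join(findings) or "ok")
```

An entry with no findings is a single https origin with no wildcard; every other entry is worth a second look before release.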