Domain Whitelist Guide

Overview

Domain whitelisting is a security model that controls access to outside domains, such as http://google.com. Apache Cordova's default security policy allows access to any site. Before moving your application to production, you should review its whitelist and declare access to specific network domains and subdomains.

Specification

Domain whitelisting lays the groundwork for the W3C Widget Access specification. In the Widget Access specification, the <access> element is used to declare access to specific network domains. In the future, Apache Cordova will abstract the platform whitelisting implementations to the W3C Widget Access specification. However, for now each platform must implement its own domain whitelisting.

Syntax

Access to google.com:

http://google.com

Access to the secure google.com (https://):

https://google.com

Access to the subdomain maps.google.com:

http://maps.google.com

Access to all the subdomains on google.com (e.g., mail.google.com and docs.google.com):

http://*.google.com

Access to all domains (e.g., google.com and developer.mozilla.org):

*

Android

Details

The whitelisting rules are found in res/xml/config.xml and declared with the element <access origin="..." />.

Android fully supports whitelisting syntax.

Syntax

Access to google.com:

<access origin="http://google.com" />

BlackBerry

Details

The whitelisting rules are found in www/config.xml and declared with the element <access uri="..." />.

For a complete reference, see the BlackBerry WebWorks Access Element documentation.

Syntax

Access to google.com:

<access uri="http://google.com" subdomains="false" />

Access to maps.google.com:

<access uri="http://maps.google.com" subdomains="false" />

Access to all the subdomains on google.com:

<access uri="http://google.com" subdomains="true" />

Access to all domains, including file:// protocol:

<access uri="*" subdomains="true" />

iOS

Details

The whitelisting rules are found in AppName/config.xml and declared with the element <access origin="..." />.

iOS fully supports whitelisting syntax.

NOTE: origins specified without a protocol, such as www.apache.org rather than http://www.apache.org, default to all of the http, https, ftp, and ftps schemes.

Syntax

Wildcards on iOS (*) are more flexible than the W3C Widget Access specification.

Access to all subdomains and TLDs (.com, .net, etc):

*.google.*

Windows Phone (7 & 8)

The whitelisting rules are found in config.xml and declared with the element <access origin="..." />.

Android fully supports whitelisting syntax.

Syntax

Access to google.com:

<access origin="http://google.com" />

Tizen

Details

The application root directory's config.xml file specifies domain whitelisting rules, using the <access origin="..." /> element. For a complete reference, see the [Tizen Accessing External Network Resources documentation][10].

Syntax

Access to google.com:

<access origin="http://google.com" subdomains="false" />

Access to the secure google.com (https://):

<access origin="https://google.com" subdomains="false" />

Access to all the subdomains on google.com:

<access origin="http://google.com" subdomains="true" />

Access to all domains, including file:// protocol:

<access origin="*" subdomains="true" />