license: Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Domain whitelisting is a security model that controls access to outside domains, such as http://google.com. Apache Cordova's default security policy allows access to any site. Before moving your application to production, you should review its whitelist and declare access to specific network domains and subdomains.
Domain whitelisting lays the groundwork for the W3C Widget Access specification. In the Widget Access specification, the <access> element is used to declare access to specific network domains. In the future, Apache Cordova will abstract the platform whitelisting implementations to the W3C Widget Access specification. However, for now each platform must implement its own domain whitelisting.
Access to google.com:
http://google.com
Access to the secure google.com (https://):
https://google.com
Access to the subdomain maps.google.com:
http://maps.google.com
Access to all the subdomains on google.com (e.g. mail.google.com and docs.google.com):
http://*.google.com
Access to all domains (e.g. google.com and developer.mozilla.org):
*
The whitelisting rules are found in res/xml/config.xml and declared with the element <access origin="..." />.
Android fully supports whitelisting syntax.
Access to google.com:
<access origin="http://google.com" />
The whitelisting rules are found in www/config.xml and declared with the element <access uri="..." />.
For a complete reference, see the BlackBerry WebWorks Access Element documentation.
Access to google.com:
<access uri="http://google.com" subdomains="false" />
Access to maps.google.com:
<access uri="http://maps.google.com" subdomains="false" />
Access to all the subdomains on google.com:
<access uri="http://google.com" subdomains="true" />
Access to all domains, including file:// protocol:
<access uri="*" subdomains="true" />
The whitelisting rules are found in AppName/config.xml and declared with the element <access origin="..." />.
iOS fully supports whitelisting syntax.
NOTE: origins specified without a protocol, such as www.apache.org rather than http://www.apache.org, default to all of the http, https, ftp, and ftps schemes.
Wildcards on iOS (*) are more flexible than the W3C Widget Access specification.
Access to all subdomains and TLDs (.com, .net, etc):
*.google.*
The whitelisting rules are found in config.xml and declared with the element <access origin="..." />.
Android fully supports whitelisting syntax.
Access to google.com:
<access origin="http://google.com" />
The application root directory's config.xml file specifies domain whitelisting rules, using the <access origin="..." /> element. For a complete reference, see the Tizen Accessing External Network Resources documentation.
Access to google.com:
<access origin="http://google.com" subdomains="false" />
Access to the secure google.com (https://):
<access origin="https://google.com" subdomains="false" />
Access to all the subdomains on google.com:
<access origin="http://google.com" subdomains="true" />
Access to all domains, including file:// protocol:
<access origin="*" subdomains="true" />
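One way to carry out the pre-production whitelist review recommended at the top of this guide is to scan a config.xml for the broad forms described above. The following is an added example, not part of the Cordova project: the function name, the finding labels and the sample config.xml are hypothetical, and the checks cover only the syntax this guide documents.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml; not taken from a real application.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="https://google.com" />
  <access origin="http://*.google.com" />
  <access origin="*.google.*" />
  <access origin="www.apache.org" />
  <access uri="http://google.com" subdomains="true" />
  <access origin="*" subdomains="true" />
</widget>"""


def audit_access_rules(config_xml):
    """Return (pattern, findings) for every <access> rule in a config.xml string."""
    results = []
    for elem in ET.fromstring(config_xml).iter():
        # Ignore any XML namespace prefix such as {http://www.w3.org/ns/widgets}.
        if elem.tag.rsplit("}", 1)[-1] != "access":
            continue
        # The guide shows origin= on most platforms and uri= on BlackBerry.
        pattern = elem.get("origin") or elem.get("uri") or ""
        findings = []
        if pattern == "*":
            findings.append("all-domains")
        else:
            scheme, sep, rest = pattern.partition("://")
            host = (rest if sep else pattern).split("/", 1)[0]
            if not sep:
                # iOS: no scheme means http, https, ftp and ftps are all allowed.
                findings.append("no-scheme")
            if host.startswith("*.") or elem.get("subdomains") == "true":
                findings.append("all-subdomains")
            if host.endswith(".*"):
                # iOS-only wildcard that also matches any TLD.
                findings.append("any-tld")
        results.append((pattern, findings))
    return results


if __name__ == "__main__":
    for pattern, findings in audit_access_rules(SAMPLE_CONFIG):
        print(f"{pattern:28} {', '.join(findings) or 'ok'}")
```

Rules that come back with an empty findings list name a single host and scheme; every other rule is a candidate for narrowing before release.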