license: Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Domain whitelisting in Apache Cordova is a security model that controls access to outside domains, such as http://google.com
. The default security policy is to block all network access. The application developer can then delcare access to specific network domains and subdomains.
Domain whitelisting lays the ground work for the W3C Widget Access specification. In the Widget Access specification, the <access>
element is used to declare access to specific network domains. In the future, Apache Cordova will abstract the platform whitelisting implementations to the W3C Widget Access specification. However, for now each platform must implement it's own domain whitelisting.
Access to google.com:
http://google.com
Access to the secure google.com (https://
):
https://google.com
Access to the subdomain maps.google.com:
http://maps.google.com
Access to all the subdomains on google.com (e.g. mail.google.com and docs.google.com):
http://*.google.com
Access to all domains (e.g. google.com and developer.mozilla.org):
*
The access rules are found in cordova.xml in res/xml/cordova.xml. These rules follow the W3C Widget Access specification such that the access elements control the whitelist. For example:
<access origin="http://127.0.0.1*"/>
For the value of the String, just include the hostname / IP Address of the URL only without the scheme or the path of the URL.
For example, if you have a URL like this: http://my.phonegap.com:443?is_awesome=yes, the whitelist value would be:
my.phonegap.com
You can also use wildcards in the value. For example, if you want to allow all subdomains, you would use this value:
*.phonegap.com
Similarly, if you want to allow all TLDs also (.com, .net, etc) you would do this:
*.phonegap.*
To allow all domains, you would just add ** “*” ** like so, this will effectively turn off the whitelist:
*