Cordova – the state of whitelisting in phonegap 1.3.0

callback, cordova, mobile, whitelist

Does phonegap/callback/cordova have a whitelist on all platforms? Is it implemented the same way on each?

Best Solution

The whitelist is present on both iOS and Android, but not other platforms yet.

Under iOS, it goes under the name of "External Hosts," which is explained here: http://wiki.phonegap.com/w/page/41631150/PhoneGap%20for%20iOS%20FAQ

Q. Links to and imported files from external hosts don't load?
A. The latest code has the new white-list feature. If you are referencing external hosts, you will have to add the host in PhoneGap.plist under the "ExternalHosts" key. Wildcards are ok. So if you are connecting to "http://phonegap.com", you have to add "phonegap.com" to the list (or use the wildcard "*.phonegap.com" which will match subdomains as well).

For example:

<key>ExternalHosts</key>
<array>
    <string>*</string>
</array>


For Android, the feature is currently undocumented and somewhat buggy, although undergoing fixes. This thread holds some good troubleshooting details: https://groups.google.com/forum/#!topic/phonegap/9NZ4J4l1I-s

In a nutshell, it is the 'access' attribute in xml/phonegap.xml. It uses Perl-style regex.

To allow all domains (debugging): <access origin=".*"/> 

Soon, this may be changed to the following syntax:

<access origin="https://example.com" subdomains="true" />


Whitelist on BlackBerry is provided as part of the WebWorks framework and is configured via config.xml:

https://bdsc.webapps.blackberry.com/html5/documentation/ww_developing/access_element_834677_11.html

The sample project allows access to all URLs via the "*" wildcard.
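An added example, not part of the answer above and not PhoneGap's own code: a small audit helper for the two whitelist styles described (wildcard host entries as in ExternalHosts, regex origins as in the Android access entry). The function names are hypothetical and the matching semantics are an assumption for illustration; the page does not say whether the platform anchors regex origins, so unanchored patterns are reported conservatively.

```javascript
// Escape regex metacharacters so a host entry is matched literally.
function escapeLiteral(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
}

// Wildcard host entry ("phonegap.com", "*.phonegap.com", "*") -> anchored RegExp.
// Assumed semantics: "*" stands for any run of host characters.
function hostEntryToRegExp(entry) {
  const body = entry.split('*').map(escapeLiteral).join('[^/]*');
  return new RegExp('^' + body + '$', 'i');
}

// True when the URL's hostname is covered by at least one wildcard entry.
function hostAllowed(entries, url) {
  const host = new URL(url).hostname;
  return entries.some((e) => hostEntryToRegExp(e).test(host));
}

// Review a regex-style origin and list what makes it broader than intended.
function auditRegexOrigin(pattern) {
  if (/^\^?\.\*\$?$/.test(pattern)) return ['allows-all'];
  const findings = [];
  if (!pattern.startsWith('^') || !pattern.endsWith('$')) findings.push('unanchored');
  // A bare "." (not escaped, not followed by a quantifier) matches any character.
  if (/(^|[^\\])\.(?![*+?])/.test(pattern)) findings.push('unescaped-dot');
  return findings;
}

// Review a wildcard host entry; only the catch-all is flagged here.
function auditHostEntry(entry) {
  return entry === '*' ? ['allows-all'] : [];
}

// Constructed sample configuration, run through both audits.
function auditSample() {
  const hosts = ['*.phonegap.com', '*'];
  const origins = ['.*', 'https://example.com', '^https://example\\.com$'];
  return {
    hosts: hosts.map((h) => [h, auditHostEntry(h)]),
    origins: origins.map((o) => [o, auditRegexOrigin(o)]),
  };
}
```

Running `auditSample()` before a release build flags the debugging catch-all entries (`*` and `.*`) so they can be replaced with the specific hosts the app needs.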