6
votes

I'm working on a JavaScript app wrapped in Cordova and built with Phonegap Build. We're including cordova-plugin-whitelist from npm in our build and have added <access origin="*" /> to our config.xml and an open CSP (<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">) in our index.html. The app works fine on Android and talks to our server without issues, but on iOS all requests fail immediately as if the whitelist plugin isn't letting traffic through.

I've tried a number of different build configurations in case something broke in a particular version of Cordova, but haven't been able to get this to work at all. I've had a similar issue with other Phonegap/Cordova apps in the past but was able to solve it with the whitelist plugin/CSP/access rule.

This issue has also been difficult to debug since the Safari Developer Tools won't connect to the iOS device and I'm having to alert the responses I'm seeing. It looks like the response coming back has a status code 0 and an empty body, which I'm assuming just means unreachable.


2 Answers

4
votes

You may well need to set the connect-src in your Content-Security-Policy, for example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; connect-src http://YOUR_HOST">

Additionally, for Xcode 7 / iOS 9 you will need to adjust the ATS settings to allow connections to non-HTTPS backends if you aren't using SSL:

Here's a working example of the change to your app's Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

(Note you can also configure this to selectively allow non-HTTPS connections).

And here's a script you could use as a pre-build hook for iOS to do this automatically:

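#!/bin/bash
# Cordova pre-build hook: add the ATS exception to the generated iOS Info.plist.
echo "Adjusting plist for App Transport Security exception."
# PlistBuddy errors (for example when the entry already exists) are discarded.
val=$(/usr/libexec/PlistBuddy -c "add NSAppTransportSecurity:NSAllowsArbitraryLoads bool true" platforms/ios/PROJECTNAME/PROJECTNAME-Info.plist 2>/dev/null)
echo "Done"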

Just swap out PROJECTNAME for the name of your project.
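The selective configuration mentioned in the note above, as an added example that is not part of the original answer: it audits an Info.plist for ATS settings that permit cleartext and replaces the global NSAllowsArbitraryLoads opt-out with an NSExceptionDomains entry for a single host. The sample plist is constructed, and the host api.example.test and the function names are assumptions.

```python
import plistlib

# Constructed sample: an Info.plist carrying the ATS section shown in the answer.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key>
  <string>PROJECTNAME</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""


def ats_findings(info):
    """Return the ATS settings in a parsed Info.plist that allow cleartext HTTP."""
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: cleartext allowed to every host")
    for host, rule in ats.get("NSExceptionDomains", {}).items():
        if rule.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and subdomains" if rule.get("NSIncludesSubdomains") else "only"
            findings.append(f"cleartext allowed to {host} {scope}")
    return findings


def scope_ats_to_host(plist_bytes, host):
    """Replace the global ATS opt-out with an exception for one host (hypothetical helper)."""
    info = plistlib.loads(plist_bytes)
    ats = info.setdefault("NSAppTransportSecurity", {})
    ats.pop("NSAllowsArbitraryLoads", None)  # drop the blanket exemption
    ats.setdefault("NSExceptionDomains", {})[host] = {
        "NSExceptionAllowsInsecureHTTPLoads": True,
        "NSIncludesSubdomains": False,
    }
    return plistlib.dumps(info)


if __name__ == "__main__":
    before = plistlib.loads(SAMPLE_INFO_PLIST)
    # api.example.test is an assumed backend host, not one from the page.
    after = plistlib.loads(scope_ats_to_host(SAMPLE_INFO_PLIST, "api.example.test"))
    print("before:", ats_findings(before))
    print("after: ", ats_findings(after))
```

The audit function can also run on its own in CI against the built platforms/ios/PROJECTNAME/PROJECTNAME-Info.plist to flag a release that still ships the global exemption.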

0
votes

Change your access tag to:

<access origin="https://yourdomain.com" requires-certificate-transparency='false' allows-arbitrary-loads-in-web-content='true'/>

It will update the Info.plist file accordingly in the NSAppTransportSecurity entry.

Source: https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/#ios-whitelisting