This plugin allows us to implement a whitelist policy for the app's navigation. When we create a new Cordova project, the whitelist plugin is installed and configured by default. You can open the config.xml file to see the default allow-intent settings provided by Cordova.
Navigation Whitelist
Navigation to file:// URLs is allowed by default.
<allow-navigation href = "http://example.com/*" />
The asterisk, *, is a wildcard that matches multiple values. In the example above, the wildcard in the path allows navigation to every page on example.com. Applying it to the protocol and as a prefix to the host extends this to all subdomains of example.com:
<allow-navigation href = "*://*.example.com/*" />
Intent Whitelist
There is also an allow-intent element, which specifies which URLs the app is allowed to ask the system to open. You can see in config.xml that Cordova already allows most of the needed links for us.
Network Request Whitelist
When you look inside the config.xml file, there is an <access origin="*" /> element. This element allows our app to make network requests to any origin. If you want to allow only specific requests, you can delete it from config.xml and set it yourself.
The same principle is used as in previous examples.
<access origin = "http://example.com" />
This will allow all network requests from the app to http://example.com.
Content Security Policy
You can see the current security policy for your app inside the head element in index.html:
<meta http-equiv = "Content-Security-Policy" content = "default-src
'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src
'self' 'unsafe-inline'; media-src *">
This is the default configuration. If you want to allow everything, but only from the same origin and foo.com, you can use:
<meta http-equiv = "Content-Security-Policy" content = "default-src 'self' foo.com">
You can also allow everything, but restrict CSS and JavaScript to the same origin:
<meta http-equiv = "Content-Security-Policy" content = "default-src *;
style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'">
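To review a project's config.xml whitelist and its CSP meta tag for the over-broad settings discussed above, here is an added Python script that is not part of this tutorial or of Cordova. The sample config.xml and CSP string are constructed for the example (the CSP value is the default one shown above), and the function names and finding messages are my own.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml in the shape Cordova's template generates
SAMPLE_CONFIG = """<widget id="com.example.app" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
    <access origin="*" />
    <allow-navigation href="*://*.example.com/*" />
    <allow-navigation href="*" />
</widget>"""
# The default CSP value from the index.html meta tag shown above
SAMPLE_CSP = ("default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; "
              "style-src 'self' 'unsafe-inline'; media-src *")
W3_NS = {"w": "http://www.w3.org/ns/widgets"}  # default namespace of config.xml

def host_of(pattern):
    """Host part of a whitelist pattern such as scheme://host/path."""
    rest = pattern.split("://", 1)[1] if "://" in pattern else pattern
    return rest.split("/", 1)[0]

def audit_config(xml_text):
    """Whitelist entries in config.xml whose host is a bare wildcard."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.findall("w:access", W3_NS):
        if host_of(el.get("origin", "")) == "*":
            findings.append("access: network requests allowed to any host")
    for el in root.findall("w:allow-navigation", W3_NS):
        href = el.get("href", "")
        if host_of(href) == "*":
            findings.append(f"allow-navigation: {href!r} lets the WebView load any site")
    return findings

def parse_csp(content):
    """Split a CSP string into {directive: [source expressions]}."""
    policy = {}
    for directive in content.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def audit_csp(content):
    """CSP directives that give up the protection CSP is meant to provide."""
    findings = []
    for directive, sources in parse_csp(content).items():
        if "*" in sources:
            findings.append(f"{directive}: any origin allowed (*)")
        if "'unsafe-eval'" in sources:
            findings.append(f"{directive}: eval() permitted by 'unsafe-eval'")
        if "'unsafe-inline'" in sources and directive in ("default-src", "script-src"):
            findings.append(f"{directive}: inline scripts permitted by 'unsafe-inline'")
    return findings
```

Run audit_config on the real config.xml and audit_csp on the content attribute of the meta tag; an empty list means none of the flagged patterns is present, not that the policy is tight.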