Does phonegap/callback/cordova have a whitelist on all platforms? Is it implemented the same way on each?
The whitelist is present on both iOS and Android, but not other platforms yet.
Under iOS, it goes under the name of "External Hosts," which is explained here: http://wiki.phonegap.com/w/page/41631150/PhoneGap%20for%20iOS%20FAQ
Q. Links to and imported files from external hosts don't load?
A. The latest code has the new white-list feature. If you are
referencing external hosts, you will have to add the host in PhoneGap.plist
under the "ExternalHosts" key. Wildcards are ok. So if you are connecting to
"http://phonegap.com", you have to add "phonegap.com" to the list (or use the
wildcard "*.phonegap.com" which will match subdomains as well).
For example:
<key>ExternalHosts</key>
<array>
<string>*</string>
</array>
For Android, the feature is currently undocumented and somewhat buggy, although undergoing fixes. This thread holds some good troubleshooting details: https://groups.google.com/forum/#!topic/phonegap/9NZ4J4l1I-s
In a nutshell, it is the 'access' attribute in xml/phonegap.xml. It uses perl-style regex
To allow all domains (debugging): <access origin=".*"/>
Soon, this may be change to the following syntax:
<access origin="https://example.com" subdomains="true" />
Whitelist on BlackBerry is provided as part of the WebWorks framework
and is configured via config.xml:
https://bdsc.webapps.blackberry.com/html5/documentation/ww_developing/access_element_834677_11.html
The sample project allows access to all URL via the "*" wild card.