What is the state of whitelisting in phonegap 1.3.0?

Peter Ehrlich picture Peter Ehrlich · Jan 17, 2012 · Viewed 9.3k times · Source

Does phonegap/callback/cordova have a whitelist on all platforms? Is it implemented the same way on each?

Answer

Peter Ehrlich picture Peter Ehrlich · Jan 17, 2012

The whitelist is present on both iOS and Android, but not other platforms yet.

Under iOS, it goes under the name of "External Hosts," which is explained here: http://wiki.phonegap.com/w/page/41631150/PhoneGap%20for%20iOS%20FAQ

Q. Links to and imported files from external hosts don't load?
A. The latest code has the new white-list feature. If you are 
referencing external hosts, you will have to add the host in PhoneGap.plist 
under the "ExternalHosts" key. Wildcards are ok. So if you are connecting to
"http://phonegap.com", you have to add "phonegap.com" to the list (or use the 
wildcard "*.phonegap.com" which will match subdomains as well).

For example:

<key>ExternalHosts</key>
<array>
    <string>*</string>
</array>


For Android, the feature is currently undocumented and somewhat buggy, although undergoing fixes. This thread holds some good troubleshooting details: https://groups.google.com/forum/#!topic/phonegap/9NZ4J4l1I-s

In a nutshell, it is the 'access' attribute in xml/phonegap.xml. It uses perl-style regex

To allow all domains (debugging): <access origin=".*"/> 

Soon, this may be change to the following syntax:

<access origin="https://example.com" subdomains="true" />


Whitelist on BlackBerry is provided as part of the WebWorks framework and is configured via config.xml:

https://bdsc.webapps.blackberry.com/html5/documentation/ww_developing/access_element_834677_11.html

The sample project allows access to all URL via the "*" wild card.