2 Replies Latest reply on Aug 1, 2017 9:35 AM by kerrishotts

    Trying to implement secure Whitelist, but only <access origin="*" /> works

    jamminjames01 Level 1

      I'm trying to set up a more secure app, per the Whitelist suggestions at Whitelist - Apache Cordova, but nothing works except the blanket <access origin="*" /> statement in config.xml.


      All the documentation is very confusing, but as I understand it, building a more secure app means using a less inclusive statement than the above.


      I have one outside source I need to use, but when I make an access statement like:

      <access origin="http://www.example.com/app-images/*" />

      ... the app won't load, as I get a "net::ERR_FILE_NOT_FOUND (file:///android_asset/... )" popup, with the "file" URL being longer than that, but that's how it starts. So, the app can't access the files it creates on the device, it seems.


      I tried adding:

      <allow-intent href="file:///android_asset/*" />  and  <allow-navigation href="file:///android_asset/*" />

      ... to see if that would help, but it does not.


      I'm trying to be responsible here, and create a more secure app that doesn't have access to every URL, as I assume the <access origin="*" /> allows. But there is no documentation that I can find that explains how to do it very clearly.


      Any help would be appreciated.
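
Added example, not part of the original post and not Cordova's own tooling: a small Python check that lists which whitelist entries in a config.xml are broad (a bare "*", a wildcard scheme or host, or a cleartext http origin). The sample config is constructed from the entries quoted above; the widget id and the function names are assumptions. It does not diagnose the ERR_FILE_NOT_FOUND error.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml built from the entries quoted in the post.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="*" />
  <access origin="http://www.example.com/app-images/*" />
  <allow-intent href="file:///android_asset/*" />
  <allow-navigation href="file:///android_asset/*" />
</widget>"""

# Whitelist tags and the attribute that carries each URL pattern.
WHITELIST_TAGS = {"access": "origin", "allow-navigation": "href", "allow-intent": "href"}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify(pattern):
    """Return the reasons (possibly none) a whitelist pattern is broad."""
    pattern = pattern.strip()
    if pattern == "*":
        return ["matches every URL"]
    scheme, sep, rest = pattern.partition("://")
    if not sep:  # no scheme in the pattern
        scheme, rest = "", pattern
    host = rest.split("/", 1)[0]
    findings = []
    if scheme == "*":
        findings.append("matches any scheme")
    elif scheme == "http":
        findings.append("cleartext http")
    if host == "*":
        findings.append("matches every host")
    elif host.startswith("*."):
        findings.append("matches every subdomain of " + host[2:])
    return findings

def audit(config_text):
    """Return (tag, pattern, findings) for each whitelist entry with findings."""
    report = []
    for el in ET.fromstring(config_text).iter():
        attr = WHITELIST_TAGS.get(local_name(el.tag))
        if attr is None or attr not in el.attrib:
            continue
        findings = classify(el.attrib[attr])
        if findings:
            report.append((local_name(el.tag), el.attrib[attr], findings))
    return report

if __name__ == "__main__":
    for tag, pattern, findings in audit(SAMPLE_CONFIG):
        print(f"<{tag}> {pattern}: {'; '.join(findings)}")
```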