I'm trying to set up a more secure app, per the Whitelist suggestions at Whitelist - Apache Cordova, but nothing works except the blanket <access origin="*" /> statement in config.xml.
All the documentation is very confusing, but as I understand it, building a more secure app means using a less inclusive statement than the above.
I have one outside source I need to use, but when I make an access statement like:
<access origin="http://www.example.com/app-images/*" />
... the app won't load, as I get a "net::ERR_FILE_NOT_FOUND (file:///android_asset/... )" popup, with the "file" URL being longer than that, but that's how it starts. So, the app can't access the files it creates on the device, it seems.
I tried adding:
<allow-intent href="file:///android_asset/*" /> and <allow-navigation href="file:///android_asset/*" />
... to see if that would help, but it does not.
I'm trying to be responsible here, and create a more secure app that doesn't have access to every URL, as I assume the <access origin="*" /> allows. But there is no documentation that I can find that explains how to do it very clearly.
Any help would be appreciated.
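
An added example, not part of the original post and not Cordova's own tooling: a small audit that lists every whitelist entry in a config.xml and flags the broad ones, such as the `<access origin="*" />` entry discussed above. The sample config.xml, the function name `audit_whitelist` and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not the poster's real file); it combines the
# entries quoted in the post so each kind of finding shows up once.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app" version="1.0.0">
    <access origin="*" />
    <access origin="http://www.example.com/app-images/*" />
    <allow-intent href="file:///android_asset/*" />
    <allow-navigation href="file:///android_asset/*" />
</widget>
"""

# Whitelist tags mentioned in the post and the attribute that holds the pattern.
WHITELIST_TAGS = {"access": "origin", "allow-intent": "href", "allow-navigation": "href"}


def audit_whitelist(config_xml):
    """Return a (tag, pattern, finding) tuple for every whitelist entry."""
    root = ET.fromstring(config_xml)
    results = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        attr = WHITELIST_TAGS.get(tag)
        if attr is None:
            continue
        pattern = elem.get(attr, "")
        # Host part of the pattern: text between "://" and the next "/".
        host = pattern.split("://", 1)[-1].split("/", 1)[0]
        if pattern == "*":
            finding = "wildcard: matches every URL"
        elif host.startswith("*"):
            finding = "wildcard host"
        elif pattern.startswith("http://"):
            finding = "cleartext http"
        else:
            finding = "scoped"
        results.append((tag, pattern, finding))
    return results


if __name__ == "__main__":
    for tag, pattern, finding in audit_whitelist(SAMPLE_CONFIG):
        print(f"{tag:17} {pattern:40} {finding}")
```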