Cordova - Whitelist


This plugin allows us to implement whitelist policy for app's navigation. When we create a new Cordova project, the whitelist plugin is installed and implemented by default. You can open the config.xml file to see allow-intent default settings provided by Cordova.

Navigation Whitelist

In the simple example below we are allowing links to some external URL. This code is placed in config.xml. Navigation to file:// URLs is allowed by default.

<allow-navigation href = "*" />

The asterix sign, *, is used to allow navigation to multiple values. In the above example, we are allowing navigation to all sub-domains of the The same can be applied to protocol or prefix to the host.

<allow-navigation href = "*://**" />

Intent Whitelist

There is also the allow-intent element which is used to specify which URLs are allowed to open the system. You can see in the config.xml that Cordova already allowed most of the needed links for us.

Network Request Whitelist

When you look inside config.xml file, there is <access origin="*" /> element. This element allows all network requests to our app via Cordova hooks. If you want to allow only specific requests, you can delete it from the config.xml and set it yourself.

The same principle is used as in previous examples.

<access origin = "" />

This will allow all network requests from

Content Security Policy

You can see the current security policy for your app inside the head element in index.html.

<meta http-equiv = "Content-Security-Policy" content = "default-src 
   'self' data: gap: 'unsafe-eval'; style-src 
   'self' 'unsafe-inline'; media-src *">

This is default configuration. If you want to allow everything from the same origin and, then you can use −

<meta http-equiv = "Content-Security-Policy" content = "default-src 'self'">

You can also allow everything, but restrict CSS and JavaScript to the same origin.

<meta http-equiv = "Content-Security-Policy" content = "default-src *; 
   style-src 'self' 'unsafe-inline'; script-src 'self' 
   'unsafe-inline' 'unsafe-eval'">

Since this is a beginners’ tutorial, we are recommending the default Cordova options. Once you get familiar with Cordova, you can try some different values.