On page 132, I describe how you can use the access element in a Cordova project's config.xml file to control what server endpoints the application can access. By default, the access element is set to:

<access origin="*" />

This means that the application can access any endpoint. The intent is that access is wide open by default and, before the application is published, the developer removes the default setting and replaces it with one or more access elements for the endpoints the application actually needs. With the correct settings in place here, the application can only access content from the specified sources, and the application is protected (more or less) from malware.

For security reasons, the Cordova team decided that this wasn't enough protection, so they re-architected the security model and implemented this whitelist capability as a core plugin. By default, Cordova applications can now access only file URLs. To access any remote endpoints, the developer (you) will need to add the new Whitelist plugin to your application (the plugin is described here: https://github.com/apache/cordova-plugin-whitelist) and make some different changes to the plugin.xml file.

The plugin.xml file supports new elements that control the whitelist plugin:

<!-- Allow links to johnwargo.com -->
<allow-navigation href="http://johnwargo.com/*" />

<!-- Wildcards are allowed for the protocol, as a prefix
     to the host, or as a suffix to the path -->
<allow-navigation href="*://*.johnwargo.com/*" />

<!-- A wildcard can be used to whitelist the entire network, -->
<allow-navigation href="*" />

<!-- The above is equivalent to these three declarations -->
<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />
<allow-navigation href="data:*" />

When you look at the default config.xml created by the Cordova 5 CLI, you'll see that the file also includes new settings that let a developer identify the external connection types the application will allow:

<?xml version='1.0' encoding='utf-8'?>
<widget id="com.johnwargo.cdva5" version="0.0.1" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <description>
        A sample Apache Cordova application that responds to the deviceready event.
    </description>
    <author email="dev@cordova.apache.org" href="http://cordova.io">
        Apache Cordova Team
    </author>
    <content src="index.html" />
    <plugin name="cordova-plugin-whitelist" version="1" />
    <access origin="*" />
    <allow-intent href="http://*/*" />
    <allow-intent href="https://*/*" />
    <allow-intent href="tel:*" />
    <allow-intent href="sms:*" />
    <allow-intent href="mailto:*" />
    <allow-intent href="geo:*" />
    <platform name="android">
        <allow-intent href="market:*" />
    </platform>
    <platform name="ios">
        <allow-intent href="itms:*" />
        <allow-intent href="itms-apps:*" />
    </platform>
</widget>
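Because the default config.xml ships with wide-open entries, a pre-release check can list the ones that still need tightening. The script below is an added example, not code from this post or from the Cordova project; the names audit_whitelist and is_broad, the sample config, and the policy of flagging any pattern that does not pin a host are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Whitelist elements and the attribute that carries the URL pattern.
RULES = {"access": "origin", "allow-navigation": "href", "allow-intent": "href"}

def is_broad(pattern):
    """True when the pattern does not pin a host (assumed audit policy)."""
    if pattern == "*":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # tel:*, sms:*, mailto:* and similar name no network host
    host = rest.split("/", 1)[0]
    return host in ("", "*")

def local(tag):
    """Strip the XML namespace that ElementTree prefixes to tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_whitelist(config_xml):
    """Return (element, pattern) pairs whose pattern matches any host."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        attr = RULES.get(local(el.tag))
        if attr and is_broad(el.get(attr, "")):
            findings.append((local(el.tag), el.get(attr)))
    return findings

# Constructed sample: CLI-style defaults plus entries pinned to example.com.
SAMPLE = """<widget id="com.example.app" version="0.0.1"
        xmlns="http://www.w3.org/ns/widgets">
    <access origin="*" />
    <access origin="https://api.example.com" />
    <allow-navigation href="*://*.example.com/*" />
    <allow-intent href="http://*/*" />
    <allow-intent href="https://*/*" />
    <allow-intent href="tel:*" />
    <platform name="android">
        <allow-intent href="market:*" />
    </platform>
</widget>"""

if __name__ == "__main__":
    for element, pattern in audit_whitelist(SAMPLE):
        print(f"too broad: <{element}> {pattern}")
```

Entries nested inside platform elements are checked as well, since the script walks the whole document.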