Tags: android, ajax, cordova, content-security-policy, whitelist

Cordova 5: whitelist blocking ajax calls


I'm upgrading some projects from old Cordova versions 2.x and 3.x to the latest version, 5.1. I'm forced to do this because Google Play will hold pre-4.1.1 Cordova apps hostage in May (no new submissions and no updates to existing apps).

The legacy projects I'm upgrading had all URLs allowed in the whitelist. The page I'm loading in the WebView is included in the apk assets, but it is critical for the operation to make ajax calls to some remote resource URLs. These resources were published by client companies in all sorts of domains, and since there were thousands of them, whitelisting was impractical.

Now with Cordova >4 you have to download the whitelist plugin whether you like it or not. In the new config.xml file I have:

<allow-navigation href="*" />
<allow-intent href="*" />
<access origin="*" />

But this doesn't seem enough. There's some warning in logcat about having to modify my HTML to include a Content Security Policy.

So I added this to my page:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

And now I have a problem because the legacy apps are compatible with JellyBean devices, but the whitelist plugin's CSP feature is only supported on KitKat devices.
Nevertheless, I've tested the upgraded apps on a Lollipop device and ajax calls are still blocked.

Is there a way to whitelist all possible domains without using CSP, so that I can run my apps in JellyBean?

If not, what would be the least restrictive Content Security Policy? Apparently a wildcard does not work.


Solution

  • I just found the answer myself.

    Yes, it is possible to whitelist without using the CSP feature. Just adding these wildcards to the res/xml/config.xml file is enough:

    <allow-navigation href="*" />
    <access origin="*" />
    

    My problem was a different one. The whitelist plugin's js and java files were present, but when upgrading the config file to the new format I forgot to add the feature for it:

    <feature name="Whitelist">
        <param name="android-package" value="org.apache.cordova.whitelist.WhitelistPlugin" />
        <param name="onload" value="true" />
    </feature>
    

    NOTE TO ALL: This answer does NOT work for the CLI. <feature> in this context is meant for the SDK and those using an IDE. See the documentation, "The feature Element".
    Quote:

    If you use the CLI to build applications, you use the plugin command to enable device APIs. This does not modify the top-level config.xml file, so the <feature> element does not apply to your workflow.

    If you work directly in an SDK and use the platform-specific config.xml file as source, you use the <feature> tag to enable device-level APIs and external plugins. They often appear with custom values in platform-specific config.xml files.
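Since the root cause here was a missing <feature name="Whitelist"> element in the platform config.xml, a small lint that catches exactly that mistake is useful when upgrading many legacy SDK-workflow projects. The script below is an added example, not code from the question or from Cordova; the embedded config.xml is a constructed sample, and the widget id and package class name are assumed to match what a Cordova 5 Android project generates.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an upgraded Android res/xml/config.xml (SDK workflow).
# The <feature name="Whitelist"> block is the part the answer found missing.
SAMPLE_CONFIG = """<widget id="com.example.legacy" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <feature name="Whitelist">
        <param name="android-package" value="org.apache.cordova.whitelist.WhitelistPlugin" />
        <param name="onload" value="true" />
    </feature>
    <allow-navigation href="*" />
    <allow-intent href="*" />
    <access origin="*" />
</widget>
"""
WHITELIST_CLASS = "org.apache.cordova.whitelist.WhitelistPlugin"

def local_name(tag):
    """Strip the namespace so '{http://www.w3.org/ns/widgets}access' matches 'access'."""
    return tag.rsplit("}", 1)[-1]

def check_config(xml_text):
    """Lint a platform config.xml; findings are prefixed error:, warning: or risk:."""
    root = ET.fromstring(xml_text)
    findings = []
    features = [e for e in root.iter()
                if local_name(e.tag) == "feature" and e.get("name") == "Whitelist"]
    if not features:
        findings.append('error: <feature name="Whitelist"> missing; the plugin never loads, '
                        'so every remote request is blocked')
    else:
        params = {p.get("name"): p.get("value") for p in features[0]
                  if local_name(p.tag) == "param"}
        if params.get("android-package") != WHITELIST_CLASS:
            findings.append("error: Whitelist feature must point at " + WHITELIST_CLASS)
        if params.get("onload") != "true":
            findings.append("warning: Whitelist feature lacks onload=true")
    origins = [e.get("origin") for e in root.iter() if local_name(e.tag) == "access"]
    if not origins:
        findings.append("error: no <access origin> entries; ajax to remote hosts is blocked")
    elif "*" in origins:
        findings.append('risk: <access origin="*"> lets the WebView reach any host; '
                        'list the hosts when they are known')
    return findings

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["ok: whitelist configured"]:
        print(line)
```

Run it against each upgraded project's res/xml/config.xml; the wildcard origin is reported as a risk rather than an error because, as the question explains, a fixed host list is not always feasible.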