# cordova-plugin-whitelist This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0 :warning: Report issues on the [Apache Cordova issue tracker](https://issues.apache.org/jira/issues/?jql=project%20%3D%20CB%20AND%20status%20in%20%28Open%2C%20%22In%20Progress%22%2C%20Reopened%29%20AND%20resolution%20%3D%20Unresolved%20AND%20component%20%3D%20%22Plugin%20Whitelist%22%20ORDER%20BY%20priority%20DESC%2C%20summary%20ASC%2C%20updatedDate%20DESC) ## Supported Cordova Platforms * Android 4.0.0 or above ## Navigation Whitelist Controls which URLs the WebView itself can be navigated to. Applies to top-level navigations only. Quirks: on Android it also applies to iframes for non-http(s) schemes. By default, navigations only to `file://` URLs, are allowed. To allow others URLs, you must add `` tags to your `config.xml`: ## Intent Whitelist Controls which URLs the app is allowed to ask the system to open. By default, no external URLs are allowed. On Android, this equates to sending an intent of type BROWSEABLE. This whitelist does not apply to plugins, only hyperlinks and calls to `window.open()`. In `config.xml`, add `` tags, like this: ## Network Request Whitelist Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks). Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP. In `config.xml`, add `` tags, like this: Without any `` tags, only requests to `file://` URLs are allowed. However, the default Cordova application includes `` by default. Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP. Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly. ### Content Security Policy Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly). On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `