I am trying to get PhoneGap 2.4.0 FileTransfer working on Android 4.2.
I get a Logcat warning message saying:
The Source URL is not in white list: 'http://api.etc.com'
Inside my res/xml/cordova.xml I have
<access origin=".*" subdomains="true"/>
This is supposed to whitelist all URL's but no luck, I still get the same warning and FileTransfer error 3.
Any ideas? Can I check if cordova.xml is being parsed at all?
Edit: I'm using a CordovaWebView.
If you are not using DroidGap, you need:
Config.init(this);
In the onCreate of your activity. Otherwise, all whitelisting will fail. Just found this out after two hours of painful digging.
It should work if you change your XML to:
<access origin="*" subdomains="true"/>
This white-lists basically the entire internet. If you only want to white-list your domain, use something more specific. See details here:
http://docs.phonegap.com/en/2.4.0/guide_whitelist_index.md.html
The "origin" attribute is now "uri".
I managed to fix the problem by using PhoneGap 1.9.0 instead of 2.4.0. The errors return when using later versions.
I also managed to get it working by not using CordovaWebView but by using PhoneGap build. But this isn't viable in my case.
If you are using wild card in the whitelist URL configuration, don't use subdomain property.
Looks like you have to be very specific in how you write the tags in config.xml especially when it comes to allowing subdomains - apparently specifying subdomains does not work with wildcards so you need two blocks of tags.
<access origin="*.google.com" />
<access origin="*.googleapis.com" />
<access origin="*.gstatic.com" />
<access origin="*.googleusercontent.com" />
<access origin="google.com" subdomains="true"/>
<access origin="googleapis.com" subdomains="true"/>
<access origin="gstatic.com" subdomains="true"/>
<access origin="googleusercontent.com" subdomains="true"/>
Related
create an app on cordova and I'm using Framework7. In this application, consult a web server that returns some data to me, including a link to download a pdf material, but I'm getting an error message because I don't have permission to download it includes the website address on the access source at config.xml.
I have the cordova-plugin-whitelist plugin installed and in config.xml I configured the following
<access origin = "https://www.mysite.com.br/download/" />
<allow-intent href = "https://www.mysite.com.br/download/" />
I have already followed several recommendations from other forums, but nothing works.
I always receive the following message: net :: ERR_FAILED (https://www.mysite.com.br/download/myname.pdf)
Could someone help me solve this problem that I have been facing for 2 months.
thanks
You can try to solve by creating a more general rule as:
<widget ...>
<access origin="www.mysite.com.br/" />
<access origin="www.mysite.com.br/" />
<allow-intent href="http://www.mysite.com.br/*/*" />
<allow-intent href="https://www.mysite.com.br/*/*" />
</widget>
and a Content Security Policy as
<meta http-equiv="Content-Security-Policy" content="default-src 'self' mysite.com.br">
Take care on the position of files (.htaccess rewrite rules could make you have a hard day ifyou don't check them). I'm quite sure you just check the presence of external class on your link in HTML, isn't it?
I'm using Cordova 7.0.1, and trying to set the contents of an iframe using a generated blob: url, but the result is an empty iframe, and no console errors.
If I disable blob: urls in the content security policy, I get an error as I would expect. So I'm fairly confident my problem is not the CSP.
I've also whitelisted * in config.xml to no avail:
<allow-navigation href="*" />
<allow-intent href="*" />
Constructing a data: url works. Why doesn't blob:?
Ages ago, probably with Cordova 5, I had this working. Is this no longer permitted? Is there a way to allow it again, or an alternative method?
To allow blob scheme, we have to set the following in config.xml:
<allow-navigation href="blob:*" />
More info on this is available on Issue:CB9558 under official apache cordova issue tracker.
I have tried this method and it is working perfevtly in Android but not in IOS
Call
And in my config.xml file
<access origin="tel:*" launch-external="yes" />
the above method is tested in real devices and it is working only for android, is there any other method to make it work in IOS
This method worked for me in IOS
<div onclick="window.open('tel:7795713372', '_system', 'location=yes')">Call me</div>
Also you need to install cordova inapp browser plugin. And need to whitelist the request in config.xml by adding whitelist plugin.
Use below code to make it work
Call me
For your code to work on IOS you need to add in the config.xml
<allow-navigation href="tel:*" />
Doing this breaks the functionality on android so make sure to add it inside
<platform name="ios">
To work on IOS you need to add in the config.xml
in .js
window.open('tel:' + number, '_system');
This is driving me crazy. I'm working on a Ionic app (Cordova, Angular etc). I have a contact us link which contains a mailto: href
href="mailto:info#somedomain.net?subject=my%20App"
I've read countless posts on SO that say you have to remove
<access origin="*"/>
from the config.xml in the project root and replace it with:
<access origin="mailto:*" launch-external="true" />
Which I've done. When I run ionic build it gets added to the config.xml in platforms/android/res/xml. But no matter what I do the link doesn't open the mail app on any Android simulator (even when email is configured in the simulator).
Sadly I don't have a device to test on - so is this just a emulator thing or am I missing something?
You must install the cordova plugin whitelist:
cordova plugin add cordova-plugin-whitelist
or if you want to save the reference to your config.xml file:
cordova plugin add cordova-plugin-whitelist --save
and that you have to add the intent to your config.xml file:
<allow-intent href="mailto:*" />
You can find more info here.
Try this:
window.location.href = "mailto:your#ema.il?subject=Works on iOS too";
I just solved this thanks to the responses & articles above. I'm not sure what has or hasn't changed since the above postings, but for the reference of others; I now have http://, https://, tel:, & mailto: working with only the inappbrowser plugin installed and no manual edits to config.xml needed. I did everything mentioned above & it still wasn't working, so I started fiddling and found that I the window.open() call requires the second parameter of "_system" to work correctly (it tried to use the browser and "navigate" to http://mailto:xxx... without the "_system" flag).
However, for curiousity's sake, I uninstalled the whitelist plugin and removed the manual edits in config.xml and it still works.
Notes:
-I don't remember all the variations I tried, but onclick couldn't access the Ionic/Angular/Cordova scope(s), so I stuck with ng-click.
-I did not / have not tried using href="..." with any of the options.
(If I remember, I'll test them and update this to reflec my results.)
So, with only the cordova-plugin-inappbrowser installed and no config.xml edits, here are my working / tested solutions:
ng-click="window.open('http://somesite.com', '_system')"
ng-click="window.open('https://google.com', '_system')"
ng-click="window.open('tel:(123) 345-4567')"
ng-click="window.open('mailto:email#example.com', '_system')"
Tested 9/20/2016 Using:
HTC One M8, android 6 ,cordova v6.3.1, cordova-plugin-inappbrowser v1.5.0, ionic v2.0.0, jdk1.8.0_101, android SDKs 21, 23, & 24 installed
what if you replace "true" with "yes"... I use this in my app and it works.
<access origin="tel:*" launch-external="yes"/>
Ran into this today and noticed something that affected mailto, but not tel, links:
In addition to adding the intent to the cordova config as described by dave's answer
<allow-intent href="mailto:*" />
I also had to allow mailto links in the csp header of my page
<meta http-equiv="Content-Security-Policy" content="default-src 'self' mailto:*">
Didn't see any documentation around this behaviour of CSP headers.
Just in addition to use Cordova's WhiteListPlugin ;
It worked for me in this way:
in config.xml
<access origin="*"/>
<access origin="mailto:*" launch-external="true" />
<allow-intent href="mailto:*" launch-external="yes"/>
And specially for ios add :
<platform name="ios">
<allow-navigation href="mailto:*" launch-external="yes"/>
...
<platform name="ios">
Altering Cordova's WhiteListPlugin in config.xml did not work for me -- <access >,`. I tried many combinations, including those above. Doesn't mean these won't work necessarily, just for my setup it doesn't. (Building for Browser, Android, and iOS)
However, using the Cordova InAppBrowser Plugin worked:
As mentioned above, use the inAppBrowser plugin and set the target to _system.
This by passes the issues I was seeing in iOS with unsupported url, and launches the native systems web browser (i.e., Does not rely on WhiteListPlugin to allow the URL call).
Hope this helps.
Cordova version 6.3.1.
I recently upgraded my cordova based Android app from 3.5.0 to 3.6.3. The special links "tel", "sms", and "mailto" stopped working. When clicked, nothing happens. Is there anything I can do in the AndroidManifest.xml, or Confix.xml or anything else to get them back working?
I built two identical and very simple android apps to prove my suspicion, one with cordova 3.5.0 and one with 3.6.3. Both of them have a simple link:
Call
The first one works, the second one doesn't work.
I think they added a security feature that blocks intents somehow.
PS: both apps built like this:
cordova create app com.tmp.app "App"
cordova platform add android
and in index.html, I added the telephone link above on the device ready block.
Please help.
I finally found the answer. All you have to do is add the following to config.xml:
<access origin="tel:*" launch-external="yes"/>
<access origin="geo:*" launch-external="yes"/>
<access origin="mailto:*" launch-external="yes"/>
<access origin="sms:*" launch-external="yes"/>
<access origin="market:*" launch-external="yes"/>
It all started by IBM!!!
IBM Cordova Security Issues
I had an App built on 3.5.1 version and all special links were working fine. But when i upgraded on the latest version 3.6.3 then they did not work.
So I made below changes in the code and now they works fine.
Add InAppBrowser plugin
cordova plugin add org.apache.cordova.inappbrowser
Create custom function in your JS file to open special links within the InApp browser
var app = {
initialize: function() {
this.bindEvents();
},
bindEvents: function() {
document.addEventListener('deviceready', this.onDeviceReady, false);
},
onDeviceReady: function() {
app.receivedEvent('deviceready');
},
openNativeAppWindow: function(data) {
window.open(data, '_system');
}
};
The place where you are invoking special links like sms or tel then
pass on your custom url with data and let it open the native browser
window which in turn will push the native App to handle the special
urls.
Few example:
<br><br><input type="button" onClick="app.openNativeAppWindow('http://google.com')" value="Open Google"/>
<br><br><a onClick="app.openNativeAppWindow('geo://0,0?q=dallas')" data-rel="external">google maps</a>
<br><br><a onClick="app.openNativeAppWindow('geo:0,0?q=Bacau')">Geolocation Test</a>
<br><br><a onClick="app.openNativeAppWindow('geo:0,0?q=34.99,-106.61(Treasure)')">longitude & latitude with a string label</a>
<br><br><a onClick="app.openNativeAppWindow('geo:0,0?q=1600+Amphitheatre+Parkway%2C+CA')">street address Test</a>
<br><br><a onClick="app.openNativeAppWindow('sms:2125551212')">SMS</a>
<br><br><a onClick="app.openNativeAppWindow('mms:2125551212')">MMS</a>
<br><br><a onClick="app.openNativeAppWindow('tel:2125551212')">Open Phone Dialer</a>
As of Cordova 4.0 you must include the whitelist plugin.
<gap:plugin name="cordova-plugin-whitelist" source="npm" />
<allow-intent href="tel:*" />
https://github.com/apache/cordova-plugin-whitelist
Modify the Cordova whitelist
One of the security fixes involves creating a new whitelist for non http/s protocols. If your application uses other protocols besides http:// and https://, such as sms:, mailto:, geo:,tel: etc., then you will need to make some configuration changes to add these protocols to the whitelist.
This is easy to do:
Open up the Cordova config.xml file, located at: yourProject --> apps --> yourProject --> android --> native --> res --> xml --> config.xml. Note: If you have a file located at yourProject --> apps --> yourProject --> android --> nativeResources --> res --> xml, you will have to make the changes to this file (under the nativeResources folder) instead, since if this file exists, it will overwrite the config.xml in /native/ folder when the app is rebuilt.
Scroll to your whitelist entries. You should see items listed like this:
<access origin="https://my.company.com/resources" />
<access origin="http://*.othersupplier.com" />
For every non http/https protocol that you use, you will have to add a whitelist entry like this:
<access origin="sms://*" launch-external="true" />
<access origin="mailto://*" launch-external="true" />
The launch-external attribute will tell Cordova to allow this URL to be handled by other applications in Android system - not by the currently running Cordova/Worklight application.
This will mean that when a user clicks on a <a href="sms:555..."> link, Android will let whatever application is registered to sms: handle the request.
If the only entry that is in your whitelist looks like this:
<access origin="*" />
then your application will allow resource requests to any internet resource, which could open your application to certain kinds of attacks.
You should list specific domains in this tag that you want to be able to access.
If your whitelist looks like this:
<access origin="https://www.ibm.com" />
<access origin="https://my-worklight-server.company.com" />
and inside your application you utilize the mailto: protocol to open a user's email client, and the geo: protocol to display a map, then you should modify the whitelist to look like:
<access origin="https://www.ibm.com" />
<access origin="https://my-worklight-server.company.com" />
<access origin="mailto://*" launch-external="true" />
<access origin="geo://*" launch-external="true" />
HTML :
Call
Add to file "config.xml" :
<access origin="tel:*" launch-external="yes"/>
source :
https://www.ibm.com/developerworks/community/blogs/worklight/entry/action_required_cordova_android_security_update?lang=en`
If you have these lines in your config.xml, then comment them out.
<!--<allow-navigation href="*" />
<allow-navigation href="*://*" />-->