What is the state of whitelisting in PhoneGap 1.3.0?

The whitelist is present on both iOS and Android, but not on other platforms yet.

Under iOS, it goes under the name of “External Hosts,” which is explained here: http://wiki.phonegap.com/w/page/41631150/PhoneGap%20for%20iOS%20FAQ

Q. Links to and imported files from external hosts don't load?
A. The latest code has the new white-list feature. If you are 
referencing external hosts, you will have to add the host in PhoneGap.plist 
under the "ExternalHosts" key. Wildcards are ok. So if you are connecting to
"http://phonegap.com", you have to add "phonegap.com" to the list (or use the 
wildcard "*.phonegap.com" which will match subdomains as well).

For example:

<key>ExternalHosts</key>
<array>
    <string>*</string>
</array>

For Android, the feature is currently undocumented and somewhat buggy, although undergoing fixes. This thread holds some good troubleshooting details: https://groups.google.com/forum/#!topic/phonegap/9NZ4J4l1I-s

In a nutshell, it is the ‘access’ element in xml/phonegap.xml. Its origin attribute takes a Perl-style regex.

To allow all domains (debugging): <access origin=".*"/> 

Soon, this may be changed to the following syntax:

<access origin="https://example.com" subdomains="true" />
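Because the current Android origin value is a regex, it is worth checking what a pattern actually lets through before it goes into xml/phonegap.xml. The following is an added example, not PhoneGap's code and not from the original post: it lists which constructed sample origins a pattern allows. It assumes the pattern must match the whole origin string; all function names and sample origins are hypothetical.

```javascript
// Added example: audit regex-style whitelist origins against sample origins.
// Assumption: a pattern must match the entire origin string (full match).
// PhoneGap's own matching code is not shown on the page.

const SAMPLE_ORIGINS = [ // constructed test inputs
  "https://example.com",
  "https://api.example.com",
  "https://example.com.other.test",
  "https://exampleXcom",
  "http://unrelated.test",
];

// Return the origins that a single regex pattern would allow.
function allowedBy(pattern, origins = SAMPLE_ORIGINS) {
  const re = new RegExp("^(?:" + pattern + ")$");
  return origins.filter((o) => re.test(o));
}

// Escape regex metacharacters so that "." only matches a literal dot.
function escapeLiteral(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a tight pattern for one scheme and host, optionally with subdomains.
function originPattern(scheme, host, subdomains) {
  const prefix = subdomains ? "(?:[a-z0-9-]+\\.)*" : "";
  return escapeLiteral(scheme + "://") + prefix + escapeLiteral(host);
}

// True when the pattern allows every sample origin, as ".*" does.
function isAllowAll(pattern, origins = SAMPLE_ORIGINS) {
  return allowedBy(pattern, origins).length === origins.length;
}

// Report each pattern with what it admits.
for (const p of [
  ".*",                                        // debugging entry from the post
  "https://example.com",                       // unescaped dots
  originPattern("https", "example.com", true), // escaped, with subdomains
]) {
  console.log(p, isAllowAll(p) ? "[ALLOW-ALL]" : "", allowedBy(p));
}
```

The unescaped pattern also admits https://exampleXcom because "." matches any character; the escaped pattern admits only example.com and its subdomains.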

The whitelist on BlackBerry is provided as part of the WebWorks framework and is configured via config.xml:

https://bdsc.webapps.blackberry.com/html5/documentation/ww_developing/access_element_834677_11.html

The sample project allows access to all URLs via the “*” wildcard.
