[Important] PhoneGap 3.6.3 Whitelisting Change

  • Announcement
  • Updated 6 years ago
It was recently brought to our attention that Android apps built with PhoneGap 3.6.3 on Build were not obeying whitelisting. In addition to your specified whitelists, Build was also including the following:

<access origin="http://*/*"/>
<access origin="https://*/*"/>


We've now fixed this issue, but it may affect some apps' behaviour if they were not correctly specifying their accessible domains. So if you're suddenly seeing failed requests in your app, check your whitelists. If you don't specify a whitelist in your config.xml, the defaults in the Cordova template will be used (all access).

FYI, this was a result of this change in Apache Cordova Android.
ryan, Developer
Posted 6 years ago

ryan, Developer
Also noteworthy is that the following url scheme whitelists were being included by default:

<access origin="tel:*" launch-external="yes"/>
<access origin="geo:*" launch-external="yes"/>
<access origin="mailto:*" launch-external="yes"/>
<access origin="sms:*" launch-external="yes"/>
<access origin="market:*" launch-external="yes"/>


These are now removed if you specify your own whitelist -- you'll need to specify them yourself in your config.xml if you want them present.
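
Added example (not part of the original thread or of PhoneGap Build): a small Python audit of a config.xml whitelist, flagging the all-access origins and the launch-external schemes listed above that are no longer added automatically. The sample config and the function name audit_whitelist are constructed for illustration; treating a config with no access elements as "template default, nothing missing" is an assumption based on the posts above.

```python
import xml.etree.ElementTree as ET

# Origins the posts above identify as allowing all network access.
BROAD_ORIGINS = {"*", "http://*/*", "https://*/*"}
# URL schemes Build used to whitelist by default (from the post above).
EXTERNAL_SCHEMES = ("tel", "geo", "mailto", "sms", "market")

# Constructed sample, not a real app's config.xml.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets"
        id="com.example.app" version="1.0.0">
  <name>Example</name>
  <access origin="https://api.example.com/*"/>
  <access origin="http://*/*"/>
  <access origin="tel:*" launch-external="yes"/>
  <access origin="mailto:*" launch-external="yes"/>
</widget>"""


def audit_whitelist(config_xml):
    """Summarise the <access> whitelist declared in a config.xml string."""
    root = ET.fromstring(config_xml)
    # config.xml is normally namespaced, so compare the local tag name.
    origins = [
        (el.get("origin") or "").strip()
        for el in root.iter()
        if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == "access"
    ]
    # Entries such as "tel:*" are scheme whitelists, not network origins.
    schemes = {
        o.split(":", 1)[0].lower()
        for o in origins
        if ":" in o and "://" not in o
    }
    missing = [s for s in EXTERNAL_SCHEMES if s not in schemes]
    return {
        # No <access> at all: the Cordova template default (all access).
        "uses_template_default": not origins,
        "broad": sorted(o for o in origins if o in BROAD_ORIGINS),
        "specific": sorted(
            o for o in origins if "://" in o and o not in BROAD_ORIGINS
        ),
        # Only relevant once the app declares its own whitelist.
        "missing_schemes": missing if origins else [],
    }


if __name__ == "__main__":
    for key, value in audit_whitelist(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
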

Amir
Thanks Ryan

Possibly related (not-merge)
https://getsatisfaction.com/nitobi/to...

Dustin Cooper
Hey Ryan,

I've added in the new access nodes to the config file that you noted in your initial post. I am still having issues on certain androids with the whitelisting of my url that I am making webservice calls to. The app worked fine a couple weeks ago, and still works great on iOS and some Android. Would really like it to work on all Androids :).

Please advise.

Thanks.

Petra V., Champion
Poor Ryan!
Now, he will have to find "certain androids" in which unspecified "issues" occur, hoping that you really included the access nodes exactly as described, without knowing which "the app" with "my url" you are referring to.

You are aware that helpdesk crews absolutely love mystery meat, right?

Dustin Cooper
Hey Petra,

Sorry that you're having problems retaining the topic of the initial post. The "issue" this post is discussing is obviously about a whitelisting change that is affecting Android's ability to access specified domains. They obviously found something and it's obviously not completely fixed yet.

One of the devices still posing an issue is the Motorola DROID Mini.
App ID is #1003200.

If you felt my post needed to be more descriptive you could have just said. Trying to be snide just makes you look like the fool.

Thanks for your input.

ryan, Developer
Hi Dustin,

I'd suggest that you start by removing all of your whitelists, in which case the wildcard will be used which should allow all access. Do you still see your issue? If so, what error code do you see in your response?

Also, when providing your App ID, please also provide reproduction steps in your app, so that we can reproduce your problematic request. You can send to build at phonegap.com if you want.

Dustin Cooper
So do you want me to leave only this:

<access origin="*" />

or this:

<access origin="*" />
<access origin="http://*/*"/>
<access origin="https://*/*"/>


Thanks for the advice. I'll shoot an email with reproduction steps now.

ryan, Developer
What version of Android is running on your problematic device?

Try the full wildcard:

<access origin="*" />


And then run the request again. What is the status code of the response?

Tip: use remote debugging with Chrome rather than alerts.

Dustin Cooper
The Android version is 4.4, KitKat.

Will give it another try now and let you know how it goes.

Thanks for the tip.

Dustin Cooper
Ok same issue. Error code is 0.

Dustin Cooper
bump

ryan, Developer
I'm unable to reproduce, so this is tough for me to debug. But here are some suggestions:

Is only this request failing? Or do requests to all domains fail? Launch your app and try this in the Chrome dev tools console:

$.ajax({
    url: 'http://www.nhl.com',
    success: function(data, textStatus) {
        console.log('success!');
    }
});


Same error?

Also, I don't think GETJSONP is a valid request type, though I would assume that this would default to GET so I don't think it's the problem, but it's a shot in the dark.

Try some other random requests, with and without JSONP, different domains, etc. Do they always fail?