How to add domain allow-listing in ionic capacitor app

I’m working on an app and using ionic 5, capacitor 2, and angular 10. for security reasons, I need to add domain white listing.
So I modified config.xml file and changed <access origin="*"/> to <access origin="https://*" in both android and iOS.

After running the app live on a device using ionic capacitor run android -l --external --configuration=staging I can still load an iframe and access content from “” or any other domain?

Is domain whitelisting not possible in ionic capacitor?

So if you’re using Capacitor, you do not need the config.xml, since that is for cordova. Use the capacitor.config.json and the server.allowNavigation field?

We are using 4 plugins from Cordova, which is generating config.xml file inside android/app/src/main/res/xml

plugins are

    "cordova-plugin-googleplus": "^8.5.0",
    "cordova-plugin-inappbrowser": "^4.0.0",
    "cordova-plugin-screen-orientation": "^3.0.2",
    "cordova-plugin-telerik-imagepicker": "^2.3.5",

and this is XML file

<?xml version='1.0' encoding='utf-8'?>
<widget version="1.0.0" xmlns="" xmlns:cdv="">
  <access origin="*" />
  <feature name="GooglePlus">
    <param name="android-package" value="nl.xservices.plugins.GooglePlus"/>
    <param name="onload" value="true"/>

  <feature name="InAppBrowser">
    <param name="android-package" value="org.apache.cordova.inappbrowser.InAppBrowser"/>

  <feature name="CDVOrientation">
    <param name="android-package" value="cordova.plugins.screenorientation.CDVOrientation"/>

  <feature name="ImagePicker">
    <param name="android-package" value="com.synconset.ImagePicker"/>


I think because of these 4 plugins this XML file is generated and it is adding <access origin="*" />
After editing this to <access origin="https://*" and build app can’t see any changes, it still can load any iframe.

You can use the plugins, but Capacitor is still the one in charge of loading the app. Make your changes int capacitor.config.

Yes, I already added this inside my capacitor.config.json file and did npx cap sync also

"server": {
    "allowNavigation": [

but still, it is allowing me to load iframe from another domain.