How to add domain allow-listing in ionic capacitor app

iamtarun1993 · June 10, 2021, 9:40am

I’m working on an app and using ionic 5, capacitor 2, and angular 10. for security reasons, I need to add domain white listing.
So I modified config.xml file and changed <access origin="*"/> to <access origin="https://*.something.com" in both android and iOS.

After running the app live on a device using ionic capacitor run android -l --external --configuration=staging I can still load an iframe and access content from “abc.com” or any other domain?

Is domain whitelisting not possible in ionic capacitor?

mhartington · June 10, 2021, 1:57pm

So if you’re using Capacitor, you do not need the config.xml, since that is for cordova. Use the capacitor.config.json and the server.allowNavigation field?

iamtarun1993 · June 10, 2021, 3:12pm

We are using 4 plugins from Cordova, which is generating config.xml file inside android/app/src/main/res/xml

plugins are

    "cordova-plugin-googleplus": "^8.5.0",
    "cordova-plugin-inappbrowser": "^4.0.0",
    "cordova-plugin-screen-orientation": "^3.0.2",
    "cordova-plugin-telerik-imagepicker": "^2.3.5",

and this is XML file

<?xml version='1.0' encoding='utf-8'?>
<widget version="1.0.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
  <access origin="*" />
  
  <feature name="GooglePlus">
    <param name="android-package" value="nl.xservices.plugins.GooglePlus"/>
    <param name="onload" value="true"/>
  </feature>

  <feature name="InAppBrowser">
    <param name="android-package" value="org.apache.cordova.inappbrowser.InAppBrowser"/>
  </feature>

  <feature name="CDVOrientation">
    <param name="android-package" value="cordova.plugins.screenorientation.CDVOrientation"/>
  </feature>

  <feature name="ImagePicker">
    <param name="android-package" value="com.synconset.ImagePicker"/>
  </feature>

  
</widget>

I think because of these 4 plugins this XML file is generated and it is adding <access origin="*" />
After editing this to <access origin="https://*.something.com" and build app can’t see any changes, it still can load any iframe.
@mhartington

mhartington · June 10, 2021, 3:14pm

You can use the plugins, but Capacitor is still the one in charge of loading the app. Make your changes int capacitor.config.

iamtarun1993 · June 10, 2021, 3:18pm

Yes, I already added this inside my capacitor.config.json file and did npx cap sync also

"server": {
    "allowNavigation": [
      "something.com"
    ]
  }

but still, it is allowing me to load iframe from another domain.
@mhartington

Topic		Replies	Views
Domain whitelisting in ionic 5 with capacitor and angular Ionic Angular	1	1261	June 7, 2021
Help with Iframe in Ionic React Ionic React	5	505	April 9, 2024
Capacitor cors question Capacitor	3	767	May 3, 2021
Do Android native calls via Capacitor still use webview? ionic-v3	0	713	June 26, 2019
Host origin of Ionic app Ionic Angular	1	1994	March 25, 2021

How to add domain allow-listing in ionic capacitor app

Related topics