In my app the index.html file loaded locally and additional scripts, styles and assets are loaded from
example.com. I have defined the proper CSP in my index.html file and i’m using crosswalk as the browser.
The cordova-whitelist-plugin docs sais about Network Request Whitelist (
<access origin="..." />)
Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).
Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.
Without any tags, only requests to file:// URLs are allowed. However, the default Cordova application includes by default.
After removing the access tag from config.xml I was able to load the index file but the resources loaded from within the browser failed to load with 404 ( i made sure they exist). I was able to load the index file only after I added
So my question is
Leaving aside the intent and navigation filters, is
access white list necessary when CSP is enforced by the webview (crosswalk) ?