In my app the index.html file loaded locally and additional scripts, styles and assets are loaded from example.com. I have defined the proper CSP in my index.html file and i’m using crosswalk as the browser.

The cordova-whitelist-plugin docs sais about Network Request Whitelist (<access origin="..." />)

Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks).

Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP.

Without any tags, only requests to file:// URLs are allowed. However, the default Cordova application includes by default.

After removing the access tag from config.xml I was able to load the index file but the resources loaded from within the browser failed to load with 404 ( i made sure they exist). I was able to load the index file only after I added <access origin="example.com"/>.

So my question is

Leaving aside the intent and navigation filters, is access white list necessary when CSP is enforced by the webview (crosswalk) ?