We have an application that has multiple whitelabel solutions for clients - meaning they are hosted under their own domain.
We have one Cordova app and we want users to be able to visit all these sites with this app, but I don't want to redeploy every time we sign a new client.
https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/
Example
To clarify, I would love to have something like a URL that you can point to, which loads the whitelist settings every time on startup.
http://myexampledomain.com/whitelist.config
<allow-navigation href="*.myexampledomain.com/*" />
<allow-navigation href="*.subdomain.someclientdomain.com/*" />
<allow-navigation href="*.subdomain.someclientdomainb.com/" />
<allow-navigation href="*.subdomain.someclientdomainc.com/" />
...this file would be automatically loaded on startup.
Creating a JS based plugin
If there's no current solution, is it possible to do this safely by creating a (JavaScript based) Cordova plugin? Like manually redirecting when the URL we try to load is outside a whitelist?
This means we would Cordova-whitelist everything and use our own plugin to block out everything outside our own whitelist.
(I am aware this is not safe when our database is compromised, but in that case we have bigger problems in general. Our app is for fun and does not rely on critical functionality)
There is no mechanism for dynamically updating the whitelist of an app once built. This would largely defeat the security of offering a whitelist in the first place.
The security risk for whitelisting everything is extremely high, especially if you are loading sites you don't own. Loading those sites into your app's main frame gives them access to the same Cordova bridge to which your app has access -- which means those pages can use the same plugins installed in your app. (Note: Opening those links in the In App Browser or externally does not share the same risks, since that doesn't provide access to the Cordova bridge.)
Side note: the risk is also high even if you use sites you own: should a MITM attack be successfully executed OR your backend be hacked, malicious content could be served to the end user.
Without knowing more about how your service works, it's hard to offer much more assistance, but I would suggest building a separate app for each client. You can create scripts that automate (almost) everything so that releasing updates to your clients isn't onerous.
Here are a couple more options from my experience here:
Open the URLs with the InAppBrowser plugin and the '_system' target. This should open the URL in the native browser, with the URL in full view. This seems to be allowed without whitelist adjustments.
window.open(url, '_system', 'location=yes,enableViewportScale=yes');
If you need to stay in your app (and not open the native browser), you could do a hacky work-around where you load a page that you control and trust, and pass it a dynamic URL. On that page you could then have an iframe whose source is dynamically changed based on the passed-in parameters. The app could pass in the desired URL via querystring, then just change the iframe from there.
Obviously it'd be good to limit the URLs that you'll allow there to a list you control.