In Cordova, we used to allow all xhr requests outgoing from the native app shell to any website.
Apparently, there is a vulnerability on Android that in some circumstances can trick the user into opening another app and leaking some data to it.
To mitigate this, Android and Google tell developers to ban outgoing requests to any website and then whitelist what the application can access and what can be opened in an external app (like the phonebook opening tel:, the mail app opening mailto:, Dropbox opening your https://dropbox.com/ urls, etc).
In Meteor Cordova there is a change that bans all urls by default, whitelists things like tel:, map:, mailto:, and the app's server URL (we know it since we require it on build), and provides the following API for adding new url schemes to the whitelist:
You would add this config to your mobile-config.js file (that acts like a control file in Meteor Cordova).
I am open to your thoughts on this API.
Here is the full doc:
/**
* @summary Set a new access rule based on origin domain for your app.
* By default your application has a limited list of servers it can contact.
* Use this method to extend this list.
*
* Default access rules:
*
* - `tel:*`, `geo:*`, `mailto:*`, `sms:*`, `market:*` are allowed and
* launch externally (phone app, or an email client on Android)
* - `gap:*`, `cdv:*`, `file:` are allowed (protocols required to access
* local file-system)
* app's assets)
* - The domain of the server passed to the build process (or local ip
* address in the development mode) is used to be able to contact the
* Meteor app server.
*
* Read more about domain patterns in [Cordova
*
* Starting with Meteor 1.0.4 access rule for all domains and protocols
* (`<access origin="*"/>`) is no longer set by default due to
* [certain kind of possible
*
* @param {String} domainRule The pattern defining affected domains or URLs.
* @param {Object} [options]
* @param {Boolean} options.launchExternal Set to true if the matching URL
* should be handled externally (e.g. phone app or email client on Android).
* @memberOf App
*/
Slava
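The following is an added example, not code from the Meteor project, Cordova, or the post above: a small JavaScript model of the deny-by-default whitelist the post describes, with the default rules and the `launchExternal` option taken from the doc comment. The matching semantics (`*` as a wildcard, first matching rule wins, deny when nothing matches), the case normalisation of scheme and host, and the function names `createWhitelist`, `addAccessRule` and `decide` are assumptions of this example, not the real Meteor API.

```javascript
// Added example (not Meteor's or Cordova's own code): a model of the
// whitelist behaviour described in the post. Default rules come from the
// doc comment; the matching rules and all names here are assumptions.

// Default rules as listed in the doc comment. `file:` is written as
// `file:*` so it matches any file URL under the wildcard semantics used here.
const DEFAULT_RULES = [
  // Schemes that are handed to another app rather than loaded in the webview.
  { pattern: 'tel:*', launchExternal: true },
  { pattern: 'geo:*', launchExternal: true },
  { pattern: 'mailto:*', launchExternal: true },
  { pattern: 'sms:*', launchExternal: true },
  { pattern: 'market:*', launchExternal: true },
  // Protocols needed to reach the app's own bundled assets.
  { pattern: 'gap:*', launchExternal: false },
  { pattern: 'cdv:*', launchExternal: false },
  { pattern: 'file:*', launchExternal: false },
];

// Turn a domain pattern into an anchored regular expression. Every character
// is matched literally except `*`, which matches any run of characters.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|\[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Lowercase the scheme and host so `TEL:` or `HTTPS://APP.EXAMPLE.COM` cannot
// slip past a rule written in lowercase; path, query and fragment are kept.
function normalize(url) {
  return url.replace(/^([a-z][a-z0-9+.-]*:)(\/\/[^\/?#]*)?/i, (m) => m.toLowerCase());
}

// Hypothetical counterpart of the API the post describes: append a rule for
// `domainRule`; `options.launchExternal` means "hand the URL to another app".
function addAccessRule(rules, domainRule, options = {}) {
  rules.push({ pattern: domainRule, launchExternal: Boolean(options.launchExternal) });
  return rules;
}

// Build the rule list for an app whose server URL is known at build time
// (the post says Meteor adds the server domain automatically). The server
// rule is stored as `<serverUrl>/*` so only paths under that origin match.
function createWhitelist(serverUrl) {
  const rules = DEFAULT_RULES.map((r) => ({ ...r }));
  addAccessRule(rules, serverUrl.replace(/\/+$/, '') + '/*');
  return rules;
}

// Decide what the shell does with a URL: 'allow' (XHR / webview may reach it),
// 'launchExternal' (open in another app), or 'deny' (the default now that
// `<access origin="*"/>` is no longer set).
function decide(rules, url) {
  const target = normalize(url);
  for (const rule of rules) {
    if (patternToRegExp(rule.pattern).test(target)) {
      return rule.launchExternal ? 'launchExternal' : 'allow';
    }
  }
  return 'deny';
}

// Usage with a constructed sample app server and sample URLs.
const rules = createWhitelist('https://app.example.com');
addAccessRule(rules, 'https://api.example.com/*');
addAccessRule(rules, 'https://dropbox.com/*', { launchExternal: true });
for (const u of [
  'https://app.example.com/sockjs/info',
  'tel:+15550100',
  'https://dropbox.com/s/abc',
  'https://evil.example/track?x=1',
]) {
  console.log(u, '->', decide(rules, u));
}
```

Two points worth noticing when running it: a URL whose host merely starts with the server's host (`https://app.example.com.evil.example/`) is denied, because the server rule requires a `/` right after the whitelisted host; and the case normalisation only touches scheme and host, so a rule with a specific path still compares that path exactly.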