Whitelisting URLs - Access Origin

Higher Security for Your App

If you want to control which URLs your app can access, use the "Whitelist URLs (more secure)" option in the app builder. When you choose this option, the only URL your app can access is myapppresser.com, unless you specifically add each URL you wish to allow. This gives your app a higher level of security by denying access to every URL you have not listed, a practice called whitelisting.

Whitelisting

When you whitelist a URL, you are granting permission for your app to access that specific URL. Once you enable this feature, all other unlisted URLs are blocked.

Recommended Whitelist URLs

When you restrict access to all URLs, you need to list every URL your app needs in order to load external pages, images, styles, fonts, external services like Google Analytics, Google Fonts, embedded videos, and all other external resources.

Two Types of Whitelist Rules

When you write your whitelist rules you need to consider two types of rules: access and navigation.

  1. Access refers to content your pages need to load, such as images, fonts, styles, and other external content.
    <access origin="https://your-wordpress-site.com" subdomains="true"/>
  2. Navigation refers to the URLs where your pages load. It is used to load a page or make an AJAX call into your WordPress site.
    <allow-navigation href="https://your-wordpress-site.com" />

Here is a list of common URLs that you will need to consider:

| Common Resources | URL | Whitelist config |
| --- | --- | --- |
| MyAppPresser | https://myapppresser.com | Already added |
| Your WordPress URL | https://your-wordpress-site.com | <access origin="https://your-wordpress-site.com" subdomains="true"/> <allow-navigation href="https://your-wordpress-site.com" /> |
| WordPress Icons, Gravatar User Icons | https://s.w.org, http://0.gravatar.com, https://0.gravatar.com | <access origin="https://s.w.org" subdomains="true"/> <access origin="*://gravatar.com" subdomains="true"/> |
| Google Analytics, Google Fonts | https://google.com, https://fonts.google.com | <access origin="https://google.com" subdomains="true"/> |
| Google Maps, Google Charts | https://maps.googleapis.com, https://chart.googleapis.com | <access origin="https://googleapis.com" subdomains="true"/> |
| Amazon AWS | http://s3.amazonaws.com, https://s3.amazonaws.com | <access origin="http://s3.amazonaws.com" subdomains="true"/> |
| YouTube | https://youtube.com | <access origin="https://youtube.com" subdomains="true"/> |
| Twitter, Twitter Images | https://twitter.com, https://twimg.com | <access origin="https://twitter.com" subdomains="true"/> <access origin="https://twimg.com" subdomains="true"/> |
| Does your WordPress site use a content delivery network (CDN)? | https://cloudflare.com, https://cloudfront.net | <access origin="*://cloudflare.com" subdomains="true"/> <access origin="*://cloudfront.net" subdomains="true"/> |

Phonegap Config.xml Custom Code

To create your whitelist, add your configs to the custom config.xml field in the app builder.

<!-- Pages/AJAX: pages, API lists, logins -->
<allow-navigation href="http://your-wordpress-site.com" />

<!-- Files: images, JavaScript, stylesheets, fonts, videos, etc. -->
<access origin="http://your-wordpress-site.com" subdomains="true"/>
<access origin="https://s.w.org" subdomains="true"/>
<access origin="*://gravatar.com" subdomains="true"/>
<access origin="https://google.com" subdomains="true"/>
<access origin="https://googleapis.com" subdomains="true"/>
<access origin="http://s3.amazonaws.com" subdomains="true"/>
<access origin="https://youtube.com" subdomains="true"/>
<access origin="https://twitter.com" subdomains="true"/>
<access origin="https://twimg.com" subdomains="true"/>
<access origin="*://cloudflare.com" subdomains="true"/>
<access origin="*://cloudfront.net" subdomains="true"/>
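
Before pasting rules into the custom config.xml field, you can check them offline. The script below is an added example, not AppPresser or Cordova code: it parses a whitelist fragment, reports which of the URLs your app needs are not covered by any rule, and lists rules that permit cleartext http. The matching logic is a simplified model (an assumption, not Cordova's exact implementation), and the sample URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATTR = {"access": "origin", "allow-navigation": "href"}  # tag -> attribute holding the URL

def parse_rules(fragment):
    """Return (tag, scheme, host, subdomains) for each whitelist element."""
    root = ET.fromstring(f"<widget>{fragment}</widget>")  # fragment has no single root
    rules = []
    for el in root:
        value = el.get(ATTR.get(el.tag, ""))
        if not value:
            raise ValueError(f"<{el.tag}> lacks a usable URL attribute")
        scheme, sep, host = value.partition("://")
        if not sep:  # no scheme given, e.g. a bare "*"
            scheme, host = "*", value
        rules.append((el.tag, scheme, host.rstrip("/"), el.get("subdomains") == "true"))
    return rules

def matches(rule, url):
    """Simplified matching model (assumption): scheme, then host or subdomain."""
    _, scheme, host, subdomains = rule
    target = urlsplit(url)
    name = target.hostname or ""
    if scheme not in ("*", target.scheme):
        return False
    return host in ("*", name) or (subdomains and name.endswith("." + host))

def audit(fragment, needed):
    """Return (needed URLs no rule allows, rules that permit cleartext http)."""
    rules = parse_rules(fragment)
    blocked = [(tag, url) for tag, url in needed
               if not any(r[0] == tag and matches(r, url) for r in rules)]
    cleartext = [f"{r[1]}://{r[2]}" for r in rules if r[1] in ("http", "*")]
    return blocked, cleartext

# Constructed sample built from entries on this page.
SAMPLE = """
<allow-navigation href="https://your-wordpress-site.com" />
<access origin="https://your-wordpress-site.com" subdomains="true"/>
<access origin="*://gravatar.com" subdomains="true"/>
<access origin="http://s3.amazonaws.com" subdomains="true"/>
"""
NEEDED = [("allow-navigation", "https://your-wordpress-site.com/wp-json/"),
          ("access", "https://0.gravatar.com/avatar/sample"),
          ("access", "https://s3.amazonaws.com/sample-bucket/a.png")]

if __name__ == "__main__":
    print(audit(SAMPLE, NEEDED))
```

In this model the http-only S3 rule does not cover the https S3 URL, so that URL is reported as blocked, and both the S3 rule and the `*://` Gravatar rule are reported as allowing cleartext traffic.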

Further reading: Whitelist - Apache Cordova