cordova-plugin-mixed-content-mode v1.0.0-230903
title: Mixed Content Mode
description: Configures Android WebView mixed content mode behavior.
cordova-plugin-Mixed-Content-Mode
At this moment, this plugin is intended only for Android platforms. This plugin permits configuring Android WebView behavior when a secure origin attempts to load a resource from an insecure origin.
Description
In Android and Apache Cordova apps targeting Build.VERSION_CODES.LOLLIPOP (SDK level 21), requests to non-HTTPS destinations are not allowed by default if your app uses the https scheme. The preferred and most secure mode of operation for WebView is never to allow mixed content, and always allowing mixed content is strongly discouraged. However, there are plenty of legitimate use cases where being more permissive may be necessary.
There are three possible configuration modes: Never allow, Always allow, or Compatibility mode (default mode selected by this plugin).
Never Allow
In this mode, the WebView will not allow a secure origin to load content from an insecure origin. This is the preferred and most secure mode of operation for the WebView and apps are strongly advised to use this mode.
Always Allow
In this mode, the WebView will allow a secure origin to load content from any other origin, even if that origin is insecure. This is the least secure mode of operation for the WebView, and where possible apps should not set this mode.
Compatibility Mode
In this mode, the WebView will attempt to be compatible with the approach of a modern web browser with regard to mixed content. Some insecure content may be allowed to be loaded by a secure origin and other types of content will be blocked. The types of content that are allowed or blocked may change from release to release and are not explicitly defined. This mode is intended to be used by apps that are not in control of the content that they render but desire to operate in a reasonably secure environment. This is the default behavior when this plugin is installed and no other mode is set.
Installation
You can install the plugin directly from the repository URL:
cordova plugin add https://github.com/carlosbet/cordova-plugin-mixed-content-mode.git
Usage
Through config.xml
MixedContentMode (String, defaults to "CompatibilityMode"). The mixed content mode to use. One of "NeverAllow", "AlwaysAllow" or "CompatibilityMode".
<preference name="MixedContentMode" value="CompatibilityMode" />
Through JavaScript
This plugin defines a global MixedContentMode object.
Although the object is in the global scope, it is not available to applications until after the deviceready event fires.
document.addEventListener("deviceready", onDeviceReady, false);

function onDeviceReady() {
    // Call exactly one of the three mode setters.
    MixedContentMode.AlwaysAllow();
    //MixedContentMode.NeverAllow();
    //MixedContentMode.CompatibilityMode();
}
Important notes
From Android 9 Pie (SDK Level 27) devices onward, clear text communication is disabled by default. To allow clear text communication, you should set the android:usesCleartextTraffic attribute in your application's config.xml file:
<platform name="android">
    <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
        <application android:usesCleartextTraffic="true" />
    </edit-config>
</platform>
Also, it's necessary to add the XML namespace for Android in the widget tag, if it is not already defined:
<widget id="you-app-id" version="1.2.3"
    xmlns="http://www.w3.org/ns/widgets"
    xmlns:cdv="http://cordova.apache.org/ns/1.0"
    xmlns:android="http://schemas.android.com/apk/res/android">
Finally, remember to adjust your Content Security Policy, if you use one.
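The settings described on this page can be reviewed before a build. The following is an added example, not part of the plugin or its documentation: a Python check that parses a config.xml and reports the mixed content mode and clear text settings. The audit_config function, the severity labels and the sample config are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MODES = {"NeverAllow", "AlwaysAllow", "CompatibilityMode"}

# Constructed sample config.xml assembled from the snippets on this page.
SAMPLE_CONFIG = """<widget id="com.example.app" version="1.2.3"
    xmlns="http://www.w3.org/ns/widgets"
    xmlns:cdv="http://cordova.apache.org/ns/1.0"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <preference name="MixedContentMode" value="AlwaysAllow" />
  <platform name="android">
    <edit-config file="app/src/main/AndroidManifest.xml" mode="merge"
                 target="/manifest/application">
      <application android:usesCleartextTraffic="true" />
    </edit-config>
  </platform>
</widget>"""


def audit_config(xml_text):
    """Return a list of (severity, message) findings for a Cordova config.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", "config.xml does not parse (is xmlns:android declared?): %s" % exc)]
    mode = "CompatibilityMode"  # plugin default when the preference is absent
    cleartext = False
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the "{namespace}" part of the tag
        # Assumption: the preference name is matched case-insensitively.
        if tag == "preference" and el.get("name", "").lower() == "mixedcontentmode":
            mode = el.get("value", "")
        elif tag == "application":
            attr = "{%s}usesCleartextTraffic" % ANDROID_NS
            cleartext = cleartext or el.get(attr) == "true"
    findings = []
    if mode not in MODES:
        findings.append(("high", "unrecognized MixedContentMode value %r" % mode))
    elif mode == "AlwaysAllow":
        findings.append(("high", "AlwaysAllow: secure origins may load any insecure content"))
    elif mode == "CompatibilityMode":
        findings.append(("info", "CompatibilityMode: some insecure content may still load"))
    if cleartext:
        findings.append(("warn", "usesCleartextTraffic=true permits clear text traffic"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print("[%s] %s" % (severity, message))
```

A call such as MixedContentMode.AlwaysAllow() from JavaScript is not visible in config.xml, so the app's scripts need the same review.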