Skip to main content

Whitelisting

Network access control and navigation management for universal apps. Control URL access through the access control toggle and allowedUrls configuration.

๐ŸŽฏ URL Pattern Types

Exact Match

Match URLs exactly as specified

https://api.example.com/users

Wildcard Match

Use * to match any characters within URL segments

https://api.example.com/*

Subdomain Match

Match all subdomains of a domain

*.example.com

๐Ÿ“ Manage URLs

๐Ÿ’ป Generated Configuration
{
  "accessControl": {
    "allowedUrls": []
  }
}

Configurationโ€‹

The whitelisting system is configured through the WEBVIEW_CONFIG.accessControl object:

{
  "WEBVIEW_CONFIG": {
    "accessControl": {
      "enabled": true,
      "allowedUrls": [
        "https://api.example.com/users",
        "*.example.com",
        "subdomain.*.example.com"
      ]
    }
  }
}

Access Control Toggleโ€‹

Control URL access restrictions through the accessControl.enabled setting.

Propertiesโ€‹

enabledโ€‹

  • Type: Boolean
  • Default: false
  • Description: Enables or disables access control whitelisting
  • Behavior:
    • true: Only URLs in allowedUrls array can be accessed (default deny)
    • false: All URLs are accessible (no restrictions)

allowedUrlsโ€‹

  • Type: Array of strings
  • Default: []
  • Description: List of URLs that are permitted when access control is enabled
  • Format: Supports exact URLs, wildcard patterns, and subdomain matching

Whitelisting Behaviorโ€‹

All network calls are blocked by default when access control is enabled, and all links are considered external by default and will open in the browser. To allow network calls or internal navigation, URLs must be added to the "allowedUrls" configuration.

URL Matching Patternsโ€‹

Exact Matchโ€‹

Match specific URLs exactly as they appear:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.example.com/users",
      "https://cdn.example.com/assets/logo.png"
    ]
  }
}

Wildcard Matchโ€‹

Use * to match any characters within a URL segment:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.example.com/*",
      "https://*.example.com/api/v1/*"
    ]
  }
}

Subdomain Matchโ€‹

Match all subdomains of a domain:

{
  "accessControl": {
    "allowedUrls": [
      "*.example.com",
      "subdomain.*.example.com"
    ]
  }
}

Security Benefitsโ€‹

  • Default Deny: All network requests are blocked by default, providing a secure baseline
  • Explicit Allow: Only explicitly whitelisted URLs can be accessed
  • Pattern Flexibility: Support for exact, wildcard, and subdomain matching patterns
  • Navigation Control: External links are automatically handled by the system browser

Use Casesโ€‹

API Endpointsโ€‹

Whitelist specific API endpoints your app needs to access:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.myapp.com/auth/*",
      "https://api.myapp.com/users/*",
      "https://api.myapp.com/data/*"
    ]
  }
}

CDN Resourcesโ€‹

Allow access to content delivery networks:

{
  "accessControl": {
    "allowedUrls": [
      "https://cdn.jsdelivr.net/*",
      "https://unpkg.com/*",
      "*.cloudfront.net"
    ]
  }
}

Third-party Servicesโ€‹

Whitelist external services and APIs:

{
  "accessControl": {
    "allowedUrls": [
      "https://maps.googleapis.com/*",
      "https://api.stripe.com/*",
      "*.analytics.google.com"
    ]
  }
}

Implementation Notesโ€‹

  • URLs are matched against the patterns in the order they appear in the array
  • The first matching pattern allows the request
  • If no patterns match, the request is blocked
  • Subdomain patterns support multiple levels (e.g., *.*.example.com)
  • Wildcard patterns are greedy and match everything within the segment