Skip to main content

Whitelisting

Network access control and navigation management for universal apps. All network calls are blocked by default, and all links are considered external by default and will open in the browser. To allow network calls or internal navigation, URLs must be added to the "allowedUrls" configuration.

๐ŸŽฏ URL Pattern Types

Exact Match

Match URLs exactly as specified

https://api.example.com/users

Wildcard Match

Use * to match any characters within URL segments

https://api.example.com/*

Subdomain Match

Match all subdomains of a domain

*.example.com

๐Ÿ“ Manage URLs

๐Ÿ’ป Generated Configuration
{
  "accessControl": {
    "allowedUrls": []
  }
}

Configurationโ€‹

The whitelisting system is configured through the accessControl.allowedUrls array in your app configuration:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.example.com/users",
      "*.example.com",
      "subdomain.*.example.com"
    ]
  }
}

URL Matching Patternsโ€‹

Exact Matchโ€‹

Match specific URLs exactly as they appear:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.example.com/users",
      "https://cdn.example.com/assets/logo.png"
    ]
  }
}

Wildcard Matchโ€‹

Use * to match any characters within a URL segment:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.example.com/*",
      "https://*.example.com/api/v1/*"
    ]
  }
}

Subdomain Matchโ€‹

Match all subdomains of a domain:

{
  "accessControl": {
    "allowedUrls": [
      "*.example.com",
      "subdomain.*.example.com"
    ]
  }
}

Security Benefitsโ€‹

  • Default Deny: All network requests are blocked by default, providing a secure baseline
  • Explicit Allow: Only explicitly whitelisted URLs can be accessed
  • Pattern Flexibility: Support for exact, wildcard, and subdomain matching patterns
  • Navigation Control: External links are automatically handled by the system browser

Use Casesโ€‹

API Endpointsโ€‹

Whitelist specific API endpoints your app needs to access:

{
  "accessControl": {
    "allowedUrls": [
      "https://api.myapp.com/auth/*",
      "https://api.myapp.com/users/*",
      "https://api.myapp.com/data/*"
    ]
  }
}

CDN Resourcesโ€‹

Allow access to content delivery networks:

{
  "accessControl": {
    "allowedUrls": [
      "https://cdn.jsdelivr.net/*",
      "https://unpkg.com/*",
      "*.cloudfront.net"
    ]
  }
}

Third-party Servicesโ€‹

Whitelist external services and APIs:

{
  "accessControl": {
    "allowedUrls": [
      "https://maps.googleapis.com/*",
      "https://api.stripe.com/*",
      "*.analytics.google.com"
    ]
  }
}

Implementation Notesโ€‹

  • URLs are matched against the patterns in the order they appear in the array
  • The first matching pattern allows the request
  • If no patterns match, the request is blocked
  • Subdomain patterns support multiple levels (e.g., *.*.example.com)
  • Wildcard patterns are greedy and match everything within the segment