0

I have cordova/phonegap app that is running fine now on iOS, Android and even wp8. I build the app for blackberry10 and was able to run it in simulator. First thing the app does is try to make some remote XHR calls, but these fails. Here are the errors I am seeing in the remote chrome console:

403 (Forbidden)

https://bloblbolob.kjsdghs.dsf Origin local:// is not allowed by Access-Control-Allow-Origin.

XMLHttpRequest cannot load https://sdkjf.jksdj.kdj Origin local:// is not allowed by Access-Control-Allow-Origin.

I have edited the config.xml and manually replaced the access property with this line:

<access subdomains="true" uri="*" />

However, that did not make any difference.

Aras
  • 5,878
  • 9
  • 49
  • 76

3 Answers3

4

The * wildcard is not allowed with XmlHttpRequest (XHR) on BlackBerry 10.

If you intend to use XHR in your BlackBerry 10 app, you must white list the URL as an access element in config.xml.

More information about accessing external resources: https://developer.blackberry.com/html5/documentation/beta/accessing_external_resources_webworks.html

Adam Stanley
  • 1,875
  • 1
  • 15
  • 16
  • 1
    I see. It sounds like we have to finally deal with this in our app and find a way to give explicit access to all of our remote servers. I also found a similar points in cordova 3.2 documentation: http://cordova.apache.org/docs/en/3.2.0/guide_appdev_whitelist_index.md.html#Whitelist%20Guide Thanks again for your answer Adam! – Aras Dec 11 '13 at 18:37
  • **Attention:** The linked page still contains examples using the `uri` attribute, which causes errors when building. According to the comments, it's deprecated anyway. Instead, using the `origin` attribute everywhere worked for me. – Cedric Reichenbach Apr 09 '16 at 10:58
2

There is one possibiblity to bypass your problem. You can completely disable the WebSecurity for your app:

http://cordova.apache.org/docs/en/3.2.0/guide_platforms_blackberry10_config.md.html

<preference name="WebSecurity" value="disable"/>

This has some negative impact, but will solve your problems. I had the same problem, because the backend of my app is hosted in our customers network. This makes it impossible to whitelist the server.

Christian Kuetbach
  • 15,850
  • 5
  • 43
  • 79
  • Funny, Adam and I actually discussed implications of this workaround in another question: http://stackoverflow.com/q/20507930/527559 Where you able to submit your app to blackberry and was your app approved with the web security disabled? – Aras Dec 11 '13 at 22:47
  • 1
    I did not submit my app to the appstore. We stopped the development for BB10 and will bring our android version to the store. This constraint drove me crazy, because I could not imagine, that there is no chance to write an app, which communicates with a custom (and at buildtime unknown) backend-URI. – Christian Kuetbach Dec 11 '13 at 22:50
  • In my applicatiojn (an app built with GWT) is no chance of navigating to another URI or injecting JS, because ther is no evil eval. – Christian Kuetbach Dec 11 '13 at 22:53
  • Exactly! We have the same issue, but as I understand it now, this is a security constraint that is only enforced by BB. Did you consider proxy domains to point to customer domains? That is something we are looking at right now. For example `customer1.ourdomain.com` -> `customer1.com` – Aras Dec 11 '13 at 22:55
  • I think `eval` is a different story, it is part of the CSP security standards which is being used by most platforms that support web apps – Aras Dec 11 '13 at 22:57
  • 1
    No, in fact our application is a client for our companies Enterprise Content Management System. Our customer store all kind of business data in the archive. There is really no chance to get them to the point to tunnel all communication through our server. They have really strict policies against this. – Christian Kuetbach Dec 11 '13 at 22:58
1

In your config.xml add

<access subdomains="true" uri="http://domain.in" /> as this is separate tag for blackberry

PLEASE NOTE : DO NOT ADD * in URI section as Blackberry does not allow “*” wildcard characters there.

Aadil Keshwani
  • 1,385
  • 1
  • 18
  • 29