How to access `http` resource from `https` served app?

[mahnunchik]

Yes, I understand that accessing HTTP is insecure. But in exceptional situations, sometimes it's necessary to make such a request.

The question is which is the proper way to access http resource from https served app?

Solution 1

When the app is served from http:

<preference name="scheme" value="http" />
<preference name="hostname" value="localhost" />

It is possible to bypass any restriction by adding the following config:

    <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
      <application android:usesCleartextTraffic="true" />
    </edit-config>

But it seems that this is the least secure method of all.

Solution 2

cordova-plugin-ionic-webview plugin allows to specify:

// MIXED_CONTENT_ALWAYS_ALLOW
<preference name="MixedContentMode" value="0" />

Android documentation: https://developer.android.com/reference/android/webkit/WebSettings#setMixedContentMode(int)

This allows access to any http domains from the application.

Questions

1. Maybe cordova-android implements the ability to set setMixedContentMode setting?
2. Maybe there is some other way to allow access only to selected http domains? To bypass the limitations of both Android itself and WebView.

[mahnunchik]

Related:

• Cannot load non-https content from cordova app cordova-android#1681
• Unable to make any API calls cordova-android#1585
• XHR Request fail with CORS Access-Control-Allow-Origin on Cordova android 10 cordova-android#1354
• https://stackoverflow.com/questions/42119836/how-to-load-third-party-non-secure-images-in-cordova-webview

[mahnunchik]

For some reason, iOS allows any HTTP and HTTPS requests from an application served from the app:// scheme.

[breautek]

I'm moving this to cordova discussions because it doesn't describe a bug, but it is a valid community question that does come up time to time.