How to access http resource from https served app?

[mahnunchik]

Yes, I understand that accessing HTTP is insecure. But in exceptional situations, sometimes it's necessary to make such a request.

The question is which is the proper way to access http resource from https served app?

Solution 1

When the app is served from http:

<preference name="scheme" value="http" />
<preference name="hostname" value="localhost" />

It is possible to bypass any restriction by adding the following config:

    <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
      <application android:usesCleartextTraffic="true" />
    </edit-config>

But it seems that this is the least secure method of all.

Solution 2

cordova-plugin-ionic-webview plugin allows to specify:

// MIXED_CONTENT_ALWAYS_ALLOW
<preference name="MixedContentMode" value="0" />

Android documentation: https://developer.android.com/reference/android/webkit/WebSettings#setMixedContentMode(int)

This allows access to any http domains from the application.

Questions

1. Maybe cordova-android implements the ability to set setMixedContentMode setting?
2. Maybe there is some other way to allow access only to selected http domains? To bypass the limitations of both Android itself and WebView.

[mahnunchik]

Related:

• Cannot load non-https content from cordova app cordova-android#1681
• Unable to make any API calls cordova-android#1585
• XHR Request fail with CORS Access-Control-Allow-Origin on Cordova android 10 cordova-android#1354
• https://stackoverflow.com/questions/42119836/how-to-load-third-party-non-secure-images-in-cordova-webview

[mahnunchik]

For some reason, iOS allows any HTTP and HTTPS requests from an application served from the app:// scheme.

[breautek]

There are two network stacks at play: 1) Native network stack, and 2) The webview network stack.

The webview network stack does use the native network stack, so policies that apply to the native network stack also applies to webview networking. However the webview network stack may apply additional policies that affects the behaviour of the web app.

By default android blocks plaintext (insecure) network traffic at the native network stack level. Webview may have additional policies, like blocking network insecure traffic when the document origin is https. So there might be multiple configurations required to allow non-secure traffic.

Native Network Stack

To address the native stack, you don't need to broadly allow plaintext traffic, you can use a network policy to isolate it to a specific domain.

So instead of:

<!-- config.xml -->
<edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
    <application android:usesCleartextTraffic="true" />
</edit-config>

You can do this instead:

<!-- config.xml -->
<edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
    <application android:networkSecurityConfig="@xml/network_security_config"
</edit-config>

This points android to a network_security_config.xml file, which we haven't created yet.

<!-- network_security_config.xml -->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
    </domain-config>
</network-security-config>

And then finally, we can add another line inside config.xml to prepare the file into it's proper place in the native project:

<!-- config.xml -->
<resource-file src="network_security_config.xml" target="res/xml/network_security_config.xml" />

More information on the android's security config can read at https://developer.android.com/privacy-and-security/security-config

Webview network stack

Adjusting the native network policies might not be enough. By default android apps are hosted through WebViewAssetLoader and is configured on the https:// scheme. Loading non-https content on https documents is usually blocked by the webview.

Therefore the following might be necessary:

<!-- config.xml -->
<preference name="scheme" value="http" />

Which will turn the hosted container into a http:// application. While it's on plaintext protocol, it's still secure in the sense that it's not truly communicating over the network stack (implementation details of WebViewAssetLoader) but the webview will treat the document as an insecure context and may disable features that are normally only enabled while on https.