add note about redirects
Project: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/repo Commit: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/commit/0c3b591c Tree: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/tree/0c3b591c Diff: http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/diff/0c3b591c Branch: refs/heads/1.2.x Commit: 0c3b591ce8ee0d0100af4b151ae43e0eabfed7a1 Parents: acee686 Author: Carlos Santana <[email protected]> Authored: Sun Feb 21 11:39:46 2016 -0800 Committer: Carlos Santana <[email protected]> Committed: Sun Feb 21 11:39:46 2016 -0800 ---------------------------------------------------------------------- README.md | 3 +++ 1 file changed, 3 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist/blob/0c3b591c/README.md ---------------------------------------------------------------------- diff --git a/README.md b/README.md index e846991..45d4d14 100644 --- a/README.md +++ b/README.md @@ -112,6 +112,9 @@ In `config.xml`, add `<access>` tags, like this: Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default Cordova application includes `<access origin="*">` by default. + +Note: Whitelist cannot block network redirects from a whitelisted remote website (i.e. http or https) to a non-whitelisted website. Use CSP rules to mitigate redirects to non-whitelisted websites for webviews that support CSP. + Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly. ### Content Security Policy
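Review bot: The added "Note:" paragraph tells readers to "Use CSP rules" without saying which rules or pointing to the "### Content Security Policy" section that starts right below it; suggest linking to that section from the note so the mitigation is actionable. The note also leaves open what happens on webviews that do not support CSP: if redirects cannot be restricted there, state that explicitly so nobody assumes the `<access>` tags cover it. Minor wording: "Whitelist cannot block" would be clearer as "The `<access>` whitelist cannot block", since the sentence sits in the `<access>` tags text and the bare word does not say which setting is meant.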
