mahnunchik opened a new issue, #1742:
URL: https://github.com/apache/cordova-android/issues/1742
> Yes, I understand that accessing HTTP is insecure. But in exceptional
situations, sometimes it's necessary to make such a request.
The question is which is the proper way to access `http` resource from
`https` served app?
### Solution 1
When the app is served from `http`:
```
<preference name="scheme" value="http" />
<preference name="hostname" value="localhost" />
```
It is possible to bypass any restriction by adding the following config:
```
<edit-config file="app/src/main/AndroidManifest.xml" mode="merge"
target="/manifest/application">
<application android:usesCleartextTraffic="true" />
</edit-config>
```
But it seems that this is the least secure method of all.
### Solution 2
[`cordova-plugin-ionic-webview`](https://github.com/ionic-team/cordova-plugin-ionic-webview)
plugin allows to specify:
```
// MIXED_CONTENT_ALWAYS_ALLOW
<preference name="MixedContentMode" value="0" />
```
Android documentation:
https://developer.android.com/reference/android/webkit/WebSettings#setMixedContentMode(int)
This allows access to any `http` domains from the application.
### Questions
1. Maybe `cordova-android` implements the ability to set
`setMixedContentMode` setting?
2. Maybe there is some other way to allow access only to selected http
domains? To bypass the limitations of both Android itself and WebView.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org
