Specifies the network resources that the application can access. Use this element to specify cross-domain URIs which your application requires but which are not local.


<access origin="string" subdomains=["true" | "false"] />


The <access> element specifies that a Cordova app can access external network resources. By default, if you do not specify an <access> element, an app has access to local resources only. Local resources include all resources packaged in the app's .bar file.

When you specify more than one <access> element, the most specific definition is used. For example, if you use http://somedomain.com and http://specific.somedomain.com, the <access> element that uses the first definition (and any features defined under it) is ignored.

As a good practice, use HTTPS to expose sensitive APIs and to protect your communication channel. For more information about whitelisting, see the Whitelist Guide in the Cordova Documentation.


Zero or more.

Parent elements:


Child elements:





You can define the following attributes for this element:

Attribute Description

Optional. The origin attribute defines the web address for the access request.

For domains that access data through XMLHttpRequest, explicitly specify the domain for the origin attribute. For domains that don't access content through XMLHttpRequest, you can specify a wildcard (*) for the origin attribute to whitelist any domain.

uri Deprecated. Instead, use the origin attribute. The uri attribute defines the web address for the access request. This attribute is supported only for backwards compatibility.

Optional. The subdomains attribute is a Boolean value that specifies whether the host component in the access request applies to subdomains of the domain specified by the origin attribute.

By default, if you don't specify the value of the subdomains attribute, the value is set to false and no access to subdomains is requested.


The following example shows how to white-list an external resource, in this case, the domain somedomain, as well as any subdomains it might have.
<access origin="https://somedomain.com" subdomains="true"/>
The following example shows how to white-list a URI to mountpoint named SDCard:
<access subdomains="true" origin="file:///SDCard" />