Allow mixed content on Cordova app’s WebView

Starting with cordova-android@10, your Cordova index.html file will be internally served via https:// protocol instead of the file:// protocol. This introduces the issue that your app can no longer make API calls or load content from the “insecure” http protocol.

Apache Cordova logo phonegap

Any AJAX request to http URLs will throw a net::ERR_CLEARTEXT_NOT_PERMITTED or net::ERR_CONNECTION_REFUSED javascript error.

To overcome this problem, you need to switch all your http requests to https. If this is not an option, for example on APIs with invalid SSL certificates for Ajax requests, your only option is to force the Cordova WebView to allow http requests as follows.

Edit MainActivity.java

Open the platforms/android/app/src/main/java/[your-package-name]/MainActivity.java and add this onResume method, with the corresponding import statements.

package andreszsogon.test.app;

import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

import org.apache.cordova.*;

public class MainActivity extends CordovaActivity
{
    @Override
    public void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);

        // enable Cordova apps to be started in the background
        Bundle extras = getIntent().getExtras();
        if (extras != null && extras.getBoolean("cdvStartInBackground", false)) {
            moveTaskToBack(true);
        }

        // Set by <content src="index.html" /> in config.xml
        loadUrl(launchUrl);
    }
  
    @Override
    public void onResume() {
        super.onResume();

        // Add the following lines to enable mixed content mode
        if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.LOLLIPOP) {
            WebView webView = (WebView) appView.getView(); // Change from getEngine() to getView()
            WebSettings settings = webView.getSettings();
            settings.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        }
    }
}

The key of this code is to call the setMixedContent method, which configures the WebView’s behavior when a secure origin attempts to load a resource from an insecure origin.

Possible values for setMixedContent

Edit AndroidManifest.xml

Open your AndroidManifest.xml file and add android:usesCleartextTraffic="true" in your <application> element.

For a safer approach where you only whitelist a certain domain or subdomain, use android:networkSecurityConfig="@xml/network_security_config" and create a network_security_config.xml file as explained here.

Clean and rebuild app

Run the cordova clean and cordova build CLI commands to update and recompile your Cordova app. Your AJAX requests to http endpoints should work normally.

Disclaimer

The content in this post is for general information purposes only. The information is provided by the author and/or external sources and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the post for any purpose. Some of the content and images used in this post may be copyrighted by their respective owners. The use of such materials is intended to be for educational and informational purposes only, and is not intended to infringe on the copyrights of any individuals or entities. If you believe that any content or images used here violate your copyright, please contact us and we will take appropriate measures to remove or attribute the material in question.