Accessing external resources
Allowing access to external resources and APIs
By default, BlackBerry WebWorks apps cannot access data from external resources. For example, a BlackBerry WebWorks app cannot retrieve an HTML web page or make an AJAX request to a web service, unless you configure the app to allow access.
To allow access to external resources and BlackBerry WebWorks APIs, you must specify permissions in config.xml for the app, the resources, and the APIs that you require. You can define the list of domains that your app is allowed to access and the BlackBerry WebWorks APIs that are allowed for each domain. You can define this list using app permissions.
The BlackBerry WebWorks Packager follows the same origin policy for the resources that the app requests by matching the resources to entries in the permissions list.
- Use the same precautions that you would use for a hosted web site, to protect against users with malicious intent.
- Protect your communication channel by using HTTPS when you expose sensitive APIs to the domain.
In the following example, the access element allows the site to access the specified APIs only over HTTPS:
<access uri="https://somedomain.com" subdomains="true">
    <feature id="blackberry.app" version="126.96.36.199" required="true"/>
    <feature id="blackberry.invoke" version="188.8.131.52" required="true"/>
</access>
Allowing requests to any web site
If your app is designed to access data from an unknown domain or a changing domain, you can use the access element with the wildcard character (*) to make sure that your requests are not blocked. For example:
<access uri="*"/>
The wildcard character (*) cannot be used for data accessed by XMLHttpRequest. To access data using the XMLHttpRequest, you must explicitly specify each domain.
When you use the wildcard character (*), web pages that your app accesses cannot access any of the app APIs.
In the example above, all requests that do not access content via XHR and that do not require access to app APIs are allowed.
Allowing requests to specific web sites
You must explicitly specify each domain. You cannot use a wildcard (*) character to whitelist domains.
For example, if you want to update or change menu items from a domain, you must specify the domain and the APIs that you require.
<access uri="mydomain" subdomains="true">
    <feature id=". . ." />
    <feature id=". . ." />
</access>
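The access rules described on this page can be checked mechanically before an app is packaged. The following Python script is an added example, not part of the original BlackBerry documentation: it reads a config.xml and reports access entries that use the wildcard or that grant APIs to a domain not restricted to HTTPS. The sample config.xml, the legacy.example domain, the widget namespace and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config.xml (not from the original page); the widget
# namespace and the legacy.example domain are assumptions for illustration.
SAMPLE = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access uri="https://somedomain.com" subdomains="true">
    <feature id="blackberry.app" required="true"/>
  </access>
  <access uri="http://legacy.example" subdomains="true">
    <feature id="blackberry.invoke" required="true"/>
  </access>
  <access uri="*">
    <feature id="blackberry.app" required="true"/>
  </access>
  <access uri="*"/>
</widget>"""

def local(tag):
    """Drop an XML namespace prefix of the form {namespace}name."""
    return tag.rsplit("}", 1)[-1]

def audit_access(config_xml):
    """Return (uri, finding) tuples for <access> entries that need review."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) != "access":
            continue
        uri = (el.get("uri") or "").strip()
        features = [f.get("id", "?") for f in el if local(f.tag) == "feature"]
        if uri == "*":
            # Wildcard entries allow loading any site, but not XHR or app APIs.
            findings.append((uri, "wildcard: any site allowed, XHR and APIs excluded"))
            if features:
                findings.append((uri, "features under wildcard: " + ", ".join(features)))
            continue
        # APIs granted to a domain should only be reachable over HTTPS.
        if features and urlparse(uri).scheme.lower() != "https":
            findings.append((uri, "APIs exposed without HTTPS: " + ", ".join(features)))
    return findings

if __name__ == "__main__":
    for uri, finding in audit_access(SAMPLE):
        print(f"{uri}: {finding}")
```

An entry whose uri has no scheme, such as "mydomain", is reported as well when it lists features, because nothing in it restricts the connection to HTTPS.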
Last modified: 2014-03-10