Cordova can not access to AJAX


i'm using Browser platform of Cordova, also i'm using cordova-plugin-whitelist and Content-Security-Policy tag into my html codes. but i get below error in console:

JQMIGRATE: Migrate is installed, version 3.0.0 
adding proxy for Device 
SEC7118: XMLHttpRequest for required Cross Origin Resource Sharing (CORS). 
SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header. 
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

here is my config.xml:

<?xml version='1.0' encoding='utf-8'?>
<widget id="io.cordova.hellocordova" version="1.0.0" xmlns="" xmlns:cdv="">
        A sample Apache Cordova application that responds to the deviceready event.
    <author email="" href="">
        Apache Cordova Team
    <content src="index.html" />
    <access origin="*" />
    <allow-navigation href="*" />
    <allow-navigation href="*" />
    <allow-navigation href="http://*/*" />
    <allow-navigation href="https://*/*" />
    <allow-navigation href="data:*" />
    <allow-intent href="*" />
    <allow-intent href="*" />
    <plugin name="cordova-plugin-x-toast" spec="^2.7.2" />
    <plugin name="cordova-plugin-dialogs" spec="^2.0.1" />
    <plugin name="cordova-plugin-nativestorage" spec="^2.3.2" />
    <plugin name="cordova-plugin-device" spec="^2.0.2" />
    <plugin name="cordova-plugin-whitelist" spec="^1.3.3" />
    <engine name="browser" spec="^5.0.4" />
    <engine name="android" spec="^7.1.4" />
    <engine name="ios" spec="^4.5.5" />

and here is the meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

and here is my ajax request:


how can i fix it?

asked on Stack Overflow Feb 25, 2019 by saleh

1 Answer


My meta CSP is

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; connect-src *;">

And i can normally connect to my endpoints, maybe try to remove the /* in

<allow-navigation href="" />

I've just seen this

SEC7120: Origin http://localhost:8000 not found in Access-Control-Allow-Origin header.

You need to enable CORS on the server ( Check out this site:

All you need to do is add an HTTP header to the server:

Access-Control-Allow-Origin: http://localhost:8000 Or, for simplicity:

Access-Control-Allow-Origin: *

answered on Stack Overflow Feb 25, 2019 by nano • edited Feb 25, 2019 by nano

User contributions licensed under CC BY-SA 3.0