Allow mixed content on Cordova app’s WebView

Starting with cordova-android@10, your Cordova index.html file is served internally over the https:// protocol instead of the file:// protocol. As a result, your app can no longer make API calls or load content over the “insecure” http protocol.

To overcome this problem, you need to switch all your http requests to https. If this is not an option, for example on APIs with invalid SSL certificates for Ajax requests, your only option is to force the Cordova WebView to allow http requests as follows.


Open MainActivity.java in the platforms/android/app/src/main/java/[your-package-name]/ directory and add this onResume method, with the corresponding import statements.


import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

import org.apache.cordova.*;

public class MainActivity extends CordovaActivity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // enable Cordova apps to be started in the background
        Bundle extras = getIntent().getExtras();
        if (extras != null && extras.getBoolean("cdvStartInBackground", false)) {
            moveTaskToBack(true);
        }

        // Set by <content src="index.html" /> in config.xml
        loadUrl(launchUrl);
    }

    @Override
    public void onResume() {
        super.onResume();

        // Add the following lines to enable mixed content mode
        if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.LOLLIPOP) {
            WebView webView = (WebView) appView.getView(); // Change from getEngine() to getView()
            WebSettings settings = webView.getSettings();
            settings.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        }
    }
}

The key part of this code is the call to the setMixedContentMode method, which configures the WebView’s behavior when a secure origin attempts to load a resource from an insecure origin.

Possible values for setMixedContentMode

MIXED_CONTENT_ALWAYS_ALLOW

In this mode, the WebView will allow a secure origin to load content from any other origin, even if that origin is insecure. This is the least secure mode of operation for the WebView, and where possible apps should not set this mode. In our code snippet we are using this value because our API endpoint does not provide a valid SSL certificate for the requested subdomain.

MIXED_CONTENT_COMPATIBILITY_MODE

In this mode, the WebView will attempt to be compatible with the approach of a modern web browser with regard to mixed content. Some insecure content may be allowed to be loaded by a secure origin and other types of content will be blocked. The types of content that are allowed or blocked may change from release to release and are not explicitly defined. This mode is intended to be used by apps that are not in control of the content that they render but desire to operate in a reasonably secure environment.

MIXED_CONTENT_NEVER_ALLOW

In this mode, the WebView will not allow a secure origin to load content from an insecure origin. This is the preferred and most secure mode of operation for the WebView and apps are strongly advised to use this mode.
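Because the least secure mode is easy to leave in a release build, a source audit can report every place the mode is set. The following Python sketch is an added example, not code from this post or from Cordova; the function name audit_mixed_content, the risk labels and the sample input are assumptions made for illustration.

```python
import re

# Integer values of the android.webkit.WebSettings mixed-content constants.
MODES = {"MIXED_CONTENT_ALWAYS_ALLOW": 0, "MIXED_CONTENT_NEVER_ALLOW": 1,
         "MIXED_CONTENT_COMPATIBILITY_MODE": 2}
BY_VALUE = {v: k for k, v in MODES.items()}
RISK = {"MIXED_CONTENT_ALWAYS_ALLOW": "high",          # labels are illustrative
        "MIXED_CONTENT_COMPATIBILITY_MODE": "medium",
        "MIXED_CONTENT_NEVER_ALLOW": "ok"}

CALL = re.compile(r"\.setMixedContentMode\s*\(\s*([^)]*?)\s*\)")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def _blank_comments(src):
    # Overwrite comments with spaces so line numbers stay unchanged.
    # Limitation: "//" inside a string literal is treated as a comment start.
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)


def audit_mixed_content(java_source):
    """Return (line, mode, risk) for every setMixedContentMode call."""
    code = _blank_comments(java_source)
    findings = []
    for m in CALL.finditer(code):
        arg = m.group(1).split(".")[-1]      # drop a "WebSettings." qualifier
        if arg.isdigit():                    # raw integer literal such as 0
            mode = BY_VALUE.get(int(arg), "UNKNOWN")
        else:
            mode = arg if arg in MODES else "UNKNOWN"
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, mode, RISK.get(mode, "review")))
    return findings


# Constructed sample input, modelled on the onResume() change above.
SAMPLE = """\
public void onResume() {
    super.onResume();
    // settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
    settings.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
    other.setMixedContentMode(2);
}
"""

if __name__ == "__main__":
    for line, mode, risk in audit_mixed_content(SAMPLE):
        print(f"line {line}: {mode} [{risk}]")
```

Arguments that are neither a known constant name nor an integer literal, such as a variable, are reported as UNKNOWN with the risk label "review" so they can be checked by hand.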

