Our application serves up images from Cloudinary, the URLs for which are stored in a database. All of these images point to http://res.cloudinary.com. We recently upgraded our project to Cordova 4.0.0 in order to be prepared for the Play Store changes as well as try to resolve some issues for which we do not yet have root causes.
One unexpected problem we ran into is that on iOS, the application no longer honored any requests to http:// URLs. We were loading in a Google font which we easily fixed with an https:// prefix, but the Cloudinary images are a bit more troublesome as the URLs have all been stored in the database with an http:// prefix (we have thousands of these). Our config.xml file has had this line in since the beginning of this project:
<access origin="*" />
This setting apparently has no effect on this issue. After doing some research I wondered if perhaps I could address this issue with a Content Security Policy meta header, but this created all kinds of other issues including some problems within the Kendo framework itself trying to load some kind of internal XSLT file. Something else that doesn't make much sense is that it looks like the 4.0.0 version of Cordova as displayed in AppBuilder is version 3.8.0 for iOS, and on version 3.8.0 the application works just fine. I am wondering if anyone can point me in the right direction. Re-writing the Cloudinary URLs dynamically is not an ideal solution, as the version of our app deployed in the wild is still saving and serving up the http:// version of these URLs.