There is a default policy, which is implemented in the case where no plugins override any of the whitelist methods:
* Error URLs must start with file://
* Navigation is allowed to file:// and data: URLs which do not contain "app_webview"
* External URLs do not launch intents
* XHRs are allowed to file:// and data: URLs which do not contain "app_webview"