ERR_CLEARTEXT_NOT_PERMITTED on Android 9, with domain cleartext permitted

Question

On an Android 10 device, I get an ERR_CLEARTEXT_NOT_PERMITTED error in webview on my http server, but only on some pages, and even though I am using network_security_config to allow the domain. I am only able to work around the error by opening up all domains using . How can I fix this so only my domain is permitted, and not receive the error, but without using ?

Logcat:

07:54:09.004 com.myserver.myapp D/myapp: Webview.onPageStarted called on http://myserver.com/myapp/index.php?view=discrete
07:54:09.232 com.myserver.myapp I/myapp: onPageFinished called.
07:54:15.938 com.myserver.myapp D/myapp: Webview.onPageStarted called on http://myserver.com/myapp/index.php?view=about
07:54:15.958 com.myserver.myapp I/myapp: onReceivedError called.
07:54:15.958 com.myserver.myapp I/myapp: Web Load Error:net::ERR_CLEARTEXT_NOT_PERMITTED
07:54:16.012 com.myserver.myapp I/myapp: onPageFinished called.

Network-security-config xml:

<network-security-config>
<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">localhost</domain>
    <domain includeSubdomains="true">myserver.com</domain>
</domain-config>
    <!-- Want to delete this for better security--> 
    <base-config cleartextTrafficPermitted="true"/>
</network-security-config>

Answer 1

Root cause was that the javascript serving third party ad content (Google Ads) did not use https.

Added code to onReceivedError to log the URL that is causing the issue...

public void onReceivedError(WebView view, WebResourceRequest request, WebResourceError error) {
            super.onReceivedError(view, request, error);
            Log.i(TAG, "onReceivedError called for URL "+ request.getUrl().toString());
}