介绍
这个插件在Cordova 4.0以后实现了一个白名单政策用于导航到应用程序的webview上
安装插件
自动安装
详情
导航白名单Navigation Whitelist
控制URL WebView本身可以导航到。只适用于顶级水平导航。
特性:Android也适用于非HTTP(S)方案到iframes。
默认情况下,导航只是到 file:// URLs,是允许的。允许到其他URLs,你必须添加<allow-navigation>标签到你的config.xml:
<!-- Allow links to example.com -->
<allow-navigation href="http://example.com/*" />
<!-- Wildcards are allowed for the protocol, as a prefix
to the host, or as a suffix to the path -->
<allow-navigation href="*://*.example.com/*" />
<!-- A wildcard can be used to whitelist the entire network,
over HTTP and HTTPS.
*NOT RECOMMENDED* -->
<allow-navigation href="*" />
<!-- The above is equivalent to these three declarations -->
<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />
<allow-navigation href="data:*" />
意图白名单Intent Whitelist
控制URL的应用程序允许要求系统打开。默认情况下,没有外部链接是允许的。
在Android上,这等同于发送BROWSEABLE类型的意图。
这个白名单不适用于插件,只有超链接和调用window.open()
进入config.xml,添加<allow-intent>标签,这样:
<!-- Allow links to web pages to open in a browser -->
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<!-- Allow links to example.com to open in a browser -->
<allow-intent href="http://example.com/*" />
<!-- Wildcards are allowed for the protocol, as a prefix
to the host, or as a suffix to the path -->
<allow-intent href="*://*.example.com/*" />
<!-- Allow SMS links to open messaging app -->
<allow-intent href="sms:*" />
<!-- Allow tel: links to open the dialer -->
<allow-intent href="tel:*" />
<!-- Allow geo: links to open maps -->
<allow-intent href="geo:*" />
<!-- Allow all unrecognized URLs to open installed apps
*NOT RECOMMENDED* -->
<allow-intent href="*" />
网络请求白名单Network Request Whitelist
控制网络请求(图片,XHRs,等)是允许(通过cordova本地挂载)。
注意:我们建议您使用一个内容安全政策(见下文),这是更安全。这个名单是历史做不支持CSP。
进入config.xml,添加<access>标签,像这样:
<!-- Allow images, xhrs, etc. to google.com -->
<access origin="http://google.com" />
<access origin="https://google.com" />
<!-- Access to the subdomain maps.google.com -->
<access origin="http://maps.google.com" />
<!-- Access to all the subdomains on google.com -->
<access origin="http://*.google.com" />
<!-- Enable requests to content: URLs -->
<access origin="content:///*" />
<!-- Don't block any requests -->
<access origin="*" />
没有任何<access>标签,只请求file://URL是允许的。然而,Cordova应用默认情况下包括<access origin="*">
注:白名单不能阻止网络重定向从内远程网站(如HTTP或HTTPS)到非白名单的网站。webviews支持CSP,使用CSP规则减少重定向到非白名单的网站。(CSP:Content Security Policy)
特性:Android还默认允许请求https://ssl.gstatic.com/accessibility/javascript/android/,因为这是对讲功能要求。
内容安全策略Content Security Policy
控制网络请求(图片,XHRs,等)是允许(通过WebView直接)。
在Android和iOS,网络请求的白名单(见上图)是不能够过滤所有类型的请求(例如<video>和WebSockets没有堵塞)。所以,除了白名单,你应该使用一个Content Security Policy内容安全策略<meta>标签贴在所有页面上
在Android系统上,支持CSP在系统的webview中启动KitKat(但是可在所有版本使用Crosswalk WebView)。
这里有你的一些例子CSP声明到你的HTML网页
<!-- Good default declaration:
* gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
* https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
* Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
* Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
<!-- Allow everything but only from the same origin and foo.com -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
<!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that
* CSS only from the same origin and inline styles,
* scripts only from the same origin and inline styles, and eval()
-->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
<!-- Allows XHRs only over HTTPS on the same domain. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
<!-- Allow iframe to https://cordova.apache.org/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">