Reference: the Cordova official site
Whitelist
Download
$ cordova plugin add cordova-plugin-whitelist
$ cordova prepare
Supported versions
Android 4.0.0 or above
Navigation Whitelist
Controls which URLs the WebView itself is allowed to navigate to; wildcards can be used as a prefix or suffix.
<!-- Allow links to example.com -->
<allow-navigation href="http://example.com/*" />
<!-- Wildcards are allowed for the protocol, as a prefix
to the host, or as a suffix to the path -->
<allow-navigation href="*://*.example.com/*" />
<!-- A wildcard can be used to whitelist the entire network,
over HTTP and HTTPS. *NOT RECOMMENDED: insecure* -->
<allow-navigation href="*" />
<!-- The above is equivalent to these three declarations -->
<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />
<allow-navigation href="data:*" />
Intent Whitelist
Controls which links the app is allowed to open in the browser (or another installed app).
<!-- Allow links to web pages to open in a browser -->
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<!-- Allow links to example.com to open in a browser -->
<allow-intent href="http://example.com/*" />
<!-- Wildcards are allowed for the protocol, as a prefix
to the host, or as a suffix to the path -->
<allow-intent href="*://*.example.com/*" />
<!-- Allow SMS links to open messaging app (many apps use SMS links) -->
<allow-intent href="sms:*" />
<!-- Allow tel: links to open the dialer -->
<allow-intent href="tel:*" />
<!-- Allow geo: links to open maps -->
<allow-intent href="geo:*" />
<!-- Allow all unrecognized URLs to open installed apps
*NOT RECOMMENDED: very insecure* -->
<allow-intent href="*" />
Without any <allow-intent> tag, no external URL can be opened. The default configuration already allows many URLs; you should narrow the set of allowed targets to what your own app needs.
On Android this is equivalent to sending a BROWSEABLE intent.
This whitelist applies only to hyperlinks (the equivalent of window.open()), not to plugins.
Network Request Whitelist
Controls which network origins resource files may be requested from (enforced through Cordova native hooks). It is deprecated and offers less protection than CSP; it remains for legacy WebViews that do not support CSP (Content Security Policy). The default configuration is <access origin="*">.
<!-- Allow images, xhrs, etc. to google.com -->
<access origin="http://google.com" />
<access origin="https://google.com" />
<!-- Access to the subdomain maps.google.com -->
<access origin="http://maps.google.com" />
<!-- Access to all the subdomains on google.com -->
<access origin="http://*.google.com" />
<!-- Enable requests to content: URLs -->
<access origin="content:///*" />
<!-- Don't block any requests -->
<access origin="*" />
The whitelist cannot stop a remote site from redirecting to a non-whitelisted site; use CSP to mitigate WebView redirects to non-whitelisted sites.
Android also allows requests to https://ssl.gstatic.com/acces... by default.
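The wildcard rules quoted in the comments above (protocol, host prefix, path suffix) and the advice to narrow the default allow list are easier to check mechanically. The following Python is an added example, not code from the plugin or from this page: it re-implements an approximation of the documented wildcard matching and audits a constructed config.xml for entries that match every URL. The element names (access, allow-navigation, allow-intent) are the real config.xml ones; the matching logic and the sample config are assumptions built for this demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment for this demo (not taken from any real project).
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="https://api.example.com" />
  <access origin="*" />
  <allow-navigation href="*://*.example.com/*" />
  <allow-navigation href="*" />
  <allow-intent href="https://*/*" />
  <allow-intent href="*" />
</widget>"""

# scheme (may be "*"), optional "//host", and the rest of the pattern as path
URL_PATTERN = re.compile(r"^(\*|[a-z][a-z0-9+.-]*):(?://([^/]*))?(.*)$", re.I)

def pattern_to_regex(pattern):
    """Approximate the wildcard rules: '*' alone matches anything, '*' as scheme
    matches any scheme, '*.host' matches host and its subdomains, '*' in the
    path matches any suffix. Assumed semantics, not the plugin's own code."""
    if pattern == "*":
        return re.compile(r"^.*$")
    m = URL_PATTERN.match(pattern)
    if not m:
        raise ValueError("unsupported pattern: " + pattern)
    scheme, host, path = m.groups()
    scheme_re = r"[a-z][a-z0-9+.-]*" if scheme == "*" else re.escape(scheme)
    if host is None:                 # sms:*, tel:*, geo:* carry no authority part
        host_re = ""
    elif host == "*":
        host_re = r"//[^/]*"
    elif host.startswith("*."):      # *.example.com also matches example.com itself
        host_re = r"//([a-z0-9.-]*\.)?" + re.escape(host[2:])
    else:
        host_re = "//" + re.escape(host)
    path_re = re.escape(path).replace(r"\*", ".*")
    return re.compile("^" + scheme_re + ":" + host_re + path_re + "$", re.I)

# Whitelist values that match every URL; they should not ship in a release build.
OPEN_VALUES = {"access": {"*"}, "allow-intent": {"*"},
               "allow-navigation": {"*", "http://*/*", "https://*/*"}}

def audit_config(xml_text):
    """Return (tag, value) for every whitelist entry that opens the whole network."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]                      # drop the XML namespace
        value = el.get("origin") if tag == "access" else el.get("href")
        if value in OPEN_VALUES.get(tag, ()):
            findings.append((tag, value))
    return findings
```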
CSP (Content Security Policy)
Controls where resource files may be requested from (enforced directly in the WebView).
On Android and iOS, the network request whitelist described above does not filter every request (for example video), and WebSockets are not blocked either. So in addition to the whitelist, a CSP meta tag should be applied on every page.
Android 4.4 and above support HTML CSP declarations; examples:
<!-- Good default declaration:
* gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
* https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
* Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
* Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
<!-- Allow everything but only from the same origin and foo.com -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
<!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that
* CSS only from the same origin and inline styles,
* scripts only from the same origin and inline scripts, and eval()
-->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
<!-- Allows XHRs only over HTTPS on the same domain. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
<!-- Allow iframe to https://cordova.apache.org/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
iOS whitelist
ATS
App Transport Security
On Cordova 4.0 and above, installing cordova-plugin-whitelist is no longer required; on iOS, <allow-intent> and <allow-navigation> are still configured.
The Cordova CLI automatically converts <allow-intent> and <allow-navigation> into the appropriate ATS settings:
- minimum TLS version (default TLS v1.2)
- requires-forward-secrecy (Boolean, default 'true')
- requires-certificate-transparency (Boolean, default 'false', available only from iOS 10)
<access origin='https://cordova.apache.org' minimum-tls-version='TLSv1.1' requires-forward-secrecy='false' requires-certificate-transparency='true' />
This part is not mandatory; our project does not use it.
The whitelist is not supported on Android API 10 and below, WP8, iframes, or XMLHttpRequest. This means an attacker could load any domain and script in an iframe and directly reach Cordova's JS objects and the corresponding native Java objects. Take this into account when building your project. In practice, make sure the Android API level is above 10, avoid loading external content in iframes, and use the InAppBrowser plugin or other third-party plugins instead.