
Cordova whitelist plugin (cordova-plugin-whitelist) on Android

Reference: the Cordova official site
Whitelist
Installation

$ cordova plugin add cordova-plugin-whitelist
$ cordova prepare

Supported versions
Android 4.0.0 or above

Navigation Whitelist
Controls which URLs the WebView itself is allowed to navigate to. Patterns may use a wildcard for the protocol, as a prefix to the host, or as a suffix to the path.

<!-- Allow navigation to example.com -->
<allow-navigation href="http://example.com/*" />

<!-- Wildcards are allowed for the protocol, as a prefix
     to the host, or as a suffix to the path -->
<allow-navigation href="*://*.example.com/*" />

<!-- Allow navigation to any web page over HTTP and HTTPS -->
<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />

<!-- A single wildcard whitelists the entire network
     *NOT RECOMMENDED: unsafe* -->
<allow-navigation href="*" />

Intent Whitelist
Controls which URLs the app is allowed to ask the system to open, for example in the browser or in another installed app.

<!-- Allow links to web pages to open in a browser -->
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />

<!-- Allow links to example.com to open in a browser -->
<allow-intent href="http://example.com/*" />

<!-- Wildcards are allowed for the protocol, as a prefix
     to the host, or as a suffix to the path -->
<allow-intent href="*://*.example.com/*" />

<!-- Allow SMS links to open messaging app (SMS links are used by many apps) -->
<allow-intent href="sms:*" />

<!-- Allow tel: links to open the dialer -->
<allow-intent href="tel:*" />

<!-- Allow geo: links to open maps -->
<allow-intent href="geo:*" />

<!-- Allow all unrecognized URLs to open installed apps
     *NOT RECOMMENDED: very unsafe* -->
<allow-intent href="*" />

Without any <allow-intent> tags, no external URL can be opened at all. The default configuration already allows a large set of URLs, so you should narrow the permitted targets down to what your own app actually needs.

On Android this is equivalent to sending an intent of type BROWSEABLE.
This whitelist does not apply to plugins, only to hyperlinks and to calls to window.open().

Network Request Whitelist
Controls which network requests (images, XHRs, etc.) may be made through the Cordova native hooks. It is deprecated and is less secure than CSP; it remains only as a legacy feature for WebViews that do not support CSP (Content Security Policy). The default configuration is <access origin="*">.

<!-- Allow images, xhrs, etc. to google.com -->
<access origin="http://google.com" />
<access origin="https://google.com" />

<!-- Access to the subdomain maps.google.com -->
<access origin="http://maps.google.com" />

<!-- Access to all the subdomains on google.com -->
<access origin="http://*.google.com" />

<!-- Enable requests to content: URLs -->
<access origin="content:///*" />

<!-- Don't block any requests -->
<access origin="*" />

The whitelist cannot prevent a remote site from redirecting to a non-whitelisted site. Use CSP to mitigate the WebView being redirected to non-whitelisted sites.

Android also allows requests to https://ssl.gstatic.com/acces… by default.

CSP (Content Security Policy)
Controls which network requests for resource files are allowed, enforced directly in the WebView.
On Android and iOS the network request whitelist described above cannot filter every kind of request (for example <video>), and WebSockets are not blocked by it either. So, in addition to the whitelist, you should apply a CSP tag on every page.

CSP declared in HTML is supported on Android 4.4 and above. Example declarations:

<!-- Good default declaration:
    * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
    * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
    * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
        * Enable inline JS: add 'unsafe-inline' to default-src
        * Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">

<!-- Allow everything but only from the same origin and foo.com -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">

<!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that
    * CSS only from the same origin and inline styles,
    * scripts only from the same origin and inline scripts, and eval()
-->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

<!-- Allows XHRs only over HTTPS on the same domain. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">

<!-- Allow iframe to https://cordova.apache.org/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
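As an added example (not code from this page or from cordova-plugin-whitelist), the Python script below audits a constructed config.xml and a constructed CSP string for the two problems discussed above: whitelist entries that open the whole network with "*", and a policy whose directive name lost its surrounding spaces, so the browser drops that directive and the page ends up with no default-src. The widget namespace, the sample documents and the list of known directives are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/ns/widgets}"  # config.xml default namespace (assumption of this example)
# Constructed config.xml for the example, not any real project's file.
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.app">
  <access origin="*" />
  <allow-navigation href="*" />
  <allow-intent href="https://*/*" />
  <allow-intent href="*" />
</widget>"""

# Constructed CSP value with the lost-space typo: the first directive name is
# unknown to the browser, so that directive is dropped and default-src is gone.
CSP_BROKEN = "default-src'self'data: gap: https://ssl.gstatic.com; script-src 'self' 'unsafe-eval'"

KNOWN_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "connect-src",
                    "media-src", "frame-src", "font-src", "object-src"}

def is_wide(pattern):
    """True for patterns that match every host: '*', 'http://*/*', '*://*/*'."""
    return pattern == "*" or re.match(r"^(?:\*|[a-z-]+)://\*(?:/.*)?$", pattern, re.I) is not None

def audit_config(xml_text):
    """Return (tag, value, note) for whitelist entries that open the whole network."""
    findings, root = [], ET.fromstring(xml_text)
    for tag, attr in (("access", "origin"), ("allow-navigation", "href"), ("allow-intent", "href")):
        for el in root.iter(NS + tag):
            value = el.get(attr, "")
            if value == "*":
                findings.append((tag, value, "matches every URL; NOT RECOMMENDED"))
            elif tag != "allow-intent" and is_wide(value):
                findings.append((tag, value, "matches every host on this scheme"))
    return findings

def audit_csp(policy):
    """Split a CSP into directives; report dropped directives and risky script sources."""
    findings, directives = [], {}
    for tokens in filter(None, (raw.split() for raw in policy.split(";"))):
        name = tokens[0].lower()  # a directive name must be a bare token such as default-src
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {name!r} is ignored by the browser")
            continue
        directives[name] = tokens[1:]
    for name in ("default-src", "script-src"):
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if risky in directives.get(name, []):
                findings.append(f"{name} allows {risky}")
    return findings
```

Running audit_config on a real config.xml and audit_csp on the content of each page's CSP meta tag before a release catches both the wildcard defaults and a policy that silently stopped applying.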