cordova开发日记05 白名单的配置和说明(Whitelist)
Whitelist是cordova为了解决同源策略的方案,配置方法以下:html
官网地址:web
http://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/index.htmlapache
http://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/index.html安全
config.xml access配置
只容许google.com Access to google.com:网络
<access origin="http://google.com" />
只容许google.com的https协议 Access to the secure google.com (https://):app
<access origin="https://google.com" />
二级域名(maps) Access to the subdomain maps.google.com:dom
<access origin="http://maps.google.com" />
全部二级域名 Access to all the subdomains on google.com, for example mail.google.com and docs.google.com:ide
<access origin="http://*.google.com" />
全部域名 Access to all domains, for example, google.com and developer.mozilla.org:字体
<access origin="*" />
config.xml Navigation Whitelist
说明:webview能够跳转至的URLui
<!-- 容许全部到example.com的连接 -->
<!-- Allow links to example.com -->
<allow-navigation href="http://example.com/*" />
<!-- 通配符 -->
<!-- Wildcards are allowed for the protocol, as a prefix
to the host, or as a suffix to the path -->
<allow-navigation href="*://*.example.com/*" />
<!-- 通配符(全) *不推荐* -->
<!-- A wildcard can be used to whitelist the entire network,
over HTTP and HTTPS.
*NOT RECOMMENDED* -->
<allow-navigation href="*" />
<!-- 上面的写法与下面3句等价 -->
<!-- The above is equivalent to these three declarations -->
<allow-navigation href="http://*/*" />
<allow-navigation href="https://*/*" />
<allow-navigation href="data:*" />
config.xml Intent Whitelist
说明:系统能够打开的连接
<!-- Allow links to web pages to open in a browser -->
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<!-- Allow links to example.com to open in a browser -->
<allow-intent href="http://example.com/*" />
<!-- Wildcards are allowed for the protocol, as a prefix
to the host, or as a suffix to the path -->
<allow-intent href="*://*.example.com/*" />
<!-- Allow SMS links to open messaging app -->
<allow-intent href="sms:*" />
<!-- Allow tel: links to open the dialer -->
<allow-intent href="tel:*" />
<!-- Allow geo: links to open maps -->
<allow-intent href="geo:*" />
<!-- Allow all unrecognized URLs to open installed apps
*NOT RECOMMENDED* -->
<allow-intent href="*" />
config.xml Network Request Whitelist
说明:网络请求(如XHR等)白名单
<!-- Allow images, xhrs, etc. to google.com --> <access origin="http://google.com" /> <access origin="https://google.com" /> <!-- Access to the subdomain maps.google.com --> <access origin="http://maps.google.com" /> <!-- Access to all the subdomains on google.com --> <access origin="http://*.google.com" /> <!-- Enable requests to content: URLs --> <access origin="content:///*" /> <!-- Don't block any requests --> <access origin="*" />
index.html Content Security Policy
说明:页面上的资源白名单
主要分这几类:default-src,style-src,script-src,img-src,font-src,media-src 等
参数值能够是:*,'self','unsafe-inline',data: 等
我使用的是很是宽松的策略:
容许全部域名的数据,容许不安全的内联,容许data:(主要用于BASE64形式的图片,字体等)
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline';img-src * 'self' data:;font-src 'self' data:">
下面是官方示例:
<!-- Good default declaration:
* gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
* https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
* Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
* Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
<!-- Allow everything but only from the same origin and foo.com -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
<!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that
* CSS only from the same origin and inline styles,
* scripts only from the same origin and inline styles, and eval()
-->
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
<!-- Allows XHRs only over HTTPS on the same domain. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
<!-- Allow iframe to https://cordova.apache.org/ -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
相关文章
- 1. Cordova 白名单插件 cordova-plugin-whitelist Android IOS
- 2. luajit日记-配置说明
- 3. Mycat防火墙配置:IP白名单和 SQL黑名单说明
- 4. cordova 5.0 白名单
- 5. 全本软件白名单 Quanben Software Whitelist
- 6. cordova开发日记01:环境部署
- 7. Spring-boot简单日志配置说明
- 8. cordova开发日记02:navigation.app和event
- 9. webpack4 的开发环境配置说明
- 10. Jenkins日程配置说明
- 更多相关文章...
- • Eclipse 窗口说明 - Eclipse 教程
- • hibernate.cfg.xml和C3P0连接池的配置 - Hibernate教程
- • PHP开发工具
- • IntelliJ IDEA 代码格式化配置和快捷键
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 融合阿里云,牛客助您找到心仪好工作
- 2. 解决jdbc(jdbctemplate)在测试类时不报错在TomCatb部署后报错
- 3. 解决PyCharm GoLand IntelliJ 等 JetBrains 系列 IDE无法输入中文
- 4. vue+ant design中关于图片请求不显示的问题。
- 5. insufficient memory && Native memory allocation (malloc) failed
- 6. 解决IDEA用Maven创建的Web工程不能创建Java Class文件的问题
- 7. [已解决] Error: Cannot download ‘https://start.spring.io/starter.zip?
- 8. 在idea让java文件夹正常使用
- 9. Eclipse启动提示“subversive connector discovery”
- 10. 帅某-技巧-快速转帖博主文章(article_content)
欢迎关注本站公众号,获取更多信息
