Reference: the official Cordova site
Whitelist
Download and install
    $ cordova plugin add cordova-plugin-whitelist
    $ cordova prepare
Supported versions
Android 4.0.0 or later
Navigation Whitelist
Links the WebView itself is allowed to open; patterns can filter by prefix or suffix.
    <!-- Allow navigation to any web page over HTTP or HTTPS -->
    <allow-navigation href="http://*/*" />
    <allow-navigation href="https://*/*" />
    <!-- Allow navigation to example.com -->
    <allow-navigation href="http://example.com/*" />
    <!-- Wildcards are allowed for the protocol, as a prefix to the host, or as a suffix to the path -->
    <allow-navigation href="*://*.example.com/*" />
    <!-- Allow navigation to all URLs *NOT RECOMMENDED, insecure* -->
    <allow-navigation href="*" />
Intent Whitelist
Links the app is allowed to open in the browser (or another installed app).
    <!-- Allow links to web pages to open in a browser -->
    <allow-intent href="http://*/*" />
    <allow-intent href="https://*/*" />
    <!-- Allow links to example.com to open in a browser -->
    <allow-intent href="http://example.com/*" />
    <!-- Wildcards are allowed for the protocol, as a prefix to the host, or as a suffix to the path -->
    <allow-intent href="*://*.example.com/*" />
    <!-- Allow SMS links to open messaging app (SMS links are common in apps) -->
    <allow-intent href="sms:*" />
    <!-- Allow tel: links to open the dialer -->
    <allow-intent href="tel:*" />
    <!-- Allow geo: links to open maps -->
    <allow-intent href="geo:*" />
    <!-- Allow all unrecognized URLs to open installed apps *NOT RECOMMENDED, very insecure* -->
    <allow-intent href="*" />
Without any <allow-intent> tag, no external URL can be opened at all. The default already allows many URLs; you are advised to narrow the set of permitted targets to what your own app actually needs.
On Android this is equivalent to sending a BROWSABLE intent.
This whitelist does not apply to plugins; it only applies to hyperlinks, i.e. the equivalent of window.open().
Network Request Whitelist
Controls which network origins resource files may be requested from (enforced through Cordova native hooks). It is no longer recommended, since it is not as secure as CSP; it is kept for legacy WebViews that do not support CSP (Content Security Policy). The default configuration is <access origin="*">.
    <!-- Allow images, xhrs, etc. to google.com -->
    <access origin="http://google.com" />
    <access origin="https://google.com" />
    <!-- Access to the subdomain maps.google.com -->
    <access origin="http://maps.google.com" />
    <!-- Access to all the subdomains on google.com -->
    <access origin="http://*.google.com" />
    <!-- Enable requests to content: URLs -->
    <access origin="content:///*" />
    <!-- Don't block any requests -->
    <access origin="*" />
The whitelist cannot stop a remote site from redirecting to a non-whitelisted site. Use CSP to mitigate the WebView being redirected to non-whitelisted sites.
Android also allows requests to https://ssl.gstatic.com/acces... by default.
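The three whitelists above share one failure mode: a wildcard pattern that quietly matches every host. The script below is an added example (not part of cordova-plugin-whitelist or the Cordova CLI) that parses a config.xml and flags the forms the Cordova docs mark as NOT RECOMMENDED, across <access>, <allow-navigation> and <allow-intent>. The config.xml it reads is constructed for the demo; the element and attribute names are the ones the plugin uses.

```python
"""Lint a Cordova config.xml for over-broad whitelist rules.

Added example for this page, not part of cordova-plugin-whitelist itself.
It reads the three elements the plugin understands (<allow-navigation>,
<allow-intent>, <access>) and flags the wildcard forms the Cordova docs
mark as NOT RECOMMENDED. The config.xml below is constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a few tight rules mixed with the wildcard ones.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.demo" version="1.0.0">
  <name>Demo</name>
  <access origin="https://api.example.com" />
  <access origin="*" />
  <allow-navigation href="https://*.example.com/*" />
  <allow-intent href="https://*/*" />
  <allow-intent href="tel:*" />
  <allow-intent href="*" />
</widget>
"""

WIDGET_NS = "{http://www.w3.org/ns/widgets}"

# Whitelist element -> attribute that carries its URL pattern.
PATTERN_ATTR = {
    "access": "origin",            # network request whitelist
    "allow-navigation": "href",    # navigation whitelist
    "allow-intent": "href",        # intent whitelist
}


def host_is_wildcard(pattern):
    """True for scheme-qualified patterns whose host part is a bare '*'.

    'https://*/*' and '*://*/*' match every host; 'https://*.example.com/*'
    does not, and scheme-only patterns such as 'tel:*' have no host at all.
    """
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return host == "*"


def audit_whitelist(config_xml):
    """Return (element, pattern, severity) for each risky entry, in document order.

    'high'   - a bare '*' that matches any URL of any scheme
    'medium' - a wildcard host that matches every site for that scheme
    """
    root = ET.fromstring(config_xml)
    findings = []
    for element in root:  # direct children of <widget>, document order
        tag = element.tag.replace(WIDGET_NS, "")
        if tag not in PATTERN_ATTR:
            continue
        pattern = element.get(PATTERN_ATTR[tag], "").strip()
        if pattern == "*":
            findings.append((tag, pattern, "high"))
        elif host_is_wildcard(pattern):
            findings.append((tag, pattern, "medium"))
    return findings


if __name__ == "__main__":
    for tag, pattern, severity in audit_whitelist(SAMPLE_CONFIG):
        print(f"[{severity}] <{tag} {PATTERN_ATTR[tag]}=\"{pattern}\">")
```

Run it against a real config.xml by replacing SAMPLE_CONFIG with the file contents; a "high" finding on <access> or <allow-navigation> means the WebView can load or navigate anywhere, which is exactly the case the CSP section below is meant to cover.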
CSP (Content Security Policy)
Controls where resource files may be requested from (enforced directly by the WebView).
On Android and iOS the network request whitelist described above cannot filter every request (for example video), and WebSockets are not blocked either. So in addition to the whitelist you should apply a CSP tag on every page.
Android 4.4 and later support CSP declarations in HTML. Examples:
    <!-- Good default declaration:
         * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
         * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
         * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
           * Enable inline JS: add 'unsafe-inline' to default-src
           * Enable eval(): add 'unsafe-eval' to default-src
    -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">

    <!-- Allow everything but only from the same origin and foo.com -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">

    <!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that
         * CSS only from the same origin and inline styles,
         * scripts only from the same origin and inline scripts, and eval() -->
    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

    <!-- Allows XHRs only over HTTPS on the same domain. -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">

    <!-- Allow iframe to https://cordova.apache.org/ -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">
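The declarations above are easy to misread because a directive that is not set explicitly (script-src, connect-src, ...) falls back to default-src. The script below is an added example, not Cordova code, that parses the policy value of a Content-Security-Policy meta tag, applies that fallback, and reports what each of the page's sample policies permits for scripts and XHR. It assumes plain source lists (no nonces or hashes, which would change how 'unsafe-inline' is interpreted); the three policy strings are copied from the declarations above.

```python
"""Evaluate what a Content-Security-Policy string actually permits.

Added example for this page; it is not Cordova code. It parses the policy
value of a <meta http-equiv="Content-Security-Policy"> tag and applies the
rule that makes the sample declarations easy to misread: a fetch directive
that is absent falls back to default-src. Nonces and hashes are not handled
(assumption: plain source lists only).
"""

# Policies copied from the declarations on this page.
CORDOVA_DEFAULT = ("default-src 'self' data: gap: https://ssl.gstatic.com; "
                   "style-src 'self' 'unsafe-inline'; media-src *")
PERMISSIVE = ("default-src *; style-src 'self' 'unsafe-inline'; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval'")
HTTPS_ONLY = "default-src 'self' https:"

# Fetch directives that inherit default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "media-src",
    "frame-src", "font-src", "object-src",
}


def parse_csp(policy):
    """Split 'name src src; name src' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, directive):
    """Sources that govern `directive` after default-src fallback.

    A policy that sets neither the directive nor default-src places no
    restriction at all, which is represented here as ['*'].
    """
    if directive in directives:
        return directives[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in directives:
        return directives["default-src"]
    return ["*"]


def allows_any_host(sources):
    """True if the source list admits any host, not just 'self' or named origins."""
    return any(s in ("*", "http:", "https:") for s in sources)


def assess(policy):
    """Summarise the script and connection rules a Cordova page author cares about."""
    d = parse_csp(policy)
    script = effective_sources(d, "script-src")
    connect = effective_sources(d, "connect-src")
    return {
        "inline_scripts": "'unsafe-inline'" in script,
        "eval": "'unsafe-eval'" in script,
        "scripts_from_any_host": allows_any_host(script),
        "xhr_to_any_host": allows_any_host(connect),
    }


if __name__ == "__main__":
    for name, policy in [("cordova default", CORDOVA_DEFAULT),
                         ("permissive", PERMISSIVE),
                         ("https only", HTTPS_ONLY)]:
        print(f"{name}: {assess(policy)}")
```

Two results are worth noting: the "good default" policy blocks XHR to every host except 'self' and https://ssl.gstatic.com (a common cause of failing AJAX calls after the tag is added, to be fixed by adding the API origin to connect-src rather than by loosening default-src), and the "permissive" policy still keeps scripts same-origin even though default-src is *, because the explicit script-src wins.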
iOS Whitelist
ATS (App Transport Security)
Cordova 4.0 and later no longer require cordova-plugin-whitelist to be installed, but <allow-intent> and <allow-navigation> are also configured on iOS.
The Cordova CLI automatically converts <allow-intent> and <allow-navigation> into the appropriate ATS settings:
    <access origin='https://cordova.apache.org' minimum-tls-version='TLSv1.1' requires-forward-secrecy='false' requires-certificate-transparency='true' />
This part is not required; our project does not have it.