Whitelist是cordova为了解决同源策略的方案,配置方法如下:官网地址:http://cordova.apache.org/docs/en/latest/guide/appdev/white
Whitelist是cordova为了解决同源策略的方案,配置方法如下:
官网地址:
http://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/index.html
http://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/index.html
config.xml access配置
只允许google.comAccess to google.com:
<access origin="http://google.com" />只允许google.com的https协议Access to the secure google.com (https://):
<access origin="https://google.com" />二级域名(maps)Access to the subdomain maps.google.com:
<access origin="http://maps.google.com" />所有二级域名Access to all the subdomains on google.com, for example mail.google.com and docs.google.com:
<access origin="http://*.google.com" />所有域名Access to all domains, for example, google.com and developer.mozilla.org:
<access origin="*" />config.xml Navigation Whitelist
说明:webview可以跳转至的URL
<!-- 允许所有到example.com的链接 --><!-- Allow links to example.com --><allow-navigation href="http://example.com/*" /><!-- 通配符 --><!-- Wildcards are allowed for the protocol, as a prefix to the host, or as a suffix to the path --><allow-navigation href="*://*.example.com/*" /><!-- 通配符(全) *不推荐* --><!-- A wildcard can be used to whitelist the entire network, over HTTP and HTTPS. *NOT RECOMMENDED* --><allow-navigation href="*" /><!-- 上面的写法与下面3句等价 --><!-- The above is equivalent to these three declarations --><allow-navigation href="http://*/*" /><allow-navigation href="https://*/*" /><allow-navigation href="data:*" />config.xml Intent Whitelist
说明:系统可以打开的链接
<!-- Allow links to web pages to open in a browser --><allow-intent href="http://*/*" /><allow-intent href="https://*/*" /><!-- Allow links to example.com to open in a browser --><allow-intent href="http://example.com/*" /><!-- Wildcards are allowed for the protocol, as a prefix to the host, or as a suffix to the path --><allow-intent href="*://*.example.com/*" /><!-- Allow SMS links to open messaging app --><allow-intent href="sms:*" /><!-- Allow tel: links to open the dialer --><allow-intent href="tel:*" /><!-- Allow geo: links to open maps --><allow-intent href="geo:*" /><!-- Allow all unrecognized URLs to open installed apps *NOT RECOMMENDED* --><allow-intent href="*" />config.xml Network Request Whitelist
说明:网络请求(如XHR等)白名单
<!-- Allow images, xhrs, etc. to google.com --><access origin="http://google.com" /><access origin="https://google.com" /><!-- Access to the subdomain maps.google.com --><access origin="http://maps.google.com" /><!-- Access to all the subdomains on google.com --><access origin="http://*.google.com" /><!-- Enable requests to content: URLs --><access origin="content:///*" /><!-- Don't block any requests --><access origin="*" />index.html Content Security Policy
说明:页面上的资源白名单
主要分这几类:default-src,style-src,script-src,img-src,font-src,media-src 等
参数值可以是:*,'self','unsafe-inline',data: 等
我使用的是非常宽松的策略:
允许所有域名的数据,允许不安全的内联,允许data:(主要用于BASE64形式的图片,字体等)
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline';img-src * 'self' data:;font-src 'self' data:">下面是官方示例:
<!-- Good default declaration: * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this: * Enable inline JS: add 'unsafe-inline' to default-src * Enable eval(): add 'unsafe-eval' to default-src--><meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"><!-- Allow everything but only from the same origin and foo.com --><meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"><!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that * CSS only from the same origin and inline styles, * scripts only from the same origin and inline styles, and eval()--><meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"><!-- Allows XHRs only over HTTPS on the same domain. --><meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"><!-- Allow iframe to https://cordova.apache.org/ --><meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org">