How to dynamically change Cordova whitelist?


Question

We have an application that has multiple whitelabel solutions for clients - meaning they are hosted under their own domain.

We have one Cordova app and we want that users can visit all these sites with this app, but I don't want to redeploy every time we sign a new client.

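  • Is it possible to load the whitelist through a URL or something similar? That would mean we can add domains dynamically through a database.
  • Is there a huge security risk when whitelisting all URLs?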

https://cordova.apache.org/docs/en/latest/guide/appdev/whitelist/

Example

To clarify, I would love to have something like a URL that you can point to where it loads every time on startup the whitelist settings.

http://myexampledomain.com/whitelist.config

  <allow-navigation href="*.myexampledomain.com/*" />
  <allow-navigation href="*.subdomain.someclientdomain.com/*" />
  <allow-navigation href="*.subdomain.someclientdomainb.com/" />
  <allow-navigation href="*.subdomain.someclientdomainc.com/" />

...this file would be automatically loaded on startup.

Creating a JS-based plugin

If there's no current solution, is it possible to do this safely by creating a (JavaScript based) Cordova plugin? Like manually redirecting when the URL we try to load is outside a whitelist?

This means we would Cordova-whitelist everything and use our own plugin to block out everything outside our own whitelist.

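(I know this is not safe when the database is compromised, but in that case we generally have bigger problems. Our app is for fun and doesn't depend on critical functionality.)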

Recommended answer

Here are a couple more options from my experience here:

  1. Open the URLs with the InAppBrowser plugin and the '_system' target. This should open the URL in the native browser, with the URL in full view. This seems to be allowed without whitelist adjustments.

window.open(url, '_system', 'location=yes,enableViewportScale=yes');

  2. If you need to stay in your app (and not open the native browser), you could do a hacky work-around where you load a page that you control and trust, and pass it a dynamic URL. On that page you could then have an iframe whose source is dynamically changed based on the passed in parameters. The app could pass in the desired URL via querystring, then just change the iframe from there.
    Obviously it'd be good to limit the URLs that you'll allow there to a list you control.
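
The restriction recommended for the iframe workaround, as an added example that is not part of the original answer. The function names, the `url` query parameter and the `content` element id are assumptions; the allowlist is constructed sample data using the domains from the question.

```javascript
// Constructed sample allowlist using the domains from the question; in the
// scenario above it would be fetched over HTTPS from a server you control.
const SAMPLE_ALLOWLIST = ['*.myexampledomain.com', 'subdomain.someclientdomain.com'];

// Hypothetical helper: '*.example.com' matches any subdomain of example.com,
// but not 'evilexample.com' (the suffix must start at a dot boundary).
function hostMatches(host, entry) {
  const e = entry.toLowerCase();
  if (e.startsWith('*.')) {
    const suffix = e.slice(1); // '.example.com'
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === e;
}

// Returns the normalized URL if it may be loaded in the iframe, else null.
function checkFrameUrl(rawUrl, allowlist) {
  let u;
  try {
    u = new URL(rawUrl); // absolute URLs only; anything unparsable is rejected
  } catch (err) {
    return null;
  }
  if (u.protocol !== 'https:') return null;   // rejects javascript:, data:, file:, http:
  if (u.username || u.password) return null;  // rejects https://allowed.host@other.host/
  return allowlist.some((e) => hostMatches(u.hostname, e)) ? u.href : null;
}

// On the trusted wrapper page: read ?url=... and point the iframe at it only
// when it passes the check; otherwise load a blank frame.
function applyFromQuery(search, allowlist, frame) {
  const requested = new URLSearchParams(search).get('url') || '';
  const safe = checkFrameUrl(requested, allowlist);
  frame.src = safe || 'about:blank';
  return safe !== null;
}

// Browser wiring (the element id 'content' is an assumption).
if (typeof document !== 'undefined') {
  applyFromQuery(location.search, SAMPLE_ALLOWLIST, document.getElementById('content'));
}
```

Because the check runs on the wrapper page, the allowlist can change on the server without rebuilding the app.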
