Cordova: CSP issue on Android when requesting data over HTTPS


Problem description

Cordova Android is an Android application library that allows for Cordova-based projects to be built for the Android Platform. Cordova based applications are, at the core, applications written with web technology: HTML, CSS and JavaScript. Apache Cordova is a project of The Apache Software Foundation (ASF).

I have developed an app with Cordova which works as expected on iOS, and on Android when the signed app gets deployed from Android Studio direct to a Samsung S6.

However, when downloading the app from Google Play it does not get requested data from an HTTPS request.

Here are the whitelist settings in the config.xml:

<plugin name="cordova-plugin-whitelist" version="1" />
<access origin="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
    <allow-intent href="market:*" />
</platform>
<platform name="ios">
    <allow-intent href="itms:*" />
    <allow-intent href="itms-apps:*" />
</platform>

And the CSP settings in the index.html

<meta http-equiv="Content-Security-Policy" content="default-src 'self' gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *; connect-src *">

This is the request that does not get the data (without any meaningful error message - e.type is just an empty string)

_routingControl = L.Routing.control({
    plan: L.Routing.plan([
        L.latLng(coords),
        L.latLng(_userMarker.getLatLng())
    ], {
        createMarker: function() { return false; }
    }),
    fitSelectedRoutes: true,
    autoRoute: true,
    show: false,
    serviceUrl: 'https://router.project-osrm.org/viaroute'
});

Since this works on iOS I suppose there is an issue with the Whitelist/CSP setting.

Can somebody explain why this is not working when app is downloaded from the app store?

Recommended answer

@barbu, your fix in just a second.

One of the things that is baffling me is developers going from a "Development IDE" to Google Play. As someone who builds with Phonegap Build, my workflow does not include a cable and 'adb'. Perhaps you can explain the reasoning with this process.

On your issues, you will need to implement the whitelist system. This worksheet should help.
HOW TO apply the Cordova/Phonegap the whitelist system

There is also a document that is linked from there to the Whitelist CSP Examples. In short, the way it is usually applied is the CSP is expanded from a web browser, then that meta element is added to the App. However in your case, you will likely work backwards.

Typically, when I give the answer I give the whitelist and CSP. You may be able to start with just the CSP. Best of Luck.

Add this to your config.xml

<allow-navigation href="*" />
<allow-intent href="*" />
<access origin="*" /> <!-- Required for iOS9 -->

NOTE YOUR APP IS NOW INSECURE. IT IS UP TO YOU TO SECURE YOUR APP.
Add the following to your index.html

<meta http-equiv="Content-Security-Policy" 
         content="default-src *; 
                  style-src * 'self' 'unsafe-inline' 'unsafe-eval'; 
                  script-src * 'self' 'unsafe-inline' 'unsafe-eval';">

Sidenote: gap: from what I have right now, is only required for Cordova iOS, SEE: Simon Mac Donald Adds
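
The following is an added example, not code from the question or the answer: a simplified CSP source-list matcher that checks whether a `connect-src` request to the OSRM endpoint from the question is permitted under the question's policy, the answer's wildcard policy, and a scoped variant. `SCOPED_CSP`, the `SELF` origin and the `example.com` URL used in checks are constructed assumptions; the matcher ignores ports and paths and treats `*` as http(s) only.

```javascript
// Policies copied from the page; SCOPED_CSP is a constructed, tighter variant.
const QUESTION_CSP = "default-src 'self' gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *; connect-src *";
const ANSWER_CSP = "default-src *; style-src * 'self' 'unsafe-inline' 'unsafe-eval'; script-src * 'self' 'unsafe-inline' 'unsafe-eval';";
const SCOPED_CSP = QUESTION_CSP.replace("connect-src *", "connect-src https://router.project-osrm.org");
const SELF = "https://localhost"; // assumed app origin, only used for 'self'
const OSRM = "https://router.project-osrm.org/viaroute";

// Split a policy string into { directive: [sources] }; the first occurrence wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified source-expression match (no port or path handling).
function sourceMatches(source, url, selfOrigin) {
  if (source === "*") return ["http:", "https:"].includes(url.protocol);
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[2].toLowerCase();
  return host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// XHR/fetch are governed by connect-src, which falls back to default-src.
function connectAllowed(policy, target, selfOrigin) {
  const d = parseCsp(policy);
  const sources = d["connect-src"] || d["default-src"];
  if (!sources) return true; // no applicable directive, CSP does not restrict
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Summarise which of the three policies admit a given request URL.
function report(target) {
  return {
    question: connectAllowed(QUESTION_CSP, target, SELF),
    answer: connectAllowed(ANSWER_CSP, target, SELF),
    scoped: connectAllowed(SCOPED_CSP, target, SELF),
  };
}
```

All three policies admit the OSRM request, while only the scoped variant rejects a connection to an unrelated host, so `connect-src` can be limited to the routing service without falling back to `default-src *`.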
