Embedding an Iframe having CSP 2.0 in a mobile app: "frame-ancestors" issue
Question
Building a hybrid app with the Ionic framework, I need to embed an Iframe in one of my pages. My problem is that the page loaded with the iframe does have the following CSP:
"frame-ancestors http://foo.somedomain.com"
Which works just fine on my browser. However, whenever I try this on the application itself, the content is not loaded due to:
Refused to display 'http://foo.somedomain.com' in a frame because an ancestor violates the following Content Security Policy directive "frame-ancestors http://*.somedomain.com"
That makes sense as the app request doesn't have a domain.
So my question is simple:
How can I identify my app (iOS and Android) so that it passes the frame-ancestors CSP?
I see that I can pass many things to that frame-ancestor: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors but I don't see how to validate that the request is coming from a mobile application.
Recommended answer
On Android, you can follow the steps at https://github.com/ionic-team/cordova-plugin-ionic-webview to specify a custom domain and scheme to use. Namely:
<preference name="Hostname" value="app" />
<preference name="Scheme" value="https" />
The issue lies in Ionic's use of a webserver on iOS. Still trying to figure that one out.
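As an added illustration (not part of the original question or answer), this JavaScript sketch applies a simplified form of CSP host-source matching to the directive from the error message, to show which embedding origins it accepts. It assumes the WebView otherwise loads the app from `file://` or `http://localhost`, that the answer's preferences give the app the origin `https://app`, and that the framed site's operator adds that origin to the header; `portal.somedomain.com` and all function names are made up for the example.

```javascript
// Added example: simplified frame-ancestors matching (not a full CSP implementation).
// Handles 'none' and host-sources with an explicit scheme, e.g. http://*.somedomain.com[:port].
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function parseSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1].toLowerCase() + ':', wildcard: Boolean(m[2]),
           host: m[3].toLowerCase(), port: m[4] || null };
}

function sourceMatchesOrigin(expr, ancestorUrl) {
  const src = parseSource(expr);
  if (!src) return false;
  let url;
  try { url = new URL(ancestorUrl); } catch (e) { return false; }
  // Scheme: exact match, or an http: source also accepting an https: ancestor.
  if (src.scheme !== url.protocol &&
      !(src.scheme === 'http:' && url.protocol === 'https:')) return false;
  // Host: "*.example.com" matches subdomains only, never the bare domain.
  const host = url.hostname.toLowerCase();
  if (src.wildcard ? !host.endsWith('.' + src.host) : host !== src.host) return false;
  // Port: a source without a port only matches the scheme's default port.
  const def = DEFAULT_PORT[url.protocol] || '';
  const port = url.port || def;
  if (src.port === '*') return true;
  return port === (src.port === null ? def : src.port);
}

// Every ancestor in the frame chain must match at least one listed source.
function frameAllowed(directive, ancestorUrls) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  if (name.toLowerCase() !== 'frame-ancestors') throw new Error('not frame-ancestors');
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  return ancestorUrls.every(a => sources.some(s => sourceMatchesOrigin(s, a)));
}

const PAGE_POLICY = 'frame-ancestors http://*.somedomain.com'; // from the error message
// Assumed server-side change: the framed site also lists the app's origin.
const EXTENDED_POLICY = 'frame-ancestors http://*.somedomain.com https://app';
// Constructed ancestor URLs: a browser page, two assumed WebView defaults, the answer's setting.
const ANCESTORS = ['http://portal.somedomain.com/', 'file:///android_asset/www/index.html',
                   'http://localhost/', 'https://app/'];

function report(policy) {
  return ANCESTORS.map(a => [a, frameAllowed(policy, [a])]);
}
console.log(report(PAGE_POLICY), report(EXTENDED_POLICY));
```

Giving the app a stable origin is only half of the fix: the directive is sent by the framed site, so the embedding is accepted only once that site lists the app's origin.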