在移动应用程序中嵌入具有CSP 2.0的Iframe:问题 [英] Embedding an Iframe having CSP 2.0 in a mobile app: "frame-ancestors" issue

问题描述

使用Ionic框架构建混合应用程序，我需要将Iframe嵌入到我的页面之一.我的问题是，装有iframe的页面确实具有以下CSP:

Building an hybrid app with the Ionic framework, I need to embed to one of my page an Iframe. My problem is that the page loaded with the iframe does have the following CSP:

"frame-ancestors http://foo.somedomain.com"

在我的浏览器上可以正常工作.但是，每当我在应用程序本身上尝试此操作时，由于以下原因，将不会加载内容:

Which works just fine on my browser. However whenever I try this on the application itself the content is not loaded due to:

拒绝在框架中显示" http://foo.somedomain.com "，因为 祖先违反了以下内容安全策略指令 框架祖先http://*.somedomain.com"

Refused to display 'http://foo.somedomain.com' in a frame because an ancestor violates the following Content Security Policy directive "frame-ancestors http://*.somedomain.com"

这很有意义，因为应用程序请求没有域.

That make sense as the app request doesn't have a domain.

所以我的问题很简单:

如何识别我的应用(iOS和Android)以通过框架祖先CSP?

我看到我可以将很多东西传递给该框架祖先:

I see that I can pass many things to that frame-ancestor: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors but I don't see how to validate that the request is coming from a mobile application.

推荐答案

在android上，您可以按照

On android, you can follow the steps at https://github.com/ionic-team/cordova-plugin-ionic-webview to specify a custom domain and scheme to use. Namely:

<preference name="Hostname" value="app" />

<preference name="Scheme" value="https" />

问题出在Ionic在iOS上使用网络服务器.仍在尝试找出那个.

The issue lies in Ionic's use of a webserver on iOS. Still trying to figure that one out.

这篇关于在移动应用程序中嵌入具有CSP 2.0的Iframe:问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！