如何解决"JavaScript接口注入漏洞的补救"? [英] How to address "Remediation for JavaScript Interface Injection Vulnerability"?
问题描述
Google已要求我解决 https://support.google.com/faqs/answer/9095419 在我的Android应用中,这基本上意味着不要对通过HTTP加载的网页使用JavaScript注入机制.
Google has asked me to address https://support.google.com/faqs/answer/9095419 in my Android app, which basically means not to use the JavaScript injection mechanism for a web page loaded via HTTP.
不使用此机制(选项1)对我不起作用.将android:usesCleartextTraffic设置为false也不起作用,因为该应用在其他地方使用了非HTTPS流量.这样就给我留下了您可以确保任何受影响的WebView都不会通过loadUrl通过HTTP方案加载任何URL",我很乐意这样做,因为我的应用仅使用file:///URL将内容加载到WebView中,这应该是安全的明智选择.但是,我需要如何编码shouldOverrideUrlLoading方法,以便Google的检查器可以识别出我仅使用file:///URL?
Not using this mechanism (option 1) doesn't work for me. Setting android:usesCleartextTraffic to false also doesn't work, as the app uses non-HTTPS traffic elsewhere. So that leaves me with "you can ensure that any affected WebViews do not load any URLs with HTTP schemes via loadUrl" - which I'm happy to do, as my app only uses file:/// URLs to load content into the WebView, which should be fine security-wise. But how do I need to code the shouldOverrideUrlLoading method so that Google's checker recognizes that I'm using only file:/// URLs?
请注意,该问题与针对JavaScript接口注入漏洞的补救措施(因为我很清楚要问的是什么)和在Android中,JavaScript接口注入漏洞(因为我不是使用HTTP,而是使用file:///URL).
Note that the question is different from both Remediation for JavaScript Interface Injection Vulnerability (because I'm clear what is being asked) and In Android, JavaScript Interface Injection Vulnerability (because I'm not using HTTP, but file:/// URLs).
添加我的shouldOverrideUrlLoading方法. (这不是全部方法,而是其中的重要部分.)
Adding my shouldOverrideUrlLoading method. (This isn't the entire method, but the salient part of it.)
@Override
public boolean shouldOverrideUrlLoading (WebView browser, String url) {
if (url.startsWith("file:///")) {
// This is my web site, so do not override; let my WebView load the page
browser.loadUrl(url);
return true;
}
// Otherwise, the link is not for a page on my site, or is an entirely different kind of URI
// (like tel:, geo: or mailto:), so launch another Activity that handles URLs
act.startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
return true;
}
推荐答案
我还没有找到一种可满足Google代码检查器要求的将file://网址与资产一起使用的方法.尽管这可以解决问题,但我仍然不清楚如何编码.
I have not found a way to use file:// URLs with assets in a way that satisfies Google code checker. While this would solve the issue, I'm still not clear how one might need to code it.
我最终要做的-解决了我的紧迫问题-是通过WebView.evaluateJavascript方法调用JavaScript方法.从WebViewClient.onPageFinished内部调用时,页面已完成加载,因此可以访问所有元素.尽管对于我的情况而言并不重要,但是此方法也可以将值返回给Java代码.因此,尽管它不是JavascriptInterface的一般替代品,但它可以解决其一些用例.
What I ended up doing -which solves my immediate problem- is to call a JavaScript method via the WebView.evaluateJavascript method. When called from within WebViewClient.onPageFinished the page has finished loading, so all elements are accessible. While not important for my case, this method can also return a value to the Java code. So while it's not a general replacement for a JavascriptInterface, it addresses some of its uses cases.
这篇关于如何解决"JavaScript接口注入漏洞的补救"?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
