Cordova: CSP issue on Android when requesting data over HTTPS

Time: 2015-12-07 22:50:08

Tags: android cordova cordova-plugins cordova-3 osrm

  

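Cordova Android is an Android application library that allows Cordova-based projects to be built for the Android platform. Cordova-based applications are, at their core, applications written with web technology: HTML, CSS and JavaScript. Apache Cordova is a project of the Apache Software Foundation (ASF).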

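I developed an app using Cordova that works fine on iOS, and on Android when the signed app is deployed directly from Android Studio to a Samsung S6.

However, when the app is downloaded from Google Play, it fails to get the requested data from an HTTPS request.

Here are the whitelist settings in config.xml: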

<plugin name="cordova-plugin-whitelist" version="1" />
<access origin="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
    <allow-intent href="market:*" />
</platform>
<platform name="ios">
    <allow-intent href="itms:*" />
    <allow-intent href="itms-apps:*" />
</platform>

CSP settings in index.html:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *; connect-src *">

This is the request that fails to get data (without any meaningful error message - e.type is just an empty string):

_routingControl = L.Routing.control({
    plan: L.Routing.plan([
        L.latLng(coords),
        L.latLng(_userMarker.getLatLng())
    ], {
        createMarker: function() { return false; }
    }),
    fitSelectedRoutes: true,
    autoRoute: true,
    show: false,
    serviceUrl: 'https://router.project-osrm.org/viaroute'
});

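Since this works on iOS, I think there is a problem with the whitelist/CSP settings.

Can someone explain why this does not work when the app is downloaded from the app store?

1 answer:

Answer 0: (score: 0)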

@barbu, your fix in just a second.

One of the things that is baffling me is developers going from a "Development IDE" to Google Play. As someone who builds with Phonegap Build, my workflow does not include a cable and 'adb'. Perhaps you can explain the reasoning with this process.

On your issue, you will need to implement the whitelist system. This worksheet should help.
HOW TO apply the Cordova/Phonegap the whitelist system

There is also a document that is linked from there to the Whitelist CSP Examples. In short, the way it is usually applied is the CSP is expanded from a web browser, then that meta element is added to the App. However in your case, you will likely work backwards.

The Fix

Typically, when I give the answer I give the whitelist and CSP. You may be able to start with just the CSP. Best of Luck.

Add this to your config.xml

<allow-navigation href="*" />
<allow-intent href="*" />
<access origin="*" /> <!-- Required for iOS9 -->

NOTE YOUR APP IS NOW INSECURE. IT IS UP TO YOU TO SECURE YOUR APP.
Add the following to your index.html

<meta http-equiv="Content-Security-Policy" 
         content="default-src *; 
                  style-src * 'self' 'unsafe-inline' 'unsafe-eval'; 
                  script-src * 'self' 'unsafe-inline' 'unsafe-eval';">

Sidenote: gap: from what I have right now, is only required for Cordova iOS, SEE: Simon Mac Donald Adds
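
To see which CSP directive governs the OSRM request under each policy on this page, the sketch below parses the policies and evaluates the `serviceUrl` against them. It is an added example, not code from the question or the answer; the source matching is simplified (ports and paths are ignored, keywords such as 'self' are treated as not matching a cross-origin URL), and `TIGHT_CSP`, `parseCsp`, `sourceMatches` and `checkConnect` are hypothetical names introduced here.

```javascript
// Added example: minimal CSP evaluator for fetch/XHR destinations (simplified matching).
// Policies are copied from the question and the answer; TIGHT_CSP is a constructed alternative.
const QUESTION_CSP = "default-src 'self' gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *; connect-src *";
const ANSWER_CSP = "default-src *; style-src * 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "script-src * 'self' 'unsafe-inline' 'unsafe-eval';";
const TIGHT_CSP = "default-src 'self' gap: https://ssl.gstatic.com; connect-src https://router.project-osrm.org";

// Parse "name src src; name src" into { name: [sources] }; first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression cover the URL? Handles '*', scheme-sources, and host-sources
// with optional scheme and leading "*." wildcard. Keywords such as 'self' never match here
// (assumption: the request is cross-origin, as the OSRM call is).
function sourceMatches(source, url) {
  if (source === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && m[1].toLowerCase() + ':' !== url.protocol) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// connect-src governs XHR/fetch; default-src applies only when connect-src is absent.
function checkConnect(policy, target) {
  const d = parseCsp(policy), url = new URL(target);
  const directive = 'connect-src' in d ? 'connect-src' : 'default-src' in d ? 'default-src' : null;
  const sources = directive ? d[directive] : [];
  return {
    directive,
    allowed: directive === null || sources.some((s) => sourceMatches(s, url)),
    wildcard: sources.includes('*'),
  };
}

const OSRM = 'https://router.project-osrm.org/viaroute';
for (const [name, csp] of Object.entries({ QUESTION_CSP, ANSWER_CSP, TIGHT_CSP })) {
  console.log(name, checkConnect(csp, OSRM), 'other host allowed:',
    checkConnect(csp, 'https://example.invalid/x').allowed);
}
```

Both policies from the page permit the OSRM request through a wildcard (`connect-src *` in the question, `default-src *` in the answer), while the constructed policy permits the same request and rejects connections to any other host.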