作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
我们最近收到了一封来自 google 的电子邮件,内容涉及我们在 google play 商店上发布的应用程序。
以下是他们在邮件中的陈述。
Hello Google Play Developer,
The apps listed at the end of this email have a WebView File-based Cross-Site Scripting issue which can allow a malicious network to access any file accessible to your app.
What's happening
One or more of your apps contain a File-based Cross-Site Scripting vulnerability that must be fixed. Please refer to the notice on your Play Console for the deadline to fix this vulnerability. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected.
Action required
WebViews with WebSettings that set either setAllowFileAccessFromFileURLs orsetAllowUniversalAccessFromFileURLs to true must not load any untrusted web content. This includes content from trusted domains that is loaded over HTTP. Malicious web content or networks can inject scripts to redirect the WebView to a malicious file and launch a Cross-Site Scripting attack to access private local files or cookies.
You should prevent this vulnerability in one of the following ways:
Ensure that WebViews do not have dangerous settings - You can update yourandroid:targetSdkVersion in your Manifest to be at least 16 to use safe default settings for WebView. Otherwise, you can callsetAllowFileAccessFromFileURLs(false) andsetAllowUniversalAccessFromFileURLs(false) to ensure that their WebViews are safe.
Ensure that WebViews cannot load file:// URLs or execute JavaScript - You can call setAllowFileAccess(false) to prevent WebViews with dangerous settings from loading file:// URLs or call setJavaScriptEnabled(false) to prevent WebViews with dangerous settings from executing JavaScript code.
Ensure that WebViews with dangerous settings not load untrusted web content - If a WebView needs to enable these dangerous settings, you must ensure that it does not load untrusted web content.
We recommend that you also ensure that WebViews with dangerous settings do not load web content over HTTP. You can set android:usesCleartextTraffic=false or set aNetwork Security Config that disallows HTTP traffic in your Manifest. Alternatively, you can ensure that any WebViews with dangerous settings do not load any URLs with HTTP schemes.
Lastly, you should also ensure that WebViews with dangerous settings do not load URLs obtained from untrusted sources.
Next steps
Update your app using the steps highlighted above.
Sign in to your Play Console and submit the updated version of your app.
Check back after five hours; we will show a warning message if the app hasn't been updated correctly.
现在的问题是我们实际上在我们的应用程序中加载了本地 html 文件,这需要一些 javascript 交互以及需要访问本地资源,因此我们必须保持以下权限为真。
callsetAllowFileAccessFromFileURLs(true). setAllowUniversalAccessFromFileURLs(false). setJavaScriptEnabled(true).
可能的解决方案是什么以及我如何安全地防止我的应用程序中的漏洞?
最佳答案
首先,如果您使用的是 WebView ,请添加以下代码:
webView.getSettings().setLoadsImagesAutomatically(true);
webView.getSettings().setJavaScriptEnabled(true);
webView.setInitialScale(1);
webView.getSettings().setDefaultZoom(WebSettings.ZoomDensity.FAR);
webView.getSettings().setLoadWithOverviewMode(true);
webView.getSettings().setUseWideViewPort(true);
webView.getSettings().setBuiltInZoomControls(false);
webView.getSettings().setDisplayZoomControls(false);
webView.getSettings().setDomStorageEnabled(true);
webView.getSettings().setAllowFileAccess(true);
您还必须将以下代码添加到 manifest.xml
中:
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />
我希望它能解决你的问题。
关于android - Google Play 警告 : Your app contains a File-based XSS issue? JavaScript 启用 = True,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50791306/
我是一名优秀的程序员,十分优秀!