WebView whitelist
2022-07-28 23:07:00 【ZZ White Dragon】
1. When to add white list verification
1. loadUrl
2. shouldOverrideUrlLoading
3. If the white list needs to be divided into security levels, a verification function also has to be added in the JavascriptInterface; inside the JavascriptInterface, call webview.getUrl() to obtain the domain the WebView currently has loaded.
Risk warning:
Even if you do all of the above, you may still be attacked. For example, a server in the white list may have an XSS vulnerability, a server in the white list may be controlled by an attacker, or the WebView may have accessed the page without a secure transport channel and been hijacked by a man in the middle; in each case malicious JavaScript can be injected into a domain the white list trusts.
2. Code implementation
private boolean checkDomain(String inputUrl) throws URISyntaxException {
    if (!inputUrl.startsWith("http://") && !inputUrl.startsWith("https://")) {
        // Important reminder: it is recommended to use only the https protocol, to avoid man-in-the-middle attacks
        return false;
    }
    String[] whiteList = new String[]{"site1.com", "site2.com"};
    java.net.URI url = new java.net.URI(inputUrl);
    String inputDomain = url.getHost();
    // extract the host; if the path must also be verified it can be obtained with url.getPath()
    // getHost() returns null when the URI has no parsable host (for example "http:///path"); treat that as no match
    if (inputDomain == null) {
        return false;
    }
    for (String whiteDomain : whiteList) {
        // exact match, or a sub-domain such as www.site1.com / app.site2.com;
        // the leading "." keeps a host like "evilsite1.com" from matching "site1.com"
        if (inputDomain.endsWith("." + whiteDomain) || inputDomain.equals(whiteDomain)) {
            return true;
        }
    }
    return false;
}
This can be summarized as the following development suggestions:
Do not use fuzzy substring matching such as indexOf;
Do not write regular expressions to match the domain name;
Use the domain-name extraction methods Java already encapsulates, such as java.net.URI, as much as possible; do not use java.net.URL;
Set a white list not only for the domain name but also for the protocol. The commonly used protocols are HTTP and HTTPS, but it is strongly recommended not to allow HTTP: in the mobile Internet era the bar for a man-in-the-middle attack on a phone is very low, and a single malicious WiFi hotspot can hijack the phone's network traffic;
Apply the principle of least privilege: use the most precise domain name or path possible.
Of course, the above code may not fully meet the needs of business development; it is only a reference, and you can build a verification method better suited to your own case on the basis of this article.
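The following is an added example, not code from the original article, showing how the three hook points from section 1 and the suggestions above fit together in an Android WebView: a shared allow-list check that also white-lists the protocol and handles a null host, a WebViewClient that applies it in both shouldOverrideUrlLoading overloads and in a loadUrl wrapper, and a JavascriptInterface that checks the calling page with webView.getUrl(). The class names UrlAllowList, AllowListWebViewClient and NativeBridge, the method getSecret and its return value are hypothetical; the host names site1.com and site2.com are the article's own examples.

```java
import android.os.Looper;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.FutureTask;
import java.util.concurrent.TimeUnit;

/** Allow-list check shared by all three hook points (host names are the article's examples). */
final class UrlAllowList {
    // Protocol white list: only https, as the article recommends, so a hostile WiFi cannot rewrite the page.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("https");
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("site1.com", "site2.com");

    static boolean isAllowed(String inputUrl) {
        if (inputUrl == null) return false;
        URI uri;
        try {
            uri = new URI(inputUrl);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected rather than failing open
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // getHost() is null for inputs without a parsable host, e.g. "https:///x"; reject those.
        // Note that "https://site1.com@evil.com" parses with host "evil.com", which is exactly the
        // case an indexOf()-style substring check would let through.
        if (scheme == null || host == null) return false;
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1); // "site1.com." is "site1.com"
        if (!ALLOWED_SCHEMES.contains(scheme)) return false;
        for (String allowed : ALLOWED_HOSTS) {
            // exact match or a sub-domain; the leading dot stops "evilsite1.com" from matching "site1.com"
            if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
        }
        return false;
    }
}

/** Hook points 1 and 2: a loadUrl() wrapper and shouldOverrideUrlLoading(). */
final class AllowListWebViewClient extends WebViewClient {
    @Override // API 24 and later
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return !UrlAllowList.isAllowed(request.getUrl().toString()); // returning true blocks the navigation
    }

    @Override // older devices still call the String overload
    @SuppressWarnings("deprecation")
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !UrlAllowList.isAllowed(url);
    }

    /** Hook point 1: never pass an unchecked string (for example one taken from an Intent) to loadUrl(). */
    static void loadUrlIfAllowed(WebView webView, String url) {
        if (UrlAllowList.isAllowed(url)) webView.loadUrl(url);
    }
}

/** Hook point 3: a JavascriptInterface that checks which page is calling it via webView.getUrl(). */
final class NativeBridge {
    private final WebView webView;
    NativeBridge(WebView webView) { this.webView = webView; }

    @JavascriptInterface // registered with webView.addJavascriptInterface(new NativeBridge(webView), "native")
    public String getSecret() {
        // Bridge methods run on the WebView's JavaBridge thread, but getUrl() must be called on the UI thread.
        String callerUrl = currentUrlOnUiThread();
        if (!UrlAllowList.isAllowed(callerUrl)) return ""; // a page outside the white list gets nothing
        return "hypothetical-sensitive-value";
    }

    private String currentUrlOnUiThread() {
        if (Looper.myLooper() == Looper.getMainLooper()) return webView.getUrl();
        FutureTask<String> task = new FutureTask<>(webView::getUrl);
        webView.post(task); // View.post() runs the task on the UI thread
        try {
            return task.get(2, TimeUnit.SECONDS);
        } catch (Exception e) {
            return null; // timeout or interruption: unknown caller, which isAllowed() rejects
        }
    }
}
```

The check deliberately fails closed at every step: an unparsable URL, a missing host, a scheme other than https, or a bridge call whose current URL cannot be determined all result in a refusal. The UI-thread hand-off in NativeBridge is needed because WebView methods, including getUrl(), may only be called on the thread that created the view.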
This post was learned from the following blog:
https://blog.csdn.net/weixin_33816946/article/details/94607053