
I have been doing a security review for a client and came across this line in config.xml; it is a PhoneGap application for Android devices:

<access origin=".*"/>

If it were just origin=* I would know that it means the app can access any other site. But what does .* mean? Is it the same as *?

Thanks


3 Answers

1

From the Cordova Android source code:

private void _addWhiteListEntry(String origin, boolean subdomains) {
    try {
        // Unlimited access to network resources
        if (origin.compareTo("*") == 0) {
            LOG.d(TAG, "Unlimited access to network resources");
            this.whiteList.add(Pattern.compile(".*"));
        } else { // specific access
            // check if subdomains should be included
            // TODO: we should not add more domains if * has already been added
            if (subdomains) {
                // XXX making it stupid friendly for people who forget to include protocol/SSL
                if (origin.startsWith("http")) {
                    this.whiteList.add(Pattern.compile(origin.replaceFirst("https?://", "^https?://(.*\\.)?")));
                } else {
                    this.whiteList.add(Pattern.compile("^https?://(.*\\.)?" + origin));
                }
                LOG.d(TAG, "Origin to allow with subdomains: %s", origin);
            } else {
                // XXX making it stupid friendly for people who forget to include protocol/SSL
                if (origin.startsWith("http")) {
                    this.whiteList.add(Pattern.compile(origin.replaceFirst("https?://", "^https?://")));
                } else {
                    this.whiteList.add(Pattern.compile("^https?://" + origin));
                }
                LOG.d(TAG, "Origin to allow: %s", origin);
            }
        }
    } catch (Exception e) {
        LOG.d(TAG, "Failed to add origin %s", origin);
    }
}

So apparently, unless it is exactly *, they treat everything as a regular expression. I believe relying on this behaviour is probably not a good idea, because it is not documented and is not in the targeted W3C Widget Access specification. (I think it may not even be intentional.)

But .* is still used in the PhoneGap 2.5.0 project template, so for now it is fine, as long as you stick to one version of PhoneGap.

Answered 2013-03-03T18:18:48.817
0

The * means wildcard. When the * is present, it means that the app can access any external site. If you replace the * with a domain, then it will only allow the app to access that particular site.

<access origin="*" /> // all external domains
<access origin="http://google.com" /> // app can only reach google, all other domains are restricted
Answered 2014-12-24T03:56:43.030
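To make the two answers above concrete, here is an added Python port of the _addWhiteListEntry() logic quoted from the Cordova Android source, together with a small matcher that shows what origin="*", origin=".*" and a specific domain actually permit. This is example code written for this page, not Cordova's own code; the page does not show how Cordova applies the compiled patterns to a URL, so Matcher.find() semantics (Python re.search) are assumed, and the sample URLs are constructed.

```python
import re
from typing import List, Tuple, Dict


def whitelist_pattern(origin: str, subdomains: bool) -> "re.Pattern":
    """Python port (assumed equivalent) of Cordova's _addWhiteListEntry().

    '*' becomes the match-anything pattern '.*'; every other origin is spliced
    into a regex as-is, so regex metacharacters in the origin are NOT escaped.
    """
    if origin == "*":
        # Unlimited access to network resources
        return re.compile(".*")
    prefix = r"^https?://(.*\.)?" if subdomains else r"^https?://"
    if origin.startswith("http"):
        # Java's replaceFirst("https?://", prefix): replace only the leading scheme
        return re.compile(re.sub(r"https?://", lambda m: prefix, origin, count=1))
    return re.compile(prefix + origin)


def build_whitelist(entries: List[Tuple[str, bool]]) -> List["re.Pattern"]:
    """entries are (origin, subdomains) pairs as they would appear in config.xml."""
    return [whitelist_pattern(origin, subdomains) for origin, subdomains in entries]


def is_allowed(url: str, whitelist: List["re.Pattern"]) -> bool:
    # Assumption: Cordova uses find()-style matching, so the pattern only has to
    # match somewhere in the URL (all patterns here are anchored with ^ anyway).
    return any(p.search(url) for p in whitelist)


def compare_star_and_dot_star() -> Dict[str, Tuple[bool, bool]]:
    """For each constructed URL, return (allowed by '*', allowed by '.*')."""
    urls = [
        "http://example.com/",                      # plain http origin
        "https://api.example.net/v1/data",          # any https host
        "ftp://files.example.com/",                 # non-http scheme
        "file:///android_asset/www/index.html",     # local asset
    ]
    star = build_whitelist([("*", True)])
    dot_star = build_whitelist([(".*", True)])
    return {u: (is_allowed(u, star), is_allowed(u, dot_star)) for u in urls}


def specific_domain_results() -> Dict[str, bool]:
    """What a single specific origin with subdomains enabled permits."""
    wl = build_whitelist([("example.com", True)])
    return {
        "http://example.com/": is_allowed("http://example.com/", wl),
        "https://www.example.com/login": is_allowed("https://www.example.com/login", wl),
        "http://other.example.org/": is_allowed("http://other.example.org/", wl),
    }


if __name__ == "__main__":
    for url, (by_star, by_dot_star) in compare_star_and_dot_star().items():
        print(f"{url:45} * -> {by_star!s:5} .* -> {by_dot_star!s:5}")
    for url, ok in specific_domain_results().items():
        print(f"{url:45} example.com -> {ok}")
```

The output shows the practical answer to the question: ".*" is spliced into the pattern ^https?://(.*\.)?.* and therefore allows every http and https URL, which is as permissive as "*" for web traffic; the only difference is that "*" (compiled as the bare .*) also matches non-http schemes such as ftp:// or file://. For a security review, either value should be read as "no whitelist for web origins". Note also that the origin is never regex-escaped, so the dot in example.com is itself a wildcard character, a detail worth checking against the actual Cordova version in use.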
0

I don't think it is necessary:

http://www.w3.org/TR/widgets-access/

It is not mentioned in the PhoneGap documentation:

http://docs.phonegap.com/en/2.5.0/guide_whitelist_index.md.html#Domain%20Whitelist%20Guide

Here is the regular expression reference:

http://www.regular-expressions.info/reference.html

".*" matches 
"def" "ghi" in 
abc "def" "ghi" jkl
Answered 2013-03-03T18:09:06.193