android 4.2以后js 的问题
来源:互联网 发布:刷爱奇艺会员软件 编辑:程序博客网 时间:2024/06/06 00:00
在android4.2以前,注入步骤如下:
webview.getSetting().setJavaScriptEnable(true);
class JsObject {
public String toString() { return "injectedObject"; }
}
webView.addJavascriptInterface(new JsObject(), "injectedObject");
Android4.2及以后,注入步骤如下:
webview.getSetting().setJavaScriptEnable(true);
class JsObject {
@JavascriptInterface
public String toString() { return "injectedObject"; }
}
webView.addJavascriptInterface(new JsObject(), "injectedObject");
发现区别没?4.2之前向webview注入的对象所暴露的接口toString没有注释语句@JavascriptInterface,而4.2及以后的则多了注释语句@JavascriptInterface
经过查官方文档所知,因为这个接口允许JavaScript 控制宿主应用程序,这是个很强大的特性,但同时,在4.2的版本前存在重大安全隐患,因为JavaScript 可以使用反射访问注入webview的java对象的public fields,在一个包含不信任内容的WebView中使用这个方法,会允许攻击者去篡改宿主应用程序,使用宿主应用程序的权限执行java代码。因此4.2以后,任何为JS暴露的接口,都需要加
@JavascriptInterface
注释,这样,这个Java对象的fields 将不允许被JS访问。
官方文档说明:
From the Android 4.2 documentation:
Caution: If you've set your targetSdkVersion to 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available your web page code (the method must also be public). If you do not provide the annotation, then the method will not accessible by your web page when running on Android 4.2 or higher.
注:如果将targetSdkVersion 设置为17或者更高,但却没有给暴露的js接口加@JavascriptInterface注释,则logcat会报如下输出:
E/Web Console: Uncaught TypeError: Object [object Object] has no method 'toString'
public void addJavascriptInterface (Object object, String name)
Added in API level 1
Injects the supplied Java object into this WebView. The object is injected into the JavaScript context of the main frame, using the supplied name. This allows the Java object's methods to be accessed from JavaScript. For applications targeted to API level JELLY_BEAN_MR1 and above, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. For applications targeted to API level JELLY_BEAN or below, all public methods (including the inherited ones) can be accessed, see the important security note below for implications.
Note that injected objects will not appear in JavaScript until the page is next (re)loaded. For example:
class JsObject { @JavascriptInterface public String toString() { return "injectedObject"; } } webView.addJavascriptInterface(new JsObject(), "injectedObject"); webView.loadData("", "text/html", null); webView.loadUrl("javascript:alert(injectedObject.toString())");
IMPORTANT:
This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN or below, because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.
JavaScript interacts with Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety.
The Java object's fields are not accessible.
Parametersobjectthe Java object to inject into this WebView's JavaScript context. Null values are ignored.namethe name used to expose the object in JavaScript
根本原因之前的版本考虑不周全通过 js可以注入到android系统内反射的方式可以执行很多代码,权限过大。
- android 4.2以后js 的问题
- android 7.0以后的popouwindow弹出问题
- 以后设计的问题
- Android解决4.2的listview setadapter以后不能添加头布局的问题
- android 4.2 系统以后的飞行模式
- Android 6.0+以后权限问题
- 在导入design包以后,Android Studio R的问题
- js函数参数传递,引号的问题,第二次犯错,记下来,以后不能犯了!
- android 问题汇总—以后会不断更新。。。
- Android 6.0以后权限申请问题
- android 协作项目的签名文件的问题,以后补充一下
- android 写文件到SD卡以后,立即拔卡的问题
- android 蓝牙模块遇到的问题,关闭蓝牙以后下次不能正常连接
- 另辟思路解决Android 4.0以后不能监听和屏蔽Home键的问题
- Android JNI问题小结(留着以后有需要的时候看。)
- android集成环信遇到的一些问题记录一下方面以后查阅
- 特意记录下Android studio上传Github出现的问题,便于以后自己查看
- android studio2.3以后给apk签名打包后安装失败的问题[INSTALL_PARSE_FAILED_NO_CERTIFICATES]
- 今天,处女面就这么被阿里廉价的拿走了
- CentOS系统安装MySQL教程
- 伙伴地址
- MyMFC(7-9)对话框 CProp3
- BZOJ 1069: [SCOI2007]最大土地面积
- android 4.2以后js 的问题
- HTML与XHTML区别比较
- 慎用create table as select,一定要注意默认值的问题---大一临时表方法
- PHP intval bcmul 方法变了
- Android开发之FastJson概述与简单使用
- 执行了getHibernateTemplate.save(user)后,控制台有hql语句输出,显示已经将数据存到数据库了,也没有抛出异常,但是去oracle数据库查的时候,压根就没有数据。。。。请问
- SolrCloud原理
- MyMFC(7-9)对话框 CPropSheet
- 11个实用的CSS学习工具