Notes on injecting Java objects into a WebView
Source: Internet Published by: 山西知达常青藤中学校 Editor: 程序博客网 Time: 2024/06/04 01:07
Before Android 4.2, the injection steps were:

```java
webView.getSettings().setJavaScriptEnabled(true);

class JsObject {
    public String toString() { return "injectedObject"; }
}

webView.addJavascriptInterface(new JsObject(), "injectedObject");
```
On Android 4.2 and later, the injection steps are:

```java
webView.getSettings().setJavaScriptEnabled(true);

class JsObject {
    @JavascriptInterface
    public String toString() { return "injectedObject"; }
}

webView.addJavascriptInterface(new JsObject(), "injectedObject");
```
Spot the difference? Before 4.2, the toString method exposed by the object injected into the WebView carries no @JavascriptInterface annotation; from 4.2 onward it does.
The official documentation explains why. This interface lets JavaScript control the host application, which is a powerful feature, but before 4.2 it was a serious security hole: JavaScript could use reflection to reach the public fields of the Java object injected into the WebView, so using this method in a WebView that contains untrusted content would let an attacker tamper with the host application and execute Java code with the host application's permissions. From 4.2 on, any method exposed to JS must therefore carry the @JavascriptInterface annotation; with it in place, the fields of the Java object can no longer be accessed from JS.
The official documentation states:
From the Android 4.2 documentation:
Caution: If you've set your targetSdkVersion to 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your web page code (the method must also be public). If you do not provide the annotation, then the method will not be accessible by your web page when running on Android 4.2 or higher.
Note: if targetSdkVersion is set to 17 or higher but the exposed JS interface is not annotated with @JavascriptInterface, logcat prints the following: E/Web Console: Uncaught TypeError: Object [object Object] has no method 'toString'
`public void addJavascriptInterface (Object object, String name)`

Injects the supplied Java object into this WebView. The object is injected into the JavaScript context of the main frame, using the supplied name. This allows the Java object's methods to be accessed from JavaScript. For applications targeted to API level JELLY_BEAN_MR1 and above, only public methods that are annotated with JavascriptInterface can be accessed from JavaScript. For applications targeted to API level JELLY_BEAN or below, all public methods (including the inherited ones) can be accessed; see the important security note below for implications.
Note that injected objects will not appear in JavaScript until the page is next (re)loaded. For example:

```java
class JsObject {
    @JavascriptInterface
    public String toString() { return "injectedObject"; }
}
webView.addJavascriptInterface(new JsObject(), "injectedObject");
webView.loadData("", "text/html", null);
webView.loadUrl("javascript:alert(injectedObject.toString())");
```
IMPORTANT:
- This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN or below, because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.
- JavaScript interacts with the Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety.
- The Java object's fields are not accessible.
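The pattern the explanation above and the IMPORTANT notes describe, put together as an added example (not code from the original post or from the Android documentation): a bridge class that exposes only annotated methods, is injected only where the annotation gate applies, and posts UI work back to the main thread because calls arrive on the WebView's background thread. The class name AppBridge, its methods and the inline HTML page are assumptions made for this illustration.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

public class BridgeActivity extends Activity {

    // Bridge object exposed to page JavaScript (hypothetical name for this example).
    // With targetSdkVersion >= 17 on a 4.2+ device, only methods carrying
    // @JavascriptInterface are callable; other public methods, including the
    // inherited ones, and all fields stay hidden from the page.
    static class AppBridge {
        private final Activity activity;

        AppBridge(Activity activity) {
            this.activity = activity;
        }

        // Exposed: the page calls AppBridge.showToast("...").
        // JS calls run on the WebView's private background thread, so any
        // UI work is handed to the main thread instead of done here.
        @JavascriptInterface
        public void showToast(final String message) {
            activity.runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Toast.makeText(activity, message, Toast.LENGTH_SHORT).show();
                }
            });
        }

        // Exposed: the page calls AppBridge.getVersion().
        @JavascriptInterface
        public String getVersion() {
            return "1.0"; // constructed value for the example
        }

        // Not annotated: invisible to JS on 4.2+ even though it is public.
        public void internalReset() {
            // app-only housekeeping
        }
    }

    private WebView webView;

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Inject the bridge only on runtimes that enforce the annotation gate
        // (API 17, JELLY_BEAN_MR1, and above; the app must also target SDK 17+).
        // On older runtimes every public method would be reachable, so the
        // bridge is withheld there rather than exposed to page content.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(this), "AppBridge");
        }

        // Injected objects become visible only after the next (re)load, so the
        // page is loaded after addJavascriptInterface. The HTML is constructed
        // inline for the example.
        String html = "<html><body>"
                + "<button onclick=\"AppBridge.showToast('version ' + AppBridge.getVersion())\">"
                + "Call bridge</button>"
                + "<script>if (typeof AppBridge === 'undefined') "
                + "document.write('bridge not available on this runtime');</script>"
                + "</body></html>";
        webView.loadDataWithBaseURL(null, html, "text/html", "utf-8", null);
    }
}
```

Pressing the button shows a toast reading "version 1.0"; calling `AppBridge.internalReset()` from the page fails with the same `TypeError ... has no method` that the note above describes for unannotated methods, which is the behaviour the annotation gate is meant to produce.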