Diffstat (limited to 'plugins/cordova-plugin-whitelist')
| -rw-r--r-- | plugins/cordova-plugin-whitelist/CONTRIBUTING.md | 37 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/LICENSE | 202 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/NOTICE | 5 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/README.md | 144 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/RELEASENOTES.md | 28 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/package.json | 34 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/plugin.xml | 47 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java | 161 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h | 31 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m | 89 | ||||
| -rw-r--r-- | plugins/cordova-plugin-whitelist/whitelist.js | 27 |
11 files changed, 805 insertions, 0 deletions
diff --git a/plugins/cordova-plugin-whitelist/CONTRIBUTING.md b/plugins/cordova-plugin-whitelist/CONTRIBUTING.md new file mode 100644 index 00000000..e4a178f5 --- /dev/null +++ b/plugins/cordova-plugin-whitelist/CONTRIBUTING.md @@ -0,0 +1,37 @@ +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--> + +# Contributing to Apache Cordova + +Anyone can contribute to Cordova. And we need your contributions. + +There are multiple ways to contribute: report bugs, improve the docs, and +contribute code. + +For instructions on this, start with the +[contribution overview](http://cordova.apache.org/#contribute). + +The details are explained there, but the important items are: + - Sign and submit an Apache ICLA (Contributor License Agreement). + - Have a Jira issue open that corresponds to your contribution. + - Run the tests so your patch doesn't break existing functionality. + +We look forward to your contributions! diff --git a/plugins/cordova-plugin-whitelist/LICENSE b/plugins/cordova-plugin-whitelist/LICENSE new file mode 100644 index 00000000..7a4a3ea2 --- /dev/null +++ b/plugins/cordova-plugin-whitelist/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License.
\ No newline at end of file diff --git a/plugins/cordova-plugin-whitelist/NOTICE b/plugins/cordova-plugin-whitelist/NOTICE new file mode 100644 index 00000000..8ec56a52 --- /dev/null +++ b/plugins/cordova-plugin-whitelist/NOTICE @@ -0,0 +1,5 @@ +Apache Cordova +Copyright 2012 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (http://www.apache.org/). diff --git a/plugins/cordova-plugin-whitelist/README.md b/plugins/cordova-plugin-whitelist/README.md new file mode 100644 index 00000000..77944c31 --- /dev/null +++ b/plugins/cordova-plugin-whitelist/README.md 
@@ -0,0 +1,144 @@ +<!--- + license: Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> + +# cordova-plugin-whitelist + +This plugin implements a whitelist policy for navigating the application webview on Cordova 4.0 + +## Supported Cordova Platforms + +* Android 4.0.0 or above +* iOS 4.0.0 or above + +## Navigation Whitelist +Controls which URLs the WebView itself can be navigated to. Applies to +top-level navigations only. + +Quirks: on Android it also applies to iframes for non-http(s) schemes. + +By default, navigations only to `file://` URLs, are allowed. To allow other +other URLs, you must add `<allow-navigation>` tags to your `config.xml`: + + <!-- Allow links to example.com --> + <allow-navigation href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-navigation href="*://*.example.com/*" /> + + <!-- A wildcard can be used to whitelist the entire network, + over HTTP and HTTPS. 
+ *NOT RECOMMENDED* --> + <allow-navigation href="*" /> + + <!-- The above is equivalent to these three declarations --> + <allow-navigation href="http://*/*" /> + <allow-navigation href="https://*/*" /> + <allow-navigation href="data:*" /> + +## Intent Whitelist +Controls which URLs the app is allowed to ask the system to open. +By default, no external URLs are allowed. + +On Android, this equates to sending an intent of type BROWSEABLE. + +This whitelist does not apply to plugins, only hyperlinks and calls to `window.open()`. + +In `config.xml`, add `<allow-intent>` tags, like this: + + <!-- Allow links to web pages to open in a browser --> + <allow-intent href="http://*/*" /> + <allow-intent href="https://*/*" /> + + <!-- Allow links to example.com to open in a browser --> + <allow-intent href="http://example.com/*" /> + + <!-- Wildcards are allowed for the protocol, as a prefix + to the host, or as a suffix to the path --> + <allow-intent href="*://*.example.com/*" /> + + <!-- Allow SMS links to open messaging app --> + <allow-intent href="sms:*" /> + + <!-- Allow tel: links to open the dialer --> + <allow-intent href="tel:*" /> + + <!-- Allow geo: links to open maps --> + <allow-intent href="geo:*" /> + + <!-- Allow all unrecognized URLs to open installed apps + *NOT RECOMMENDED* --> + <allow-intent href="*" /> + +## Network Request Whitelist +Controls which network requests (images, XHRs, etc) are allowed to be made (via cordova native hooks). + +Note: We suggest you use a Content Security Policy (see below), which is more secure. This whitelist is mostly historical for webviews which do not support CSP. + +In `config.xml`, add `<access>` tags, like this: + + <!-- Allow images, xhrs, etc. 
to google.com --> + <access origin="http://google.com" /> + <access origin="https://google.com" /> + + <!-- Access to the subdomain maps.google.com --> + <access origin="http://maps.google.com" /> + + <!-- Access to all the subdomains on google.com --> + <access origin="http://*.google.com" /> + + <!-- Enable requests to content: URLs --> + <access origin="content:///*" /> + + <!-- Don't block any requests --> + <access origin="*" /> + +Without any `<access>` tags, only requests to `file://` URLs are allowed. However, the default Cordova application includes `<access origin="*">` by default. + +Quirk: Android also allows requests to https://ssl.gstatic.com/accessibility/javascript/android/ by default, since this is required for TalkBack to function properly. + +### Content Security Policy +Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly). + +On Android and iOS, the network request whitelist (see above) is not able to filter all types of requests (e.g. `<video>` & WebSockets are not blocked). So, in addition to the whitelist, you should use a [Content Security Policy](http://content-security-policy.com/) `<meta>` tag on all of your pages. + +On Android, support for CSP within the system webview starts with KitKat (but is available on all versions using Crosswalk WebView). + +Here are some example CSP declarations for your `.html` pages: + + <!-- Good default declaration: + * gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication + * https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly + * Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. 
To change this: + * Enable inline JS: add 'unsafe-inline' to default-src + * Enable eval(): add 'unsafe-eval' to default-src + --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *"> + + <!-- Allow requests to foo.com --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com"> + + <!-- Enable all requests, inline styles, and eval() --> + <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> + + <!-- Allow XHRs via https only --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:"> + + <!-- Allow iframe to https://cordova.apache.org/ --> + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://cordova.apache.org"> diff --git a/plugins/cordova-plugin-whitelist/RELEASENOTES.md b/plugins/cordova-plugin-whitelist/RELEASENOTES.md new file mode 100644 index 00000000..703552ca --- /dev/null +++ b/plugins/cordova-plugin-whitelist/RELEASENOTES.md 
@@ -0,0 +1,28 @@ +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--> +# Release Notes + +### 1.0.0 (Mar 25, 2015) +* CB-8739 added missing license headers +* Add @Override to CustomConfigXmlParser methods +* Change ID to cordova-plugin-whitelist rather than reverse-DNS-style +* Tweak CSP examples in README +* CB-8660 remove extra commas from package.json diff --git a/plugins/cordova-plugin-whitelist/package.json b/plugins/cordova-plugin-whitelist/package.json new file mode 100644 index 00000000..3bffcbcc --- /dev/null +++ b/plugins/cordova-plugin-whitelist/package.json @@ -0,0 +1,34 @@ +{ + "name": "cordova-plugin-whitelist", + "version": "1.0.1-dev", + "description": "Cordova Whitelist Plugin", + "cordova": { + "platforms": [ + "android", + "ios" + ] + }, + "repository": { + "type": "git", + "url": "https://git-wip-us.apache.org/repos/asf/cordova-plugin-whitelist.git" + }, + "keywords": [ + "cordova", + "whitelist", + "ecosystem:cordova", + "cordova-android", + "cordova-ios" + ], + "engines": [ + { + "name": "cordova-android", + "version": ">=4.0.0-dev" + }, + { + "name": "cordova-ios", + "version": ">=4.0.0-dev" + } + ], + "author": "Apache Software Foundation", + "license": "Apache 2.0" +} 
diff --git a/plugins/cordova-plugin-whitelist/plugin.xml b/plugins/cordova-plugin-whitelist/plugin.xml
new file mode 100644
index 00000000..6e6b0e0a
--- /dev/null
+++ b/plugins/cordova-plugin-whitelist/plugin.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<plugin xmlns="http://apache.org/cordova/ns/plugins/1.0"
+ id="cordova-plugin-whitelist"
+ version="1.0.1-dev">
+ <name>Whitelist</name>
+ <description>Cordova Network Whitelist Plugin</description>
+ <license>Apache 2.0</license>
+ <keywords>cordova,whitelist,policy</keywords>
+
+ <engines>
+ <engine name="cordova-android" version=">=4.0.0-dev" />
+ </engines>
+
+ <platform name="android">
+ <config-file target="res/xml/config.xml" parent="/*">
+ <feature name="Whitelist" >
+ <param name="android-package" value="org.apache.cordova.whitelist.WhitelistPlugin"/>
+ <param name="onload" value="true" />
+ </feature>
+ </config-file>
+
+ <source-file src="src/android/WhitelistPlugin.java" target-dir="src/org/apache/cordova/whitelist" />
+
+ <js-module src="whitelist.js" name="whitelist">
+ <runs />
+ </js-module>
+ </platform>
+</plugin>
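Review bot: The iOS sources this commit adds under src/ios are never installed, because plugin.xml declares only an android `<platform>` and a `cordova-android` engine, while package.json lists ios under `cordova.platforms` and `engines`. A `<platform name="ios">` section registering the feature and the two files is needed for the iOS code to take effect; until it exists, ios should come out of package.json so the plugin does not claim a platform it does not wire up. The fence below sketches that section, reusing the feature name the android block already uses; the exact `config-file` target should be checked against the other iOS plugins in this tree.
```xml
    <!-- … unchanged: android platform block … -->
    <platform name="ios">
        <config-file target="config.xml" parent="/*">
            <feature name="Whitelist">
                <param name="ios-package" value="CDVNavigationWhitelistPlugin" />
                <param name="onload" value="true" />
            </feature>
        </config-file>
        <header-file src="src/ios/CDVNavigationWhitelistPlugin.h" />
        <source-file src="src/ios/CDVNavigationWhitelistPlugin.m" />
    </platform>
```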
diff --git a/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java b/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java
new file mode 100644
index 00000000..4e4f57e1
--- /dev/null
+++ b/plugins/cordova-plugin-whitelist/src/android/WhitelistPlugin.java
@@ -0,0 +1,161 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+*/
+
+package org.apache.cordova.whitelist;
+
+import org.apache.cordova.CordovaPlugin;
+import org.apache.cordova.ConfigXmlParser;
+import org.apache.cordova.Whitelist;
+import org.xmlpull.v1.XmlPullParser;
+
+import android.content.Context;
+import android.util.Log;
+
+public class WhitelistPlugin extends CordovaPlugin {
+ private static final String LOG_TAG = "WhitelistPlugin";
+ private Whitelist allowedNavigations;
+ private Whitelist allowedIntents;
+ private Whitelist allowedRequests;
+
+ // Used when instantiated via reflection by PluginManager
+ public WhitelistPlugin() {
+ }
+ // These can be used by embedders to allow Java-configuration of whitelists.
+ public WhitelistPlugin(Context context) {
+ this(new Whitelist(), new Whitelist(), null);
+ new CustomConfigXmlParser().parse(context);
+ }
+ public WhitelistPlugin(XmlPullParser xmlParser) {
+ this(new Whitelist(), new Whitelist(), null);
+ new CustomConfigXmlParser().parse(xmlParser);
+ }
+ public WhitelistPlugin(Whitelist allowedNavigations, Whitelist allowedIntents, Whitelist allowedRequests) {
+ if (allowedRequests == null) {
+ allowedRequests = new Whitelist();
+ allowedRequests.addWhiteListEntry("file:///*", false);
+ allowedRequests.addWhiteListEntry("data:*", false);
+ }
+ this.allowedNavigations = allowedNavigations;
+ this.allowedIntents = allowedIntents;
+ this.allowedRequests = allowedRequests;
+ }
+ @Override
+ public void pluginInitialize() {
+ if (allowedNavigations == null) {
+ allowedNavigations = new Whitelist();
+ allowedIntents = new Whitelist();
+ allowedRequests = new Whitelist();
+ new CustomConfigXmlParser().parse(webView.getContext());
+ }
+ }
+
+ private class CustomConfigXmlParser extends ConfigXmlParser {
+ @Override
+ public void handleStartTag(XmlPullParser xml) {
+ String strNode = xml.getName();
+ if (strNode.equals("content")) {
+ String startPage = xml.getAttributeValue(null, "src");
+ allowedNavigations.addWhiteListEntry(startPage, false);
+ } else if (strNode.equals("allow-navigation")) {
+ String origin = xml.getAttributeValue(null, "href");
+ if ("*".equals(origin)) {
+ allowedNavigations.addWhiteListEntry("http://*/*", false);
+ allowedNavigations.addWhiteListEntry("https://*/*", false);
+ allowedNavigations.addWhiteListEntry("data:*", false);
+ } else {
+ allowedNavigations.addWhiteListEntry(origin, false);
+ }
+ } else if (strNode.equals("allow-intent")) {
+ String origin = xml.getAttributeValue(null, "href");
+ allowedIntents.addWhiteListEntry(origin, false);
+ } else if (strNode.equals("access")) {
+ String origin = xml.getAttributeValue(null, "origin");
+ String subdomains = xml.getAttributeValue(null, "subdomains");
+ boolean external = (xml.getAttributeValue(null, "launch-external") != null);
+ if (origin != null) {
+ if (external) {
+ Log.w(LOG_TAG, "Found <access launch-external> within config.xml. Please use <allow-intent> instead.");
+ allowedIntents.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ } else {
+ if ("*".equals(origin)) {
+ allowedRequests.addWhiteListEntry("http://*/*", false);
+ allowedRequests.addWhiteListEntry("https://*/*", false);
+ } else {
+ allowedRequests.addWhiteListEntry(origin, (subdomains != null) && (subdomains.compareToIgnoreCase("true") == 0));
+ }
+ }
+ }
+ }
+ }
+ @Override
+ public void handleEndTag(XmlPullParser xml) {
+ }
+ }
+
+ @Override
+ public Boolean shouldAllowNavigation(String url) {
+ if (allowedNavigations.isUrlWhiteListed(url)) {
+ return true;
+ }
+ return null; // Default policy
+ }
+
+ @Override
+ public Boolean shouldAllowRequest(String url) {
+ if (Boolean.TRUE == shouldAllowNavigation(url)) {
+ return true;
+ }
+ if (allowedRequests.isUrlWhiteListed(url)) {
+ return true;
+ }
+ return null; // Default policy
+ }
+
+ @Override
+ public Boolean shouldOpenExternalUrl(String url) {
+ if (allowedIntents.isUrlWhiteListed(url)) {
+ return true;
+ }
+ return null; // Default policy
+ }
+
+ public Whitelist getAllowedNavigations() {
+ return allowedNavigations;
+ }
+
+ public void setAllowedNavigations(Whitelist allowedNavigations) {
+ this.allowedNavigations = allowedNavigations;
+ }
+
+ public Whitelist getAllowedIntents() {
+ return allowedIntents;
+ }
+
+ public void setAllowedIntents(Whitelist allowedIntents) {
+ this.allowedIntents = allowedIntents;
+ }
+
+ public Whitelist getAllowedRequests() {
+ return allowedRequests;
+ }
+
+ public void setAllowedRequests(Whitelist allowedRequests) {
+ this.allowedRequests = allowedRequests;
+ }
+}
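Review bot: In `handleStartTag` the `content`, `allow-navigation` and `allow-intent` branches pass the raw attribute value to `addWhiteListEntry`, so a tag that lacks `src`/`href` hands a null pattern to the whitelist, while the `access` branch guards with `if (origin != null)`; the same guard belongs in front of the other three calls, e.g. `if (origin != null) { allowedIntents.addWhiteListEntry(origin, false); }`. The request whitelist is also seeded differently on the two construction paths: the three-argument constructor defaults a null `allowedRequests` to `file:///*` and `data:*`, but `pluginInitialize()` (the PluginManager path, which the `onload` param in plugin.xml makes the normal one) starts from an empty `new Whitelist()`, so an app whose config.xml has no `<access>` tag can get different `shouldAllowRequest` answers for file:/data: URLs depending on how the plugin was instantiated; routing `pluginInitialize()` through the same default (a small `defaultRequestWhitelist()` helper used by both) removes the divergence. Finally, `Boolean.TRUE == shouldAllowNavigation(url)` only works because autoboxing returns the cached instance; `Boolean.TRUE.equals(shouldAllowNavigation(url))` states the intent without relying on that.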
diff --git a/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h b/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h
new file mode 100644
index 00000000..d0b93654
--- /dev/null
+++ b/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.h
@@ -0,0 +1,31 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+#import <UIKit/UIKit.h>
+#import <Cordova/CDVPlugin.h>
+#import <Cordova/CDVWhitelist.h>
+
+@interface CDVNavigationWhitelistPlugin : CDVPlugin {}
+
+@property (nonatomic, readonly, strong) CDVWhitelist* whitelist; // readonly for public
+
+- (BOOL)shouldAllowNavigationToURL:(NSURL *)url;
+- (BOOL)shouldAllowRequestForURL:(NSURL *)url;
+
+@end
diff --git a/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m b/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m
new file mode 100644
index 00000000..5895e89b
--- /dev/null
+++ b/plugins/cordova-plugin-whitelist/src/ios/CDVNavigationWhitelistPlugin.m
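Review bot: The header declares `shouldAllowRequestForURL:`, but the .m added in the next hunk implements only `shouldAllowNavigationToURL:`, so the declaration is either dead or, if the host ever sends that selector, an unrecognized-selector exception at runtime; implement it or remove it from the interface. The interface also carries no nullability annotations, and `whitelist` is assigned only inside `setViewController:` when the controller is a `CDVViewController`, so the block should be wrapped in `NS_ASSUME_NONNULL_BEGIN`/`NS_ASSUME_NONNULL_END` with `@property (nonatomic, readonly, strong, nullable) CDVWhitelist *whitelist;`. The empty `{}` after `CDVPlugin` is unnecessary with auto-synthesized ivars and can be dropped.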
@@ -0,0 +1,89 @@
+/*
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+ */
+
+#import "CDVNavigationWhitelistPlugin.h"
+#import <Cordova/CDVViewController.h>
+
+#pragma mark CDVNavigationWhitelistConfigParser
+
+@interface CDVNavigationWhitelistConfigParser : NSObject <NSXMLParserDelegate> {}
+
+@property (nonatomic, strong) NSMutableArray* whitelistHosts;
+
+@end
+
+@implementation CDVNavigationWhitelistConfigParser
+
+@synthesize whitelistHosts;
+
+- (id)init
+{
+ self = [super init];
+ if (self != nil) {
+ self.whitelistHosts = [[NSMutableArray alloc] initWithCapacity:30];
+ [self.whitelistHosts addObject:@"file:///*"];
+ [self.whitelistHosts addObject:@"content:///*"];
+ [self.whitelistHosts addObject:@"data:///*"];
+ }
+ return self;
+}
+
+- (void)parser:(NSXMLParser*)parser didStartElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName attributes:(NSDictionary*)attributeDict
+{
+ if ([elementName isEqualToString:@"allow-navigation"]) {
+ [whitelistHosts addObject:attributeDict[@"href"]];
+ }
+}
+
+- (void)parser:(NSXMLParser*)parser didEndElement:(NSString*)elementName namespaceURI:(NSString*)namespaceURI qualifiedName:(NSString*)qualifiedName
+{
+}
+
+- (void)parser:(NSXMLParser*)parser parseErrorOccurred:(NSError*)parseError
+{
+ NSAssert(NO, @"config.xml parse error line %ld col %ld", (long)[parser lineNumber], (long)[parser columnNumber]);
+}
+
+
+@end
+
+#pragma mark CDVNavigationWhitelistPlugin
+
+@interface CDVNavigationWhitelistPlugin () {}
+@property (nonatomic, strong) CDVWhitelist* whitelist;
+@end
+
+@implementation CDVNavigationWhitelistPlugin
+
+@synthesize whitelist;
+
+- (void)setViewController:(UIViewController *)viewController
+{
+ if ([viewController isKindOfClass:[CDVViewController class]]) {
+ CDVWhitelistConfigParser *whitelistConfigParser = [[CDVWhitelistConfigParser alloc] init];
+ [(CDVViewController *)viewController parseSettingsWithParser:whitelistConfigParser];
+ self.whitelist = [[CDVWhitelist alloc] initWithArray:whitelistConfigParser.whitelistHosts];
+ }
+}
+
+- (BOOL)shouldAllowNavigationToURL:(NSURL *)url
+{
+ return [self.whitelist URLIsAllowed:url];
+}
+@end
diff --git a/plugins/cordova-plugin-whitelist/whitelist.js b/plugins/cordova-plugin-whitelist/whitelist.js
new file mode 100644
index 00000000..74d7a99d
--- /dev/null
+++ b/plugins/cordova-plugin-whitelist/whitelist.js
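Review bot: `setViewController:` instantiates `CDVWhitelistConfigParser`, not the `CDVNavigationWhitelistConfigParser` defined above it, so the parser that collects `<allow-navigation href>` values (and seeds `file:///*`, `content:///*`, `data:///*`) is dead code and the navigation whitelist is built from whatever that other class gathers — presumably `<access>` origins rather than the `<allow-navigation>` tags the README documents — which would make the iOS navigation policy differ from what config.xml says. The fix is the one line `CDVNavigationWhitelistConfigParser *whitelistConfigParser = [[CDVNavigationWhitelistConfigParser alloc] init];`. In `parser:didStartElement:…`, `[whitelistHosts addObject:attributeDict[@"href"]]` raises `NSInvalidArgumentException` when the tag has no `href`, taking the app down on a malformed config; guard it with `NSString *href = attributeDict[@"href"]; if (href) { [self.whitelistHosts addObject:href]; }`. `- (id)init` should return `instancetype`, and since `NSAssert` in `parser:parseErrorOccurred:` is compiled out in release, a parse error there silently yields a partial whitelist — a log line that survives release builds would make that visible. The Android side seeds `data:*` while this file seeds `data:///*`; whether `CDVWhitelist` matches data URLs against the latter form is not visible here and should be confirmed.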
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+*/
+
+if (!document.querySelector('meta[http-equiv=Content-Security-Policy]')) {
+ var msg = 'No Content-Security-Policy meta tag found. Please add one when using the cordova-plugin-whitelist plugin.';
+ console.error(msg);
+ setInterval(function() {
+ console.warn(msg);
+ }, 10000);
+} |
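Review bot: The `querySelector` check runs synchronously when the module executes, so if cordova.js is included in `<head>` ahead of the CSP `<meta>` tag, the tag is not in the DOM yet and the page is reported as missing a policy and then nagged every 10 seconds; moving the body into a `checkCsp` function and running `if (document.readyState === 'loading') { document.addEventListener('DOMContentLoaded', checkCsp); } else { checkCsp(); }` makes the warning reliable regardless of script placement. Whether the Cordova loader already guarantees `<head>` is parsed by the time js-modules run is not visible in this hunk, so confirm against the platform's cordova.js injection order first. The check is advisory only and enforces nothing, which is fine for a diagnostic but worth a one-line comment above the `if` so nobody mistakes it for a fallback policy.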
