Android Iframe SameOrigin on user sites

We have an Android application that embeds our website. However, to prevent clickjacking, we have the following directive in our proxy configuration:

    Header add X-FRAME-OPTIONS "SAMEORIGIN"

This is a very common Cross-Origin resource sharing strategy.

Unfortunately, the WebView in Android has an origin like file://, which is different from the domain we use. This results in an error because X-Frame-Options SAMEORIGIN refuses to display the page.

What strategies (both on the proxy and on the client side) can I use so that the Android application can interact with our site (without removing SAMEORIGIN entirely)?

+5
2 answers

I don't think you can do it, since Chromium does not see Allow-From as a feature [1], and Android depends heavily on Chromium's frames for WebViews.

I assume your requirement is to block browser-based lookups?

Since you cannot use Allow-From, you might consider an approach similar to the one described in this BlackHat talk [2], UI Redressing Attacks on Android Devices. I'd recommend reading the entire PDF; it is really interesting stuff.

Check out Chapter 5, MITIGATION TECHNIQUES, Section 1, Browser-Based UI Redressing.

    <!-- Hide the whole page by default; the style is removed only when the page is not framed -->
    <style id="antiClickjack">body{display:none !important;}</style>
    <script type="text/javascript">
      if (self === top) {
        // Not inside a frame: remove the hiding style so the page becomes visible
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
      } else {
        // Inside a frame: break out by navigating the top window to this page
        top.location = self.location;
      }
    </script>

[1] https://code.google.com/p/chromium/issues/detail?id=129139#c20
[2] https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf

+2

WebView has a loadDataWithBaseURL() method. You can read in your file and pass whatever origin you need as the base URL.

    public void loadDataWithBaseURL(String baseUrl, String data, String mimeType, String encoding, String historyUrl)

Loads data into this WebView using baseUrl as the base URL for the content. The base URL is used both to resolve relative URLs and when applying the same JavaScript origin policy.

+2
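An added example (not code from either answer) of the approach described above: the app reads a bundled HTML shell from its assets and loads it with the site's origin as baseUrl, so an iframe pointing at that origin passes the SAMEORIGIN check. The asset name shell.html, the origin https://example.com/ and the class name are assumptions.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.stream.Collectors;

public final class SameOriginShellLoader {
    // Assumed origin served by the proxy; the loaded shell is treated as this origin.
    private static final String SITE_ORIGIN = "https://example.com/";

    public static void loadShell(WebView webView) throws IOException {
        // Read the bundled shell page (assumed asset "shell.html"). Only trusted,
        // packaged content should be given the site's origin: anything loaded
        // this way can script same-origin frames of the site.
        String html;
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(
                webView.getContext().getAssets().open("shell.html"),
                StandardCharsets.UTF_8))) {
            html = reader.lines().collect(Collectors.joining("\n"));
        }

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // The shell no longer runs as file://, so keep file-URL cross-origin
        // access switched off rather than widening it.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // baseUrl sets the document origin used for the same-origin policy, which is
        // what the SAMEORIGIN check compares against for
        // <iframe src="https://example.com/..."> inside the shell.
        webView.loadDataWithBaseURL(SITE_ORIGIN, html, "text/html", "UTF-8", null);
    }
}
```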

Source: https://habr.com/ru/post/1240450/
