全局安全检查完善：注入bridge的时候，如果没有通过安全校验，则移除注入的bridge对象

Author: lemon

.idea/misc.xml

@@ -21,11 +21,19 @@
         function toast(params = 'toast data') {
             window.easyBridge.callHandler('toast', 'toast with:' + params + 'at ' + new Date().toLocaleString());
         }
+
+        function jumpToPage(){
+            var url=document.getElementById('tv_url').value;
+            window.open(url);
+        }
     </script>
 </head>
 
 <body>
 
+<input type="text" value="http://google.com" id="tv_url">
+<input type="button" value="jump" onclick="jumpToPage()">
+
 <a href="javascript:toast('click toast')">
     <h3>测试Toast</h3>
 </a>

app/src/main/assets/demo.html

@@ -1,15 +1,14 @@
 package easily.tech.easybridge
 
+import android.net.Uri
 import android.os.Build
 import android.support.v7.app.AppCompatActivity
 import android.os.Bundle
-import android.webkit.WebChromeClient
-import android.webkit.WebView
+import android.webkit.*
 import android.widget.Toast
 import easily.tech.easybridge.handler.ToastHandler
 import easily.tech.easybridge.lib.EasyBridgeWebChromeClient
 import easily.tech.easybridge.lib.ResultCallBack
-import easily.tech.easybridge.lib.SecurityPolicyChecker
 import kotlinx.android.synthetic.main.activity_main.*
 
 class MainActivity : AppCompatActivity() {
@@ -20,7 +19,27 @@ class MainActivity : AppCompatActivity() {
             WebView.setWebContentsDebuggingEnabled(true)
         }
         setContentView(R.layout.activity_main)
+        webView.webViewClient = object : WebViewClient() {
+            override fun shouldOverrideUrlLoading(view: WebView?, url: String?): Boolean {
+                return false
+            }
+        }
+        // set a global security checker,all the url with scheme https/http is not allowed to using the bridge
+        webView.setPolicyChecker(({ url, parameters ->
+            val page = Uri.parse(url)
+            when (parameters) {
+            // control the bridge inject action
+                EasyBridgeWebChromeClient.SECURITY_CHECK_PARAMETERS -> when (page.scheme) {
+                    "http" -> false
+                    "https" -> false
+                    else -> true
+                }
+                else -> true
+            }
+        }))
+
         webView.registerHandler(ToastHandler(this))
+
         webView.loadUrl("file:///android_asset/demo.html")
         // call JavaScript From Java
         webView.postDelayed({
@@ -32,4 +51,12 @@ class MainActivity : AppCompatActivity() {
             })
         }, 5000)
     }
+
+    override fun onBackPressed() {
+        if (webView.canGoBack()) {
+            webView.goBack()
+        } else {
+            super.onBackPressed()
+        }
+    }
 }

app/src/main/java/easily/tech/easybridge/MainActivity.kt

@@ -10,16 +10,12 @@ public class EasyBridgeWebChromeClient extends WebChromeClient {
 
     private static final String BRIDGE_SCRIPT_PATH = "easybridge.js";
     private static final String JAVA_SCRIPT_PROTOCOL = "javascript:";
-
-
-    protected SecurityPolicyChecker securityPolicyChecker;
-
+    public static final String SECURITY_CHECK_PARAMETERS = "inject bridge script";
     private boolean isInjected;
     private EasyBridgeWebView easyBridgeWebView;
 
     public EasyBridgeWebChromeClient(EasyBridgeWebView webView) {
         this.easyBridgeWebView = webView;
-        this.securityPolicyChecker = webView.getPolicyChecker();
     }
 
     @Override
@@ -28,13 +24,29 @@ public void onProgressChanged(WebView view, int newProgress) {
         // inject the bridge code when the progress above 25% to make sure it worked
         if (newProgress <= 25) {
             isInjected = false;
-        } else if (!isInjected) {
-            if (securityPolicyChecker == null || securityPolicyChecker.check(view.getUrl(), "")) {
+            return;
+        }
+        if (!isInjected) {
+            // TODO: 2018/4/3 it seems that the url received here possibly not the same as the real page url we look forward to
+            if (easyBridgeWebView.checkSecurityGlobally(view.getUrl(), SECURITY_CHECK_PARAMETERS)) {
                 isInjected = true;
-                String bridgeScript = Utils.readAssetFile(view.getContext(), BRIDGE_SCRIPT_PATH);
-                String executeScript = "var bridgeName = " + "\"" + easyBridgeWebView.getBridgeName() + "\"" + ";" + bridgeScript;
-                view.loadUrl(String.format("%s%s", JAVA_SCRIPT_PROTOCOL, executeScript));
+                injectBridge(view);
+            } else {
+                deleteBridge(view);
             }
         }
     }
+
+    private void injectBridge(WebView view) {
+        String bridgeScript = Utils.readAssetFile(view.getContext(), BRIDGE_SCRIPT_PATH);
+        String executeScript = "var bridgeName = " + "\"" + easyBridgeWebView.getBridgeName() + "\"" + ";" + bridgeScript;
+        view.loadUrl(String.format("%s%s", JAVA_SCRIPT_PROTOCOL, executeScript));
+    }
+
+    private void deleteBridge(WebView view) {
+        // execute script below to remove the bridge had set before :
+        // delete _easybridge;
+        String script = "delete " + EasyBridgeWebView.MAPPING_JS_INTERFACE_NAME + ";";
+        view.loadUrl(String.format("%s%s", JAVA_SCRIPT_PROTOCOL, script));
+    }
 }

easybridge/src/main/java/easily/tech/easybridge/lib/EasyBridgeWebChromeClient.java

@@ -10,11 +10,20 @@
 import easily.tech.easybridge.lib.handler.BridgeHandler;
 
 /**
+ * this class is the main entrance of the library,you are supposed to do things as bellow:
+ * 1. register handler that to be call by JavaScript:{@link #registerHandler(BridgeHandler)}
+ * 2. set a global security checker:{@link #setPolicyChecker(SecurityPolicyChecker)}
+ *    before inject a bridge,you will receive a check request with the parameters:{@link EasyBridgeWebChromeClient#SECURITY_CHECK_PARAMETERS},make your idea about it;
+ * 3. you can make a global security check by:{@link #checkSecurityGlobally(String, String)}
+ * 4. you can call the JavaScript function with:{@link #callHandler(String, String, ResultCallBack)},
+ *    but make sure before:you had register a JavaScript handler using the bridge,the code is like below:
+ *    "window.easyBridge.registerHandler(handlerName,realFunction)"
+ * <p>
  * Created by lemon on 29/03/2018.
  */
 public class EasyBridgeWebView extends WebView {
 
-    private static final String MAPPING_JS_INTERFACE_NAME = "_easybridge";
+    static final String MAPPING_JS_INTERFACE_NAME = "_easybridge";
     private static final String DEFAULT_BRIDGE_NAME = "easyBridge";
     private final EasyBridge easyBridge;
     private String bridgeName = DEFAULT_BRIDGE_NAME;
@@ -79,10 +88,16 @@ public String getBridgeName() {
         return bridgeName;
     }
 
-    public SecurityPolicyChecker getPolicyChecker() {
-        return policyChecker;
+    public boolean checkSecurityGlobally(String url, String parameters) {
+        return policyChecker == null || policyChecker.check(url, parameters);
     }
 
+    /**
+     * make sure that ,the instance {@link SecurityPolicyChecker} set here is working globally,
+     * if the security checked failed ,the bridge is not allowed to using (it will remove the bridge inner)
+     *
+     * @param policyChecker a global {@link SecurityPolicyChecker} instance
+     */
     public void setPolicyChecker(SecurityPolicyChecker policyChecker) {
         this.policyChecker = policyChecker;
     }