Restrict which web pages can call which JavaScript APIs (JSAPIs) in the mPaaS H5 container by implementing a custom access control provider.
By default, any page loaded in the H5 container can invoke any JSAPI. Implementing H5JSApiPermissionProvider lets you gate each JSAPI call by URL domain and scheme before it executes.
Procedure
-
Implement a custom access control provider. Create a class that implements
H5JSApiPermissionProviderand override its two methods:public class H5JSApiPermissionProviderImpl implements H5JSApiPermissionProvider { @Override public boolean hasDomainPermission(String jsapi, String url) { // Called for every JSAPI request. Return true to allow, false to deny. // Always check jsapi, url, and uri for null before use to avoid NullPointerException. Uri uri = Uri.parse(url); String domain = uri.getHost(); String scheme = uri.getScheme(); if (!TextUtils.isEmpty(domain) && domain.equals("www.example.com") && "https".equals(scheme)) { return true; } else { return false; } } @Override public boolean hasThisPermission(String jsapi, String url) { // Controls JSAPI-level permission regardless of URL. // Return false to defer all per-JSAPI decisions to hasDomainPermission. return false; } }Method reference:
Method
Parameters
Return value
hasDomainPermission(String jsapi, String url)jsapi: JSAPI name being called;url: URL of the calling pagetrueto allow the call;falseto deny ithasThisPermission(String jsapi, String url)Same as above
trueto grant permission at the JSAPI level, bypassing domain checks;falseto rely onhasDomainPermissionImportantMatch URLs precisely. Always check at minimum the URI scheme and host. Avoid imprecise string methods such as
contains,startsWith,endsWith, andindexOf. Use regular expressions only if you can guarantee they are anchored and unambiguous. -
Register the provider. Call
setProviderafter mPaaS initializes and before the H5 container launches.H5Utils.setProvider(H5JSApiPermissionProvider.class.getName(), new H5JSApiPermissionProviderImpl());