This article aims to deeply explore the technical details of the Huawei HarmonyOS Next system (up to API 12 as of now), and is summarized based on actual development practices.
It mainly serves as a vehicle for technical sharing and communication. Mistakes and omissions are inevitable. Colleagues are welcome to put forward valuable opinions and questions so that we can make progress together.
This article is original content, and any form of reprint must indicate the source and the original author.

### Introduction
The advanced security mode of the ArkWeb framework provides developers with more powerful security control capabilities, which can help developers enhance the security of applications and prevent attacks on Web applications. This article will introduce the various features of the ArkWeb advanced security mode, how to enable and use these features, and discuss other security measures such as CSP policies, X-Frame-Options headers, and X-Content-Type-Options headers.
### Features of the Advanced Security Mode
The ArkWeb advanced security mode offers the following security features:
- Disable WebAssembly: WebAssembly is a Web standard that allows developers to write code in multiple programming languages (such as C/C++, Rust, etc.) and compile it into code that can run in a browser. WebAssembly offers high performance and low overhead, but it also carries security risks, such as code injection attacks.
- Disable WebGL/WebGL2: WebGL is a Web standard that allows developers to use the HTML5 canvas element to create 2D and 3D graphics. WebGL/WebGL2 has powerful graphics rendering capabilities, but it also has security risks, such as memory leak attacks and buffer overflow attacks.
- Disable PDF Viewer Preview Function: The PDF viewer preview function allows users to preview PDF files in a browser. PDF files may contain malicious code, such as malicious scripts or malicious plugins, so disabling the PDF viewer preview function can reduce security risks.
- Disable MathML: MathML is a Web standard that allows developers to use XML syntax to represent mathematical formulas. MathML may contain malicious code, such as malicious scripts or malicious plugins, so disabling MathML can reduce security risks.
- Disable Web Speech API: The Web Speech API allows developers to use voice recognition and voice synthesis functions. The Web Speech API may be misused by malicious developers, such as stealing users' voice information or controlling users' devices, so disabling the Web Speech API can reduce security risks.
- Disable RTCDataChannel: RTCDataChannel is part of the WebRTC protocol and allows Web applications to perform peer-to-peer data transmission. RTCDataChannel may be misused by malicious developers, such as stealing users' communication data or controlling users' devices, so disabling RTCDataChannel can reduce security risks.
- Disable MediaDevices.getUserMedia: MediaDevices.getUserMedia allows developers to request access to users' cameras and microphones. MediaDevices.getUserMedia may be misused by malicious developers, such as stealing users' video or audio information, so disabling MediaDevices.getUserMedia can reduce security risks.
- Disable Service Worker: Service Worker allows developers to create services that can run in the background, such as caching resources, pushing notifications, etc. Service Worker may be misused by malicious developers, such as stealing users' cached data or controlling users' devices, so disabling Service Worker can reduce security risks.
- Disable Non-Proxy UDP Traffic: Non-Proxy UDP Traffic may be misused by malicious developers, such as performing DDoS attacks or stealing users' network data, so disabling Non-Proxy UDP Traffic can reduce security risks.
- Disable Just-In-Time (JIT) Compilation: The Just-In-Time (JIT) Compilation ability allows browsers to compile JavaScript code into machine code to improve code execution efficiency. The JIT Compilation ability may be misused by malicious developers, such as injecting malicious code or stealing users' computing resources, so disabling the JIT Compilation ability can reduce security risks.

### How to Enable the Advanced Security Mode
You can enable the advanced security mode of ArkWeb by following these steps:
- Add the following permission in the application's module.json5 file:

```json5
"requestPermissions": [
  {
    "name": "ohos.permission.SECURITY_SERVICE"
  }
]
```

- Call the following API in the application's entry file (such as EntryAbility.ets) to enable the advanced security mode:

```typescript
import { webview } from '@ohos.web.webview';
//...
webview.WebviewController.enableAdvancedSecurityMode({
  enable: true, // Enable the advanced security mode
  disableWebAssembly: true, // Disable WebAssembly
  disableWebGL: true, // Disable WebGL
  disablePDFViewer: true, // Disable PDF viewer
  disableMathML: true, // Disable MathML
  disableWebSpeechAPI: true, // Disable Web Speech API
  disableRTCDataChannel: true, // Disable RTCDataChannel
  disableMediaDevicesGetUserMedia: true, // Disable MediaDevices.getUserMedia
  disableServiceWorker: true, // Disable Service Worker
  disableNonProxyUDP: true, // Disable non-proxy UDP traffic
  disableJITCompilation: true // Disable Just-In-Time (JIT) Compilation
});
```
### Other Security Measures
In addition to the advanced security mode, you can also take the following measures to enhance the security of your application:
- Content Security Policy (CSP): CSP is a security mechanism that allows developers to specify which resources can be loaded by a Web application and which resources cannot be loaded. CSP can effectively prevent security vulnerabilities such as cross-site scripting attacks (XSS).
- X-Frame-Options Header: The X-Frame-Options Header can prevent clickjacking attacks. This header can specify which frames can display the content of a Web application and which frames cannot.
- X-Content-Type-Options Header: The X-Content-Type-Options Header can prevent MIME type confusion attacks. With this header set, the browser uses the content type the Web application declares instead of trying to guess it.

### Example Code
The following example code shows how to use the ArkWeb API to enable the advanced security mode and disable specific high-risk features. It also shows how to configure the CSP policy and how to set the X-Frame-Options and X-Content-Type-Options headers:

```typescript
import { webview } from '@ohos.web.webview';
import { abilityAccessCtrl } from '@ohos.ability';
//...
// Enable the advanced security mode and disable specific high-risk features
webview.WebviewController.enableAdvancedSecurityMode({
  enable: true, // Enable the advanced security mode
  disableWebAssembly: true, // Disable WebAssembly
  disableWebGL: true, // Disable WebGL
  //... Other high-risk features to disable
});
// Configure the CSP policy
webview.WebviewController.setCSP({
  "default-src": "'self'", // Allow loading of same-origin resources
  "script-src": "'self' https://trusteddomain.com", // Allow loading of same-origin resources and scripts from a specific domain
  "style-src": "'self' https://trusteddomain.com", // Allow loading of same-origin resources and styles from a specific domain
  //... Other CSP rules to configure
});
// Set the X-Frame-Options header
webview.WebviewController.setHttpHeader({
  "key": "X-Frame-Options",
  "value": "DENY" // Prohibit display in frames
});
// Set the X-Content-Type-Options header
webview.WebviewController.setHttpHeader({
  "key": "X-Content-Type-Options",
  "value": "nosniff" // Prohibit the browser from attempting to guess the content type
});
```
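
The three response headers described under Other Security Measures can also be checked on the content that the Web component loads. The following is an added example, not part of the original article and not an ArkWeb API: `parseCsp`, `auditSecurityHeaders` and the sample header sets are hypothetical names and constructed data, and the code is plain TypeScript meant for a test or CI step that has the response headers in hand.

```typescript
type HeaderMap = { [name: string]: string };

// Split a Content-Security-Policy value into a directive -> source-list map.
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditSecurityHeaders(raw: HeaderMap): string[] {
  const findings: string[] = [];
  // Header names are case-insensitive, so normalise them before lookup.
  const h: HeaderMap = {};
  for (const k of Object.keys(raw)) h[k.toLowerCase()] = raw[k].trim();
  const csp = parseCsp(h["content-security-policy"] || "");
  if (csp.size === 0) {
    findings.push("CSP: header missing");
  } else {
    // script-src falls back to default-src when it is absent.
    const scripts = csp.get("script-src") || csp.get("default-src");
    if (!scripts) findings.push("CSP: no script-src or default-src");
    for (const src of scripts || []) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'" || src === "*") {
        findings.push(`CSP: script source ${src} weakens XSS protection`);
      }
    }
  }
  // Framing is restricted by X-Frame-Options or by CSP frame-ancestors.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN" && !csp.has("frame-ancestors")) {
    findings.push("X-Frame-Options: missing or invalid, and no frame-ancestors");
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: must be nosniff");
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const STRICT: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusteddomain.com",
  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
};
const WEAK: HeaderMap = { "content-security-policy": "script-src 'unsafe-inline' *" };
```

`auditSecurityHeaders(STRICT)` returns an empty list, while `auditSecurityHeaders(WEAK)` reports both weak script sources and the two missing headers.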
### Summary
The advanced security mode of the ArkWeb framework provides developers with powerful security control capabilities, which can help developers enhance the security of applications and prevent attacks on Web applications. By understanding the various features of the advanced security mode and taking other security measures such as CSP policies, X-Frame-Options headers, and X-Content-Type-Options headers, you can develop more secure and reliable Web applications and protect users' privacy and data security.