krausefx / inappbrowser.com
Showcasing what in-app browsers do under the hood
Home Page: https://inappbrowser.com
License: MIT License
If an app injects code like
var originGid = document.getElementById
document.getElementById = id => {
console.log('document.getElementById', id)
// call the original with document as `this`, otherwise WebKit throws "Illegal invocation"
return originGid.call(document, id)
}
InAppBrowser.com will not be able to detect it unless the page calls document.getElementById('someid').
This can be solved by something like this: iwestlin@87aec98
However, there is still a problem: if the injected code also uses Object.defineProperty to overwrite properties, this won't be able to detect it...
Maybe we could use window.addEventListener('error', ...) to catch errors and extract injection info from them, if we set configurable: false in Object.defineProperty
...
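The two problems raised above (an override that is only noticed when the page happens to call the method, and an override installed with Object.defineProperty) can both be approached by inspecting the property instead of calling it. The following is an added example written for this page, not code from inappbrowser.com or the commit linked above. It asks two questions about a built-in: which object on the prototype chain actually owns it (an untouched page has `getElementById` on `Document.prototype`, never as an own property of `document`), and whether the function still stringifies as native code. The stand-in object at the bottom is constructed so the same function can be exercised outside a browser; `Math.max` plays the role of the native method.

```javascript
// Capture Function.prototype.toString as early as possible; the native check
// below relies on it.
const nativeToString = Function.prototype.toString;

// Walk the prototype chain and return the object that owns `name`, or null.
function findOwner(obj, name) {
  let o = obj;
  while (o !== null) {
    if (Object.prototype.hasOwnProperty.call(o, name)) return o;
    o = Object.getPrototypeOf(o);
  }
  return null;
}

// Inspect `name` on `target` without invoking it. `expectedOwner` is the
// prototype that should own the property on an untouched page
// (Document.prototype for document.getElementById). Returns a report so the
// caller can log why something was flagged.
function inspectBuiltin(target, name, expectedOwner) {
  const owner = findOwner(target, name);
  if (owner === null) return { name, status: 'missing' };
  const desc = Object.getOwnPropertyDescriptor(owner, name);
  // A data property has `value`; an accessor installed via defineProperty has `get`.
  const fn = desc.value !== undefined ? desc.value : desc.get;
  const looksNative =
    typeof fn === 'function' && /\[native code\]/.test(nativeToString.call(fn));
  const report = {
    name,
    ownerIsExpected: owner === expectedOwner,
    shadowedOnInstance: owner === target && target !== expectedOwner,
    isAccessor: desc.get !== undefined,
    configurable: desc.configurable,
    looksNative,
  };
  report.status = report.ownerIsExpected && looksNative ? 'intact' : 'modified';
  return report;
}

// Constructed stand-in for Document.prototype and document (hypothetical, so the
// example runs in Node as well as in a browser).
function makeStandIn() {
  const proto = { getElementById: Math.max };
  return { proto, doc: Object.create(proto) };
}

// Exercise the detector against the three override styles discussed in the issue.
function demo() {
  const results = {};
  const clean = makeStandIn();
  results.clean = inspectBuiltin(clean.doc, 'getElementById', clean.proto).status;

  // Style 1: plain assignment creates an own property on the instance.
  const a = makeStandIn();
  const orig = a.doc.getElementById;
  a.doc.getElementById = id => orig.call(a.doc, id);
  results.assigned = inspectBuiltin(a.doc, 'getElementById', a.proto);

  // Style 2: Object.defineProperty with configurable: false, still on the instance.
  const b = makeStandIn();
  Object.defineProperty(b.doc, 'getElementById', { value: id => id, configurable: false });
  results.defined = inspectBuiltin(b.doc, 'getElementById', b.proto);

  // Style 3: replacing the method on the prototype itself. The owner is the
  // expected one, but the function no longer stringifies as native code.
  const c = makeStandIn();
  c.proto.getElementById = id => id;
  results.prototypePatched = inspectBuiltin(c.doc, 'getElementById', c.proto);
  return results;
}

if (typeof document !== 'undefined') {
  console.log(inspectBuiltin(document, 'getElementById', Document.prototype));
} else {
  console.log(demo());
}
```

The `configurable` field in the report is what the `window.addEventListener('error', ...)` idea above would depend on: a property installed with `configurable: false` cannot be redefined, so a page that tries to restore it throws. The check is a heuristic, not proof: it trusts `Function.prototype.toString`, which is itself a replaceable built-in, and a script injected at document start runs before this code, so the captured reference may already be the injected one.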
If the injected JS code is like the following:
alert('cookie: '+document.cookie);
This site is not able to detect it, and it will still show the green message.
Cookie stealing is concerning: if, for example, you try to log in to a site (within an in-app browser), the host app can inject malicious JS code to steal cookies, which essentially steals your login session.
I currently have no idea what to do about it and haven't checked the repo code; I'm just reporting this behavior for now.
Optional: More background on this concern.
As far as I know, iOS apps can inject code to be executed via WKUserScript as an alternative to evaluateJavaScript, and InAppBrowser.com cannot detect that since the injected code might run before the code of the web page. See example code below:
let configuration = WKWebViewConfiguration()
configuration.allowsInlineMediaPlayback = false
// User script that replaces page built-ins before any page script runs
let interceptorScript = WKUserScript(
source: "window.fetch = () => {console.log(`fetch`)}; window.Promise = () => {console.log(`Promise`)}; window.addEventListener = () => { console.log(`addEventListener`) }",
injectionTime: .atDocumentStart,
forMainFrameOnly: false
)
configuration.userContentController.addUserScript(interceptorScript)
let webView = WKWebView(frame: .zero, configuration: configuration)
injectionTime: .atDocumentStart here means that this code will be executed immediately after the document element is created but before any other script is executed. This means that the app side can override almost any primitive/built-in present in the page and do whatever they want with them (like listening for certain things and transferring information back to the app).
See: https://developer.apple.com/documentation/webkit/wkuserscript
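Since a script injected at document start runs before any page code, the cookie concern raised above cannot be fully solved on the page side. The one thing a site can do is keep its session cookie out of document.cookie entirely by setting HttpOnly, which the browser enforces regardless of what scripts run. The following is an added example, not code from inappbrowser.com: a small Set-Cookie parser and an audit that flags a session cookie readable by page scripts. The header strings are constructed for the example.

```javascript
// Parse a single Set-Cookie header value into name, value and lower-cased
// attribute map (attributes without a value, such as HttpOnly, map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Check the attributes that matter for a session cookie shown to an in-app
// browser: HttpOnly is the one that removes it from document.cookie; Secure and
// SameSite are the usual companions.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (c.attrs.httponly !== true) {
    problems.push('missing HttpOnly: readable via document.cookie by any script in the page, injected ones included');
  }
  if (c.attrs.secure !== true) problems.push('missing Secure');
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') problems.push('SameSite should be Lax or Strict');
  return { name: c.name, ok: problems.length === 0, problems };
}

// Constructed sample headers.
const SAMPLE_WEAK = 'sessionid=abc123; Path=/';
const SAMPLE_STRONG = 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log(auditSessionCookie(SAMPLE_WEAK));
console.log(auditSessionCookie(SAMPLE_STRONG));
```

HttpOnly only closes the document.cookie route. An app that owns the web view also has its own cookie store API (WKHTTPCookieStore on iOS), so the audit tells you whether an injected script can read the session, not whether the host app can.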