Android WebView blocks redirect from https to http

Problem description:

I have a solution where my Android WebView needs to first open a https url, then it will be redirected to a http url (it might be trying a http POST from the https site). This is not working, and my Android debug log says:


02-20 11:04:45.079 8538-8538/? E/WebViewCallback﹕ Blocked URL: [blocked] The page at 'https://xxx/' was loaded over HTTPS, but is submitting data to an insecure location at 'http://yyy': this content should also be submitted over HTTPS.

Are there any configuration options in the WebView that will allow this behaviour?

More info: it seems like a behaviour change in the Android SDK. A client compiled a long time ago does this without any complaints.

There was a change in default WebView settings for mixed http/https content in Lollipop (API 20). See https://datatheorem.github.io/android/2014/12/20/webviews-andorid-lollipop/ for more details.

To allow https to redirect to http you need to set the mixed content mode to MIXED_CONTENT_ALWAYS_ALLOW:

    // setMixedContentMode() was added in API level 21, so guard the call.
    if (Build.VERSION.SDK_INT >= 21) {
        webview.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
    }

Note that setting MIXED_CONTENT_ALWAYS_ALLOW is bad from a security point of view, and as you note in your answer, it is better to support https on both sites.

But for those that don't have control over the sites, this should work.
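
One way to limit the exposure when MIXED_CONTENT_ALWAYS_ALLOW cannot be avoided, shown as an added example that is not part of the original answer: keep the setting, but refuse every cleartext request except those to an explicit host allowlist. The class name `ScopedMixedContent`, the host `legacy.example.com` and a minimum SDK of 21 are assumptions made for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

/** Added example (hypothetical class): cleartext only to allowlisted hosts. */
public final class ScopedMixedContent {

    // Assumption: placeholder for the single http-only host the flow needs.
    private static final Set<String> CLEARTEXT_HOSTS =
            Collections.singleton("legacy.example.com");

    /** True when a request is plain http and its host is not allowlisted. */
    static boolean isBlocked(String scheme, String host) {
        if (!"http".equalsIgnoreCase(scheme)) {
            return false; // https and non-network schemes are left to the WebView
        }
        return host == null
                || !CLEARTEXT_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Call before loadUrl(). Assumes minSdkVersion 21. */
    public static void apply(WebView webview) {
        webview.getSettings()
                .setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        webview.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(
                    WebView view, WebResourceRequest request) {
                Uri url = request.getUrl();
                if (isBlocked(url.getScheme(), url.getHost())) {
                    // Serve an empty body instead of loading over cleartext.
                    return new WebResourceResponse("text/plain", "utf-8",
                            new ByteArrayInputStream(new byte[0]));
                }
                return null; // null means: load normally
            }
        });
    }
}
```

Traffic to the allowlisted host still travels unencrypted, so this narrows the mixed-content exception without making that hop safe.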