背景与价值设备接口权限敏感,需严格治理来源与触发方式,避免越权或钓鱼行为。统一规范来源白名单:仅允许受控域使用设备接口。用户手势:仅在点击等用户手势触发时调用。权限提示:统一提示与撤销入口。核心实现来源与用户手势校验const allowOrigins = new Set(['https://app.example.com'])
function originAllowed(): boolean { try { const u = new URL(document.location.href); return allowOrigins.has(u.origin) } catch { return false } }
async function connectUsb(button: HTMLButtonElement): Promise<boolean> {
if (!originAllowed()) return false
let ok = false
button.addEventListener('click', async () => {
try {
const d = await (navigator as any).usb.requestDevice({ filters: [] })
ok = !!d
} catch { ok = false }
}, { once: true })
button.click()
return ok
}
async function connectBle(button: HTMLButtonElement): Promise<boolean> {
if (!originAllowed()) return false
let ok = false
button.addEventListener('click', async () => {
try {
const d = await (navigator as any).bluetooth.requestDevice({ acceptAllDevices: false, filters: [] })
ok = !!d
} catch { ok = false }
}, { once: true })
button.click()
return ok
}
落地建议在受控来源下并以用户手势触发设备权限,提示用户与提供撤销入口。验证清单是否仅在受控来源与用户手势触发;权限提示与撤销是否可用。
发表评论 取消回复