Add hooks in CordovaPlugin and PluginManager for whitelist plugins

This adds three hooks to CordovaPlugin objects. In each case, a null value can be returned to indicate "I don't care". This null value is the default. public Boolean shouldAllowRequest(String url) public Boolean shouldAllowNavigation(String url) public Boolean shouldOpenExternalUrl(String url)
2014-10-22 15:52:09 -04:00 · 2014-10-22 15:52:09 -04:00 · 7533996fac
commit 7533996fac
parent 1721571012
2 changed files with 158 additions and 6 deletions
--- a/framework/src/org/apache/cordova/CordovaPlugin.java
+++ b/framework/src/org/apache/cordova/CordovaPlugin.java
@ -162,19 +162,67 @@ public class CordovaPlugin {
     * Called when an activity you launched exits, giving you the requestCode you started it with,
     * the resultCode it returned, and any additional data from it.
     *
-     * @param requestCode		The request code originally supplied to startActivityForResult(),
-     * 							allowing you to identify who this result came from.
-     * @param resultCode		The integer result code returned by the child activity through its setResult().
-     * @param intent				An Intent, which can return result data to the caller (various data can be attached to Intent "extras").
+     * @param requestCode   The request code originally supplied to startActivityForResult(),
+     *                      allowing you to identify who this result came from.
+     * @param resultCode    The integer result code returned by the child activity through its setResult().
+     * @param intent        An Intent, which can return result data to the caller (various data can be
+     *                      attached to Intent "extras").
     */
    public void onActivityResult(int requestCode, int resultCode, Intent intent) {
    }

+    /**
+     * Hook for blocking the loading of external resources.
+     *
+     * This will be called when the WebView's shouldInterceptRequest wants to
+     * know whether to open a connection to an external resource. Return false
+     * to block the request: if any plugin returns false, Cordova will block
+     * the request. If all plugins return null, the default policy will be
+     * enforced. If at least one plugin returns true, and no plugins return
+     * false, then the request will proceed.
+     *
+     * Note that this only affects resource requests which are routed through
+     * WebViewClient.shouldInterceptRequest, such as XMLHttpRequest requests and
+     * img tag loads. WebSockets and media requests (such as <video> and <audio>
+     * tags) are not affected by this method. Use CSP headers to control access
+     * to such resources.
+     */
+    public Boolean shouldAllowRequest(String url) {
+        return null;
+    }
+
+    /**
+     * Hook for blocking navigation by the Cordova WebView.
+     *
+     * This will be called when the WebView's needs to know whether to navigate
+     * to a new page. Return false to block the navigation: if any plugin
+     * returns false, Cordova will block the navigation. If all plugins return
+     * null, the default policy will be enforced. It at least one plugin returns
+     * true, and no plugins return false, then the navigation will proceed.
+     */
+    public Boolean shouldAllowNavigation(String url) {
+        return null;
+    }
+
+    /**
+     * Hook for blocking the launching of Intents by the Cordova application.
+     *
+     * This will be called when the WebView will not navigate to a page, but
+     * could launch an intent to handle the URL. Return false to block this: if
+     * any plugin returns false, Cordova will block the navigation. If all
+     * plugins return null, the default policy will be enforced. If at least one
+     * plugin returns true, and no plugins return false, then the URL will be
+     * opened.
+     */
+    public Boolean shouldOpenExternalUrl(String url) {
+        return null;
+    }
+
    /**
     * By specifying a <url-filter> in config.xml you can map a URL (using startsWith atm) to this method.
     *
-     * @param url				The URL that is trying to be loaded in the Cordova webview.
-     * @return					Return true to prevent the URL from loading. Default is false.
+     * @param url           The URL that is trying to be loaded in the Cordova webview.
+     * @return              Return true to prevent the URL from loading. Default is false.
     */
    public boolean onOverrideUrlLoading(String url) {
        return false;
--- a/framework/src/org/apache/cordova/PluginManager.java
+++ b/framework/src/org/apache/cordova/PluginManager.java
@ -297,6 +297,110 @@ public class PluginManager {
        }
    }

+    /**
+     * Called when the webview is going to request an external resource.
+     *
+     * This delegates to the installed plugins, which must all return true for
+     * this method to return true.
+     *
+     * @param url       The URL that is being requested.
+     * @return          Tri-State:
+     *                    null: All plugins returned null (the default). This
+     *                          indicates that the default policy should be
+     *                          followed.
+     *                    true: All plugins returned true (allow the resource
+     *                          to load)
+     *                    false: At least one plugin returned false (block the
+     *                           resource)
+     */
+    public Boolean shouldAllowRequest(String url) {
+        Boolean anyResponded = null;
+        for (PluginEntry entry : this.entryMap.values()) {
+            CordovaPlugin plugin = pluginMap.get(entry.service);
+            if (plugin != null) {
+                Boolean result = plugin.shouldAllowRequest(url);
+                if (result != null) {
+                    anyResponded = true;
+                    if (!result) {
+                        return false;
+                    }
+                }
+            }
+        }
+        // This will be true if all plugins allow the request, or null if no plugins override the method
+        return anyResponded;
+    }
+
+    /**
+     * Called when the webview is going to change the URL of the loaded content.
+     *
+     * This delegates to the installed plugins, which must all return true for
+     * this method to return true. A true result will allow the new page to load;
+     * a false result will prevent the page from loading.
+     *
+     * @param url       The URL that is being requested.
+     * @return          Tri-State:
+     *                    null: All plugins returned null (the default). This
+     *                          indicates that the default policy should be
+     *                          followed.
+     *                    true: All plugins returned true (allow the navigation)
+     *                    false: At least one plugin returned false (block the
+     *                           navigation)
+     */
+    public Boolean shouldAllowNavigation(String url) {
+        Boolean anyResponded = null;
+        for (PluginEntry entry : this.entryMap.values()) {
+            CordovaPlugin plugin = pluginMap.get(entry.service);
+            if (plugin != null) {
+                Boolean result = plugin.shouldAllowNavigation(url);
+                if (result != null) {
+                    anyResponded = true;
+                    if (!result) {
+                        return false;
+                    }
+                }
+            }
+        }
+        // This will be true if all plugins allow the request, or null if no plugins override the method
+        return anyResponded;
+    }
+
+    /**
+     * Called when the webview is going not going to navigate, but may launch
+     * an Intent for an URL.
+     *
+     * This delegates to the installed plugins, which must all return true for
+     * this method to return true. A true result will allow the URL to launch;
+     * a false result will prevent the URL from loading.
+     *
+     * @param url       The URL that is being requested.
+     * @return          Tri-State:
+     *                    null: All plugins returned null (the default). This
+     *                          indicates that the default policy should be
+     *                          followed.
+     *                    true: All plugins returned true (allow the URL to
+     *                          launch an intent)
+     *                    false: At least one plugin returned false (block the
+     *                           intent)
+     */
+    public Boolean shouldOpenExternalUrl(String url) {
+        Boolean anyResponded = null;
+        for (PluginEntry entry : this.entryMap.values()) {
+            CordovaPlugin plugin = pluginMap.get(entry.service);
+            if (plugin != null) {
+                Boolean result = plugin.shouldOpenExternalUrl(url);
+                if (result != null) {
+                    anyResponded = true;
+                    if (!result) {
+                        return false;
+                    }
+                }
+            }
+        }
+        // This will be true if all plugins allow the request, or null if no plugins override the method
+        return anyResponded;
+    }
+
    /**
     * Called when the URL of the webview changes.
     *