android-v10.1.1 Updated version and RELEASENOTES.md for release 10.1.1

RELEASENOTES.md

@@ -20,6 +20,14 @@
 -->
 ## Release Notes for Cordova (Android)
 
+### 10.1.1 (Sep 13, 2021)
+
+**Fixes:**
+
+* [GH-1349](https://github.com/apache/cordova-android/pull/1349) fix(`PluginManager`): `AllowNavigation` default policy to handle scheme & hostname
+* [GH-1342](https://github.com/apache/cordova-android/pull/1342) fix(`AllowListPlugin`): Safely handle default allow navigation policy in allow request
+* [GH-1332](https://github.com/apache/cordova-android/pull/1332) fix(`PluginManager`): `AllowBridgeAccess` default policy to handle scheme & hostname
+
 ### 10.1.0 (Aug 13, 2021)
 
 **Features:**

framework/src/org/apache/cordova/AllowListPlugin.java

@@ -82,11 +82,6 @@ public class AllowListPlugin extends CordovaPlugin {
             if (strNode.equals("content")) {
                 String startPage = xml.getAttributeValue(null, "src");
                 allowedNavigations.addAllowListEntry(startPage, false);
-
-                // Allow origin for WebViewAssetLoader
-                if (!this.prefs.getBoolean("AndroidInsecureFileModeEnabled", false)) {
-                    allowedNavigations.addAllowListEntry("https://" + this.prefs.getString("hostname", "localhost"), false);
-                }
             } else if (strNode.equals("allow-navigation")) {
                 String origin = xml.getAttributeValue(null, "href");
                 if ("*".equals(origin)) {
@@ -127,7 +122,7 @@ public class AllowListPlugin extends CordovaPlugin {
 
     @Override
     public Boolean shouldAllowRequest(String url) {
-        return (this.shouldAllowNavigation(url) || this.allowedRequests.isUrlAllowListed(url))
+        return (Boolean.TRUE.equals(this.shouldAllowNavigation(url)) || this.allowedRequests.isUrlAllowListed(url))
             ? true
             : null; // default policy
     }

framework/src/org/apache/cordova/CordovaWebView.java

@@ -31,7 +31,7 @@ import android.webkit.WebChromeClient.CustomViewCallback;
  * are not expected to implement it.
  */
 public interface CordovaWebView {
-    public static final String CORDOVA_VERSION = "10.1.0";
+    public static final String CORDOVA_VERSION = "10.1.1";
 
     void init(CordovaInterface cordova, List<PluginEntry> pluginEntries, CordovaPreferences preferences);
 

framework/src/org/apache/cordova/PluginManager.java

@@ -41,6 +41,12 @@ import android.os.Build;
  */
 public class PluginManager {
     private static String TAG = "PluginManager";
+
+    // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+    private static String SCHEME_HTTPS = "https";
+    // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+    private static String DEFAULT_HOSTNAME = "localhost";
+
     private static final int SLOW_EXEC_WARNING_THRESHOLD = Debug.isDebuggerConnected() ? 60 : 16;
 
     // List of service entries
@@ -366,6 +372,24 @@ public class PluginManager {
         }
     }
 
+    /**
+     * @todo should we move this somewhere public and accessible by all plugins?
+     * For now, it is placed where it is used and kept private so we can decide later and move without causing a breaking change.
+     * An ideal location might be in the "ConfigXmlParser" at the time it generates the "launchUrl".
+     *
+     * @todo should we be restrictive on the "file://" return? e.g. "file:///android_asset/www/"
+     * Would be considered as a breaking change if we apply a more granular check.
+     */
+    private String getLaunchUrlPrefix() {
+        if (!app.getPreferences().getBoolean("AndroidInsecureFileModeEnabled", false)) {
+            String scheme = app.getPreferences().getString("scheme", SCHEME_HTTPS).toLowerCase();
+            String hostname = app.getPreferences().getString("hostname", DEFAULT_HOSTNAME);
+            return scheme + "://" + hostname + '/';
+        }
+
+        return "file://";
+    }
+
     /**
      * Called when the webview is going to request an external resource.
      *
@@ -431,7 +455,7 @@ public class PluginManager {
         }
 
         // Default policy:
-        return url.startsWith("file://") || url.startsWith("about:blank");
+        return url.startsWith(getLaunchUrlPrefix()) || url.startsWith("about:blank");
     }
 
 
@@ -452,7 +476,7 @@ public class PluginManager {
         }
 
         // Default policy:
-        return url.startsWith("file://");
+        return url.startsWith(getLaunchUrlPrefix());
     }
 
     /**

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "cordova-android",
-  "version": "10.1.0",
+  "version": "10.1.1",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cordova-android",
-  "version": "10.1.0",
+  "version": "10.1.1",
   "description": "cordova-android release",
   "main": "lib/Api.js",
   "repository": "github:apache/cordova-android",