CB-7267 update RELEASENOTES for 3.5.1

(cherry picked from commit eb8cf56e8e)

RELEASENOTES.md

@@ -20,6 +20,51 @@
 -->
 ## Release Notes for Cordova (Android) ##
 
+### 3.5.1 (August 2014) ###
+
+This was a security update to address CVE-2014-3500, CVE-2014-3501,
+and CVE-2014-3502. For more information, see
+http://cordova.apache.org/announcements/2014/08/04/android-351.html
+
+* Filter out non-launchable intents
+* Handle unsupported protocol errors in webview better
+* Update the errorurl to no longer use intents
+* Refactoring the URI handling on Cordova, removing dead code
+
+### 3.5.0 (May 2014) ###
+
+* OkHttp has broken headers. Updating for ASF compliance.
+* Revert accidentally removed lines from NOTICE
+* CB-6552: added top level package.json
+* CB-6491 add CONTRIBUTING.md
+* CB-6543 Fix cordova/run failure when no custom_rules.xml available
+* defaults.xml: Add AndroidLaunchMode preference
+* Add JavaDoc for CordovaResourceApi
+* CB-6388: Handle binary data correctly in LOAD_URL bridge
+* Fix CB-6048: Set launchMode=singleTop so tapping app icon does not always restart app
+* Remove incorrect usage of AlertDialog.Builder.create
+* Catch uncaught exceptions in from plugins and turn them into error responses.
+* Add NOTICE file
+* CB-6047 Fix online sometimes getting in a bad state on page transitions.
+* Add another convenience overload for CordovaResourceApi.copyResource
+* Update framework's .classpath to what Eclipse wants it to be.
+* README.md: `android update` to `android-19`.
+* Fix NPE when POLLING bridge mode is used.
+* Updating NOTICE to include Square for OkHttp
+* CB-5398 Apply KitKat content URI fix to all content URIs
+* CB-5398 Work-around for KitKat content: URLs not rendering in <img> tags
+* CB-5908: add splascreen images to template
+* CB-5395: Make scheme and host (but not path) case-insensitive in whitelist
+* Ignore multiple onPageFinished() callbacks & onReceivedError due to stopLoading()
+* Removing addJavascriptInterface support from all Android versions lower than 4.2 due to security vu
+* CB-4984 Don't create on CordovaActivity name
+* CB-5917 Add a loadUrlIntoView overload that doesn't recreate plugins.
+* Use thread pool for load timeout.
+* CB-5715 For CLI, hide assets/www and res/xml/config.xml by default
+* CB-5793 ant builds: Rename AndroidManifest during -post-build to avoid Eclipse detecting ant-build/
+* CB-5889 Make update script find project name instead of using "null" for CordovaLib
+* CB-5889 Add a message in the update script about needing to import CordovaLib when using an IDE.
+
 ### 3.4.0 (Feb 2014) ###
 
 43 commits from 10 authors. Highlights include:

VERSION

@@ -1 +1 @@
-3.5.0-dev
+3.5.1

bin/templates/cordova/version

@@ -20,6 +20,6 @@
 */
 
 // Coho updates this line:
-var VERSION = "3.5.0-dev";
+var VERSION = "3.5.1";
 
 console.log(VERSION);

framework/assets/www/cordova.js

@@ -1,5 +1,5 @@
 // Platform: android
-// 3.5.0-dev-81f9a00
+// 3.5.1
 /*
  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
@@ -19,7 +19,7 @@
  under the License.
 */
 ;(function() {
-var CORDOVA_JS_BUILD_LABEL = '3.5.0-dev-81f9a00';
+var CORDOVA_JS_BUILD_LABEL = '3.5.1';
 // file: src/scripts/require.js
 
 /*jshint -W079 */
@@ -825,6 +825,7 @@ channel.createSticky('onNativeReady');
 channel.createSticky('onCordovaReady');
 
 // Event to indicate that all automatically loaded JS plugins are loaded and ready.
+// FIXME remove this
 channel.createSticky('onPluginsReady');
 
 // Event to indicate that Cordova is ready
@@ -1245,6 +1246,111 @@ channel.join(function() {
 }, platformInitChannelsArray);
 
 
+});
+
+// file: src/common/init_b.js
+define("cordova/init_b", function(require, exports, module) {
+
+var channel = require('cordova/channel');
+var cordova = require('cordova');
+var platform = require('cordova/platform');
+
+var platformInitChannelsArray = [channel.onDOMContentLoaded, channel.onNativeReady];
+
+// setting exec
+cordova.exec = require('cordova/exec');
+
+function logUnfiredChannels(arr) {
+    for (var i = 0; i < arr.length; ++i) {
+        if (arr[i].state != 2) {
+            console.log('Channel not fired: ' + arr[i].type);
+        }
+    }
+}
+
+window.setTimeout(function() {
+    if (channel.onDeviceReady.state != 2) {
+        console.log('deviceready has not fired after 5 seconds.');
+        logUnfiredChannels(platformInitChannelsArray);
+        logUnfiredChannels(channel.deviceReadyChannelsArray);
+    }
+}, 5000);
+
+// Replace navigator before any modules are required(), to ensure it happens as soon as possible.
+// We replace it so that properties that can't be clobbered can instead be overridden.
+function replaceNavigator(origNavigator) {
+    var CordovaNavigator = function() {};
+    CordovaNavigator.prototype = origNavigator;
+    var newNavigator = new CordovaNavigator();
+    // This work-around really only applies to new APIs that are newer than Function.bind.
+    // Without it, APIs such as getGamepads() break.
+    if (CordovaNavigator.bind) {
+        for (var key in origNavigator) {
+            if (typeof origNavigator[key] == 'function') {
+                newNavigator[key] = origNavigator[key].bind(origNavigator);
+            }
+        }
+    }
+    return newNavigator;
+}
+if (window.navigator) {
+    window.navigator = replaceNavigator(window.navigator);
+}
+
+if (!window.console) {
+    window.console = {
+        log: function(){}
+    };
+}
+if (!window.console.warn) {
+    window.console.warn = function(msg) {
+        this.log("warn: " + msg);
+    };
+}
+
+// Register pause, resume and deviceready channels as events on document.
+channel.onPause = cordova.addDocumentEventHandler('pause');
+channel.onResume = cordova.addDocumentEventHandler('resume');
+channel.onDeviceReady = cordova.addStickyDocumentEventHandler('deviceready');
+
+// Listen for DOMContentLoaded and notify our channel subscribers.
+if (document.readyState == 'complete' || document.readyState == 'interactive') {
+    channel.onDOMContentLoaded.fire();
+} else {
+    document.addEventListener('DOMContentLoaded', function() {
+        channel.onDOMContentLoaded.fire();
+    }, false);
+}
+
+// _nativeReady is global variable that the native side can set
+// to signify that the native code is ready. It is a global since
+// it may be called before any cordova JS is ready.
+if (window._nativeReady) {
+    channel.onNativeReady.fire();
+}
+
+// Call the platform-specific initialization.
+platform.bootstrap && platform.bootstrap();
+
+/**
+ * Create all cordova objects once native side is ready.
+ */
+channel.join(function() {
+    
+    platform.initialize && platform.initialize();
+
+    // Fire event to notify that all objects are created
+    channel.onCordovaReady.fire();
+
+    // Fire onDeviceReady event once page has fully loaded, all
+    // constructors have run and cordova info has been received from native
+    // side.
+    channel.join(function() {
+        require('cordova').fireDocumentEvent('deviceready');
+    }, channel.deviceReadyChannelsArray);
+
+}, platformInitChannelsArray);
+
 });
 
 // file: src/common/modulemapper.js

framework/src/com/squareup/okhttp/internal/spdy/ErrorCode.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright (C) 2011 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package com.squareup.okhttp.internal.spdy;
 
 public enum ErrorCode {

framework/src/com/squareup/okhttp/internal/spdy/Hpack.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright (C) 2011 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package com.squareup.okhttp.internal.spdy;
 
 import java.io.DataInputStream;

framework/src/com/squareup/okhttp/internal/spdy/NameValueBlockReader.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright (C) 2011 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package com.squareup.okhttp.internal.spdy;
 
 import com.squareup.okhttp.internal.Util;

framework/src/org/apache/cordova/Config.java

@@ -20,21 +20,16 @@
 package org.apache.cordova;
 
 import java.io.IOException;
-
 import java.util.Locale;
-
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.apache.cordova.LOG;
-
 import org.xmlpull.v1.XmlPullParserException;
 
 import android.app.Activity;
-
 import android.content.res.XmlResourceParser;
 import android.graphics.Color;
-
 import android.util.Log;
 
 public class Config {
@@ -44,6 +39,8 @@ public class Config {
     private Whitelist whitelist = new Whitelist();
     private String startUrl;
 
+    private static String errorUrl;
+
     private static Config self = null;
 
     public static void init(Activity action) {
@@ -156,6 +153,10 @@ public class Config {
                         boolean value = xml.getAttributeValue(null, "value").equals("true");
                         action.getIntent().putExtra(name, value);
                     }
+                    else if(name.equalsIgnoreCase("errorurl"))
+                    {
+                        errorUrl = xml.getAttributeValue(null, "value");
+                    }
                     else
                     {
                         String value = xml.getAttributeValue(null, "value");
@@ -230,4 +231,8 @@ public class Config {
         }
         return self.startUrl;
     }
+
+    public static String getErrorUrl() {
+        return errorUrl;
+    }
 }

framework/src/org/apache/cordova/CordovaActivity.java

@@ -715,7 +715,7 @@ public class CordovaActivity extends Activity implements CordovaInterface {
         
 
         //Code to test CB-3064
-        String errorUrl = this.getStringProperty("ErrorUrl", null);
+        String errorUrl = Config.getErrorUrl();
         LOG.d(TAG, "CB-3064: The errorUrl is " + errorUrl);
           
         if (this.activityState == ACTIVITY_STARTING) {

framework/src/org/apache/cordova/CordovaUriHelper.java

@@ -0,0 +1,115 @@
+/*
+       Licensed to the Apache Software Foundation (ASF) under one
+       or more contributor license agreements.  See the NOTICE file
+       distributed with this work for additional information
+       regarding copyright ownership.  The ASF licenses this file
+       to you under the Apache License, Version 2.0 (the
+       "License"); you may not use this file except in compliance
+       with the License.  You may obtain a copy of the License at
+
+         http://www.apache.org/licenses/LICENSE-2.0
+
+       Unless required by applicable law or agreed to in writing,
+       software distributed under the License is distributed on an
+       "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+       KIND, either express or implied.  See the License for the
+       specific language governing permissions and limitations
+       under the License.
+*/
+
+package org.apache.cordova;
+
+import org.json.JSONException;
+
+import android.content.Intent;
+import android.net.Uri;
+import android.util.Log;
+import android.webkit.WebView;
+
+public class CordovaUriHelper {
+    
+    private static final String TAG = "CordovaUriHelper";
+    private static final String CORDOVA_EXEC_URL_PREFIX = "http://cdv_exec/";
+    
+    private CordovaWebView appView;
+    private CordovaInterface cordova;
+    
+    CordovaUriHelper(CordovaInterface cdv, CordovaWebView webView)
+    {
+        appView = webView;
+        cordova = cdv;
+    }
+    
+    
+    // Parses commands sent by setting the webView's URL to:
+    // cdvbrg:service/action/callbackId#jsonArgs
+    void handleExecUrl(String url) {
+        int idx1 = CORDOVA_EXEC_URL_PREFIX.length();
+        int idx2 = url.indexOf('#', idx1 + 1);
+        int idx3 = url.indexOf('#', idx2 + 1);
+        int idx4 = url.indexOf('#', idx3 + 1);
+        if (idx1 == -1 || idx2 == -1 || idx3 == -1 || idx4 == -1) {
+            Log.e(TAG, "Could not decode URL command: " + url);
+            return;
+        }
+        String service    = url.substring(idx1, idx2);
+        String action     = url.substring(idx2 + 1, idx3);
+        String callbackId = url.substring(idx3 + 1, idx4);
+        String jsonArgs   = url.substring(idx4 + 1);
+        appView.pluginManager.exec(service, action, callbackId, jsonArgs);
+        //There is no reason to not send this directly to the pluginManager
+    }
+    
+
+    /**
+     * Give the host application a chance to take over the control when a new url
+     * is about to be loaded in the current WebView.
+     *
+     * @param view          The WebView that is initiating the callback.
+     * @param url           The url to be loaded.
+     * @return              true to override, false for default behavior
+     */
+    public boolean shouldOverrideUrlLoading(WebView view, String url) {
+        // The WebView should support http and https when going on the Internet
+        if(url.startsWith("http:") || url.startsWith("https:"))
+        {
+            // Check if it's an exec() bridge command message.
+            if (NativeToJsMessageQueue.ENABLE_LOCATION_CHANGE_EXEC_MODE && url.startsWith(CORDOVA_EXEC_URL_PREFIX)) {
+                handleExecUrl(url);
+            }
+            // We only need to whitelist sites on the Internet! 
+            else if(Config.isUrlWhiteListed(url))
+            {
+                return false;
+            }
+        }
+        // Give plugins the chance to handle the url
+        else if (this.appView.pluginManager.onOverrideUrlLoading(url)) {
+            
+        }
+        else if(url.startsWith("file://") | url.startsWith("data:"))
+        {
+            //This directory on WebKit/Blink based webviews contains SQLite databases!
+            //DON'T CHANGE THIS UNLESS YOU KNOW WHAT YOU'RE DOING!
+            return url.contains("app_webview");
+        }
+        else
+        {
+            try {
+                Intent intent = new Intent(Intent.ACTION_VIEW);
+                intent.setData(Uri.parse(url));
+                intent.addCategory(Intent.CATEGORY_BROWSABLE);
+                intent.setComponent(null);
+                intent.setSelector(null);
+                this.cordova.getActivity().startActivity(intent);
+            } catch (android.content.ActivityNotFoundException e) {
+                LOG.e(TAG, "Error loading url " + url, e);
+            }
+        }
+        //Default behaviour should be to load the default intent, let's see what happens! 
+        return true;
+    }
+
+    
+
+}

framework/src/org/apache/cordova/CordovaWebView.java

@@ -68,7 +68,7 @@ import android.widget.FrameLayout;
 public class CordovaWebView extends WebView {
 
     public static final String TAG = "CordovaWebView";
-    public static final String CORDOVA_VERSION = "3.5.0-dev";
+    public static final String CORDOVA_VERSION = "3.5.1";
 
     private ArrayList<Integer> keyDownCodes = new ArrayList<Integer>();
     private ArrayList<Integer> keyUpCodes = new ArrayList<Integer>();
@@ -406,17 +406,7 @@ public class CordovaWebView extends WebView {
             this.loadUrlNow(url);
         }
         else {
-
-            String initUrl = this.getProperty("url", null);
-
-            // If first page of app, then set URL to load to be the one passed in
-            if (initUrl == null) {
-                this.loadUrlIntoView(url);
-            }
-            // Otherwise use the URL specified in the activity's extras bundle
-            else {
-                this.loadUrlIntoView(initUrl);
-            }
+            this.loadUrlIntoView(url);
         }
     }
 
@@ -427,16 +417,15 @@ public class CordovaWebView extends WebView {
      * @param url
      * @param time              The number of ms to wait before loading webview
      */
+    @Deprecated
     public void loadUrl(final String url, int time) {
-        String initUrl = this.getProperty("url", null);
-
-        // If first page of app, then set URL to load to be the one passed in
-        if (initUrl == null) {
-            this.loadUrlIntoView(url, time);
+        if(url == null)
+        {
+            this.loadUrlIntoView(Config.getStartUrl());
         }
-        // Otherwise use the URL specified in the activity's extras bundle
-        else {
-            this.loadUrlIntoView(initUrl);
+        else
+        {
+            this.loadUrlIntoView(url);
         }
     }
 

framework/src/org/apache/cordova/CordovaWebViewClient.java

@@ -61,6 +61,7 @@ public class CordovaWebViewClient extends WebViewClient {
 	private static final String CORDOVA_EXEC_URL_PREFIX = "http://cdv_exec/";
     CordovaInterface cordova;
     CordovaWebView appView;
+    CordovaUriHelper helper;
     private boolean doClearHistory = false;
     boolean isCurrentlyLoading;
 
@@ -85,6 +86,7 @@ public class CordovaWebViewClient extends WebViewClient {
     public CordovaWebViewClient(CordovaInterface cordova, CordovaWebView view) {
         this.cordova = cordova;
         this.appView = view;
+        helper = new CordovaUriHelper(cordova, view);
     }
 
     /**
@@ -94,6 +96,7 @@ public class CordovaWebViewClient extends WebViewClient {
      */
     public void setWebView(CordovaWebView view) {
         this.appView = view;
+        helper = new CordovaUriHelper(cordova, view);
     }
 
 
@@ -125,112 +128,7 @@ public class CordovaWebViewClient extends WebViewClient {
      */
 	@Override
     public boolean shouldOverrideUrlLoading(WebView view, String url) {
-    	// Check if it's an exec() bridge command message.
-    	if (NativeToJsMessageQueue.ENABLE_LOCATION_CHANGE_EXEC_MODE && url.startsWith(CORDOVA_EXEC_URL_PREFIX)) {
-    		handleExecUrl(url);
-    	}
-
-        // Give plugins the chance to handle the url
-    	else if ((this.appView.pluginManager != null) && this.appView.pluginManager.onOverrideUrlLoading(url)) {
-        }
-
-        // If dialing phone (tel:5551212)
-        else if (url.startsWith(WebView.SCHEME_TEL)) {
-            try {
-                Intent intent = new Intent(Intent.ACTION_DIAL);
-                intent.setData(Uri.parse(url));
-                this.cordova.getActivity().startActivity(intent);
-            } catch (android.content.ActivityNotFoundException e) {
-                LOG.e(TAG, "Error dialing " + url + ": " + e.toString());
-            }
-        }
-
-        // If displaying map (geo:0,0?q=address)
-        else if (url.startsWith("geo:")) {
-            try {
-                Intent intent = new Intent(Intent.ACTION_VIEW);
-                intent.setData(Uri.parse(url));
-                this.cordova.getActivity().startActivity(intent);
-            } catch (android.content.ActivityNotFoundException e) {
-                LOG.e(TAG, "Error showing map " + url + ": " + e.toString());
-            }
-        }
-
-        // If sending email (mailto:abc@corp.com)
-        else if (url.startsWith(WebView.SCHEME_MAILTO)) {
-            try {
-                Intent intent = new Intent(Intent.ACTION_VIEW);
-                intent.setData(Uri.parse(url));
-                this.cordova.getActivity().startActivity(intent);
-            } catch (android.content.ActivityNotFoundException e) {
-                LOG.e(TAG, "Error sending email " + url + ": " + e.toString());
-            }
-        }
-
-        // If sms:5551212?body=This is the message
-        else if (url.startsWith("sms:")) {
-            try {
-                Intent intent = new Intent(Intent.ACTION_VIEW);
-
-                // Get address
-                String address = null;
-                int parmIndex = url.indexOf('?');
-                if (parmIndex == -1) {
-                    address = url.substring(4);
-                }
-                else {
-                    address = url.substring(4, parmIndex);
-
-                    // If body, then set sms body
-                    Uri uri = Uri.parse(url);
-                    String query = uri.getQuery();
-                    if (query != null) {
-                        if (query.startsWith("body=")) {
-                            intent.putExtra("sms_body", query.substring(5));
-                        }
-                    }
-                }
-                intent.setData(Uri.parse("sms:" + address));
-                intent.putExtra("address", address);
-                intent.setType("vnd.android-dir/mms-sms");
-                this.cordova.getActivity().startActivity(intent);
-            } catch (android.content.ActivityNotFoundException e) {
-                LOG.e(TAG, "Error sending sms " + url + ":" + e.toString());
-            }
-        }
-        
-        //Android Market
-        else if(url.startsWith("market:")) {
-            try {
-                Intent intent = new Intent(Intent.ACTION_VIEW);
-                intent.setData(Uri.parse(url));
-                this.cordova.getActivity().startActivity(intent);
-            } catch (android.content.ActivityNotFoundException e) {
-                LOG.e(TAG, "Error loading Google Play Store: " + url, e);
-            }
-        }
-
-        // All else
-        else {
-
-            // If our app or file:, then load into a new Cordova webview container by starting a new instance of our activity.
-            // Our app continues to run.  When BACK is pressed, our app is redisplayed.
-            if (url.startsWith("file://") || url.startsWith("data:")  || Config.isUrlWhiteListed(url)) {
-                return false;
-            }
-
-            // If not our application, let default viewer handle
-            else {
-                try {
-                    Intent intent = new Intent(Intent.ACTION_VIEW);
-                    intent.setData(Uri.parse(url));
-                    this.cordova.getActivity().startActivity(intent);
-                } catch (android.content.ActivityNotFoundException e) {
-                    LOG.e(TAG, "Error loading url " + url, e);
-                }
-            }
-        }
-        return true;
+        return helper.shouldOverrideUrlLoading(view, url);
     }
     
     /**
@@ -361,7 +259,19 @@ public class CordovaWebViewClient extends WebViewClient {
         // Clear timeout flag
         this.appView.loadUrlTimeout++;
 
-        // Handle error
+        // If this is a "Protocol Not Supported" error, then revert to the previous
+        // page. If there was no previous page, then punt. The application's config
+        // is likely incorrect (start page set to sms: or something like that)
+        if (errorCode == WebViewClient.ERROR_UNSUPPORTED_SCHEME) {
+            if (view.canGoBack()) {
+                view.goBack();
+                return;
+            } else {
+                super.onReceivedError(view, errorCode, description, failingUrl);
+            }
+        }
+
+        // Handle other errors by passing them to the webview in JS
         JSONObject data = new JSONObject();
         try {
             data.put("errorCode", errorCode);

framework/src/org/apache/cordova/IceCreamCordovaWebViewClient.java

@@ -35,6 +35,7 @@ import android.webkit.WebView;
 public class IceCreamCordovaWebViewClient extends CordovaWebViewClient {
 
     private static final String TAG = "IceCreamCordovaWebViewClient";
+    private CordovaUriHelper helper;
 
     public IceCreamCordovaWebViewClient(CordovaInterface cordova) {
         super(cordova);
@@ -47,8 +48,9 @@ public class IceCreamCordovaWebViewClient extends CordovaWebViewClient {
     @Override
     public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
         try {
-            // Check the against the white-list.
-            if ((url.startsWith("http:") || url.startsWith("https:")) && !Config.isUrlWhiteListed(url)) {
+            // Check the against the whitelist and lock out access to the WebView directory
+            // Changing this will cause problems for your application
+            if (isUrlHarmful(url)) {
                 LOG.w(TAG, "URL blocked by whitelist: " + url);
                 // Results in a 404.
                 return new WebResourceResponse("text/plain", "UTF-8", null);
@@ -74,6 +76,11 @@ public class IceCreamCordovaWebViewClient extends CordovaWebViewClient {
         }
     }
 
+    private boolean isUrlHarmful(String url) {
+        return ((url.startsWith("http:") || url.startsWith("https:")) && !Config.isUrlWhiteListed(url))
+            || url.contains("app_webview");
+    }
+
     private static boolean needsKitKatContentUrlFix(Uri uri) {
         return android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.KITKAT && "content".equals(uri.getScheme());
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cordova-android",
-  "version": "3.4.0",
+  "version": "3.5.1",
   "description": "cordova-android release",
   "main": "bin/create",
   "repository": {