From e1d0777ea08c95678e6aab82a38c91dc3a8a22bb Mon Sep 17 00:00:00 2001
From: Carl Poole
Date: Tue, 17 Nov 2020 10:32:05 -0600
Subject: [PATCH] fix(android): Add mitigation strategy for CVE-2020-6506 (#792)
---
 src/android/InAppBrowser.java | 3 ++
 src/android/InAppChromeClient.java | 45 ++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/src/android/InAppBrowser.java b/src/android/InAppBrowser.java
index 74b5719..d5e305c 100644
--- a/src/android/InAppBrowser.java
+++ b/src/android/InAppBrowser.java
@@ -1042,6 +1042,9 @@ public class InAppBrowser extends CordovaPlugin {
 inAppWebView.setId(Integer.valueOf(6));
 inAppWebView.getSettings().setLoadWithOverviewMode(true);
 inAppWebView.getSettings().setUseWideViewPort(useWideViewPort);
+ // Multiple Windows set to true to mitigate Chromium security bug.
+ // See: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
+ inAppWebView.getSettings().setSupportMultipleWindows(true);
 inAppWebView.requestFocus();
 inAppWebView.requestFocusFromTouch();
diff --git a/src/android/InAppChromeClient.java b/src/android/InAppChromeClient.java
index fe5dd34..f05f6a9 100644
--- a/src/android/InAppChromeClient.java
+++ b/src/android/InAppChromeClient.java
@@ -24,8 +24,12 @@ import org.apache.cordova.PluginResult;
 import org.json.JSONArray;
 import org.json.JSONException;
+import android.annotation.TargetApi;
+import android.os.Build;
+import android.os.Message;
 import android.webkit.JsPromptResult;
 import android.webkit.WebChromeClient;
+import android.webkit.WebResourceRequest;
 import android.webkit.WebStorage;
 import android.webkit.WebView;
 import android.webkit.WebViewClient;
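Review bot: The comment above the new setSupportMultipleWindows(true) line names the Chromium bug but not the fact that the setting mitigates nothing by itself: once multiple-window support is on, target=_blank links and window.open() calls are no longer loaded in place but handed to WebChromeClient.onCreateWindow, whose default implementation returns false and creates no window. The setting and the onCreateWindow override added to InAppChromeClient in this same commit are one mechanism and the comment should say so, e.g. `// Requires InAppChromeClient.onCreateWindow to route new-window requests back into this WebView (CVE-2020-6506).`. The method this hunk belongs to starts and ends outside the hunk, so the code that installs the chrome client on inAppWebView is not visible here; it is worth confirming that an InAppChromeClient is always set whenever this setting is enabled.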
@@ -135,4 +139,45 @@ public class InAppChromeClient extends WebChromeClient {
 return false;
 }
+ /**
+ * The InAppWebBrowser WebView is configured to MultipleWindow mode to mitigate a security
+ * bug found in Chromium prior to version 83.0.4103.106.
+ * See https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
+ *
+ * Valid Urls set to open in new window will be routed back to load in the original WebView.
+ *
+ * @param view
+ * @param isDialog
+ * @param isUserGesture
+ * @param resultMsg
+ * @return
+ */
+ @Override
+ public boolean onCreateWindow(WebView view, boolean isDialog, boolean isUserGesture, Message resultMsg) {
+ WebView inAppWebView = view;
+ final WebViewClient webViewClient =
+ new WebViewClient() {
+ @TargetApi(Build.VERSION_CODES.LOLLIPOP)
+ @Override
+ public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
+ inAppWebView.loadUrl(request.getUrl().toString());
+ return true;
+ }
+
+ @Override
+ public boolean shouldOverrideUrlLoading(WebView view, String url) {
+ inAppWebView.loadUrl(url);
+ return true;
+ }
+ };
+
+ final WebView newWebView = new WebView(view.getContext());
+ newWebView.setWebViewClient(webViewClient);
+
+ final WebView.WebViewTransport transport = (WebView.WebViewTransport) resultMsg.obj;
+ transport.setWebView(newWebView);
+ resultMsg.sendToTarget();
+
+ return true;
+ }
 }
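Review bot: Both shouldOverrideUrlLoading overrides in the new onCreateWindow forward whatever URL the popup requested straight into inAppWebView.loadUrl() with no scheme check, although the Javadoc promises that only "Valid Urls" are routed back; an app-initiated loadUrl is generally not passed through the host WebView's own shouldOverrideUrlLoading, so non-http(s) schemes that the host client would otherwise get to filter reach the original WebView unexamined. I would funnel both overrides through one helper that accepts only network URLs, as below (needs `import android.webkit.URLUtil;`), so the two code paths cannot drift apart. The placeholder WebView handed to the transport is never loaded or destroyed, so each popup request appears to leave a WebView alive until garbage collection; worth confirming whether `newWebView.destroy()` can safely be called once the redirect has happened. The empty `@param`/`@return` tags should either describe the arguments (resultMsg carries a WebViewTransport in obj, the return value means the request was handled) or be dropped.
```java
// … unchanged: Javadoc and onCreateWindow signature …
        WebView inAppWebView = view;
        final WebViewClient webViewClient =
            new WebViewClient() {
                @TargetApi(Build.VERSION_CODES.LOLLIPOP)
                @Override
                public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                    loadInHost(inAppWebView, request.getUrl().toString());
                    return true;
                }

                @Override
                public boolean shouldOverrideUrlLoading(WebView view, String url) {
                    loadInHost(inAppWebView, url);
                    return true;
                }
            };
        // … unchanged: newWebView creation, transport.setWebView, sendToTarget, return true …

    /**
     * Routes a navigation requested by a popup window into the host WebView.
     * Only http/https URLs are loaded; any other scheme is ignored so that the
     * redirect cannot be used to load content the host client would never accept.
     */
    private static void loadInHost(WebView host, String url) {
        if (url != null && URLUtil.isNetworkUrl(url)) {
            host.loadUrl(url);
        }
    }
```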