fix(PluginManager): AllowBridgeAccess default policy to handle scheme & hostname (#1332)

エリス 2021-09-07 19:52:23 +09:00 committed by GitHub
parent dc4e065f61
commit 7a67e00b9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 6 deletions


@ -82,11 +82,6 @@ public class AllowListPlugin extends CordovaPlugin {
if (strNode.equals("content")) { if (strNode.equals("content")) {
String startPage = xml.getAttributeValue(null, "src"); String startPage = xml.getAttributeValue(null, "src");
allowedNavigations.addAllowListEntry(startPage, false); allowedNavigations.addAllowListEntry(startPage, false);
// Allow origin for WebViewAssetLoader
if (!this.prefs.getBoolean("AndroidInsecureFileModeEnabled", false)) {
allowedNavigations.addAllowListEntry("https://" + this.prefs.getString("hostname", "localhost"), false);
}
} else if (strNode.equals("allow-navigation")) { } else if (strNode.equals("allow-navigation")) {
String origin = xml.getAttributeValue(null, "href"); String origin = xml.getAttributeValue(null, "href");
if ("*".equals(origin)) { if ("*".equals(origin)) {


@ -41,6 +41,12 @@ import android.os.Build;
*/ */
public class PluginManager { public class PluginManager {
private static String TAG = "PluginManager"; private static String TAG = "PluginManager";
// @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
private static String SCHEME_HTTPS = "https";
// @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
private static String DEFAULT_HOSTNAME = "localhost";
private static final int SLOW_EXEC_WARNING_THRESHOLD = Debug.isDebuggerConnected() ? 60 : 16; private static final int SLOW_EXEC_WARNING_THRESHOLD = Debug.isDebuggerConnected() ? 60 : 16;
// List of service entries // List of service entries
@ -366,6 +372,24 @@ public class PluginManager {
} }
} }
/**
* @todo should we move this somewhere public and accessible by all plugins?
* For now, it is placed where it is used and kept private so we can decide later and move without causing a breaking change.
* An ideal location might be in the "ConfigXmlParser" at the time it generates the "launchUrl".
*
* @todo should we be restrictive on the "file://" return? e.g. "file:///android_asset/www/"
* Would be considered as a breaking change if we apply a more granular check.
*/
private String getLaunchUrlPrefix() {
if (!app.getPreferences().getBoolean("AndroidInsecureFileModeEnabled", false)) {
String scheme = app.getPreferences().getString("scheme", SCHEME_HTTPS).toLowerCase();
String hostname = app.getPreferences().getString("hostname", DEFAULT_HOSTNAME);
return scheme + "://" + hostname + '/';
}
return "file://";
}
/** /**
* Called when the webview is going to request an external resource. * Called when the webview is going to request an external resource.
* *
@ -452,7 +476,7 @@ public class PluginManager {
} }
// Default policy: // Default policy:
return url.startsWith("file://"); return url.startsWith(getLaunchUrlPrefix());
} }
/** /**
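Review bot: In `getLaunchUrlPrefix()` the scheme is lowercased with the locale-sensitive `toLowerCase()` and the hostname is not normalized at all, while the default policy in the last hunk compares with a case-sensitive `url.startsWith(...)`. On a device whose default locale is Turkish or Azeri, a configured scheme containing `I` would lowercase to a dotless `ı`, and a `hostname` preference written with capitals would presumably never match the lowercase host the WebView reports, so bridge access would be denied for the app's own pages (fail-closed, but hard to diagnose). I would use `.toLowerCase(Locale.ROOT)` on both values, e.g. `String hostname = app.getPreferences().getString("hostname", DEFAULT_HOSTNAME).toLowerCase(Locale.ROOT);`, which needs a `java.util.Locale` import if the file lacks one. The trailing `'/'` in the returned prefix is what keeps a host such as `localhost.example.test` from matching, so a one-line comment saying so would stop a later cleanup from dropping it; the method containing the changed `return` begins outside the hunk.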