Skip to content
Permalink
Browse files
fix(android): Add mitigation strategy for CVE-2020-6506 (#792)
  • Loading branch information
carlpoole committed Nov 17, 2020
1 parent 2e6d637 commit e1d0777ea08c95678e6aab82a38c91dc3a8a22bb
Showing 2 changed files with 48 additions and 0 deletions.
@@ -1042,6 +1042,9 @@ public void postMessage(String data) {
inAppWebView.setId(Integer.valueOf(6));
inAppWebView.getSettings().setLoadWithOverviewMode(true);
inAppWebView.getSettings().setUseWideViewPort(useWideViewPort);
// Multiple Windows set to true to mitigate Chromium security bug.
// See: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
inAppWebView.getSettings().setSupportMultipleWindows(true);
inAppWebView.requestFocus();
inAppWebView.requestFocusFromTouch();

@@ -24,8 +24,12 @@ Licensed to the Apache Software Foundation (ASF) under one
import org.json.JSONArray;
import org.json.JSONException;

import android.annotation.TargetApi;
import android.os.Build;
import android.os.Message;
import android.webkit.JsPromptResult;
import android.webkit.WebChromeClient;
import android.webkit.WebResourceRequest;
import android.webkit.WebStorage;
import android.webkit.WebView;
import android.webkit.WebViewClient;
@@ -135,4 +139,45 @@ public boolean onJsPrompt(WebView view, String url, String message, String defau
return false;
}

/**
* The InAppWebBrowser WebView is configured to MultipleWindow mode to mitigate a security
* bug found in Chromium prior to version 83.0.4103.106.
* See https://bugs.chromium.org/p/chromium/issues/detail?id=1083819
*
* Valid Urls set to open in new window will be routed back to load in the original WebView.
*
* @param view
* @param isDialog
* @param isUserGesture
* @param resultMsg
* @return
*/
@Override
public boolean onCreateWindow(WebView view, boolean isDialog, boolean isUserGesture, Message resultMsg) {
WebView inAppWebView = view;
final WebViewClient webViewClient =
new WebViewClient() {
@TargetApi(Build.VERSION_CODES.LOLLIPOP)
@Override
public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
inAppWebView.loadUrl(request.getUrl().toString());
return true;
}

@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
inAppWebView.loadUrl(url);
return true;
}
};

final WebView newWebView = new WebView(view.getContext());
newWebView.setWebViewClient(webViewClient);

final WebView.WebViewTransport transport = (WebView.WebViewTransport) resultMsg.obj;
transport.setWebView(newWebView);
resultMsg.sendToTarget();

return true;
}
}

0 comments on commit e1d0777

Please sign in to comment.