-
Notifications
You must be signed in to change notification settings - Fork 9.8k
[webview_flutter] [url_launcher] Handle Multiwindows in WebViews #2991
Conversation
.../webview_flutter/android/src/main/java/io/flutter/plugins/webviewflutter/FlutterWebView.java
Show resolved
Hide resolved
@Override | ||
public boolean onCreateWindow( | ||
final WebView view, boolean isDialog, boolean isUserGesture, Message resultMsg) { | ||
final WebViewClient webViewClient = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I understand this part, it seems like we're creating a new WebViewClient type and delegate some of the calls to the existing flutterWebViewClient, do we not want all functionality implemented by FlutterWebViewClient to work for the new WebView as well? (e.g should we not just use FlutterWebViewClient as the client for the new webview?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assumed that we only wanted the new WebView
to filter out non https
/http
calls and load any secure url. I'm not sure what else we would need it to do? Im assuming you're talking about returning WebResourceError
s and onPageStarted
/onPageFinished
callbacks. Won't our FlutterWebViewClient receive these after we call loadUrl
?
public boolean shouldOverrideUrlLoading( | ||
@NonNull WebView view, @NonNull WebResourceRequest request) { | ||
final String url = request.getUrl().toString(); | ||
if (isSecure(url)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I follow the logic here, can you comment on why we only delegate calls for http and https URLs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this can be addressed by resolving https://github.com/flutter/plugins/pull/2991/files#r483177693
return true; | ||
} | ||
|
||
private boolean isSecure(String url) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was a little confused by the name isSecure
, my initial guess when looking on the call site would have been "is it https"? though I'm not sure even why we're checking on this condition here.
final WebView view, boolean isDialog, boolean isUserGesture, Message resultMsg) { | ||
final WebViewClient webViewClient = | ||
new WebViewClient() { | ||
@TargetApi(Build.VERSION_CODES.LOLLIPOP) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what API needs this particular version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This method should only be called in Android API 24+: https://developer.android.com/reference/android/webkit/WebViewClient#shouldOverrideKeyEvent(android.webkit.WebView,%20android.view.KeyEvent)
However, WebResourceRequest.getUrl()
is only available in Android API 21: https://developer.android.com/reference/android/webkit/WebViewClient#shouldOverrideKeyEvent(android.webkit.WebView,%20android.view.KeyEvent)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
understood
} | ||
|
||
private boolean isSecure(String url) { | ||
return url.startsWith("https://") || url.startsWith("http://"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest we rename this as: isJavaScriptScheme(String url)
and check for url.startsWith("javascript:")
. Link to https://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-03 would be useful too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would only do this after we get an ok from the internal team. This method is currently just following their suggestion.
.../webview_flutter/android/src/main/java/io/flutter/plugins/webviewflutter/FlutterWebView.java
Show resolved
Hide resolved
@Override | ||
public boolean shouldOverrideUrlLoading(WebView view, String url) { | ||
if (isSecure(url)) { | ||
flutterWebViewClient.shouldOverrideUrlLoading(FlutterWebView.this.webView, url); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does invoking shouldOVerrideUrlLoading
has a side effect of loading the URL? It seems like our implementation of shouldOVerrideUrlLoading
introduces such a side effect on older webview versions only if a navigation delegate is set. Does this work when no navigation delegate is set?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a test, so it does still work without a navigation delegate.
@@ -828,6 +828,40 @@ void main() { | |||
final String currentUrl = await controller.currentUrl(); | |||
expect(currentUrl, 'about:blank'); | |||
}); | |||
|
|||
testWidgets( | |||
'can open new window and go back', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this one is good, but what about a test case like the one in the internal doc?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how to do a test like that. I would need to load a link that tries to open a window and test to see if javascript ran?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM + nit about adding test case
<!DOCTYPE html><html> | ||
<head><title>Resize test</title> | ||
<script> | ||
setTimeout(function() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this document needs to be inside the <iframe>
}, 0); | ||
</script> | ||
</head> | ||
<body onload="onLoad();" bgColor="blue"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
onLoad
isn't defined. Actually, you might be able to remove the setTimeout
and just define:
function onLoad() {
window.open('javascript:var elem = document.createElement("p");elem.innerHTML = "<b>Executed JS in parent origin: "+window.location.origin+"</b>"; document.body.append(elem);alert("XSS in doc.domain: "+document.domain+", win.origin: "+window.location.origin)');
}
final WebViewController controller = await controllerCompleter.future; | ||
final String result = await controller.evaluateJavascript( | ||
'document.querySelector("p") && document.querySelector("p").textContent'); | ||
expect(result, isEmpty); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be racy.
How do we know that the code inside the iframe has run at this point? One solution is to add a onLoad
handler to iframe
and set some global state once the event has fired. e.g. window.iframeLoaded = true
. Then, at this point check that window.iframeLoaded
is true
and document.querySelector("p") && document.querySelector("p").textContent
is empty.
|
||
final WebViewController controller = await controllerCompleter.future; | ||
final String result = await controller.evaluateJavascript( | ||
'iframeLoaded && document.querySelector("p") && document.querySelector("p").textContent', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking something like this:
expect(controller.evaluateJavascript('iframeLoaded'), completion('true'));
expect(controller.evaluateJavascript('document.querySelector("p") && document.querySelector("p").textContent'), isEmpty);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, when iframeLoaded
was false, it returned 'false'
, but I understand what you mean. done
(WidgetTester tester) async { | ||
final String openWindowTest = ''' | ||
<!DOCTYPE html><html> | ||
<head><title>Resize test</title> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uber nit: resize test -> XSS test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for the test.
Related Issues
Internal bug: b/159892679
Checklist
Before you create this PR confirm that it meets all requirements listed below by checking the relevant checkboxes (
[x]
). This will ensure a smooth and quick review process.///
).flutter analyze
) does not report any problems on my PR.Breaking Change
Does your PR require plugin users to manually update their apps to accommodate your change?