v0.1.0-canary.6

@mayankmahavar1mg mayankmahavar1mg released this 09 Mar 10:40
· 15 commits to main since this release

Summary

Security hardening for the Catalyst Framework WebView layer across Android and iOS,
with native test suites added for all new bridge commands and pre-existing test
failures fixed.

Security fixes

  • allowBackup (Android): Replaced patchAndroidManifest Gradle task with
    manifestPlaceholders["allowBackup"]. Config-driven via
    WEBVIEW_CONFIG.android.security.allowBackup in config.json.

  • App switcher screen caching: Added setScreenSecure / getScreenSecure
    bridge commands. Android sets FLAG_SECURE; iOS manages a ScreenSecureManager
    overlay on sceneWillDeactivate.

  • Screenshots / local storage on logout: Added clearWebData bridge command.
    Clears WebView built-in cache + custom native disk cache (WebCacheManager on
    Android, CacheManager on iOS).

  • JSON injection (Android NativeBridge.kt): Fixed 3 error callback sites that
    were building JSON strings manually. Now use notifyWebJson + JSONObject for
    all responses.

JS bridge fixes

  • SSR / web safety (NativeBridge.js, useBaseHook.js): NativeBridgeUtil
    was constructed at module load time during SSR, freezing isNativeEnvironment = false permanently. Fixed isAvailable() to perform a live _detectAndroid() || _detectIOS() check at call time. Added callNative(fn) helper in
    useBaseHook.js for fire-and-forget native calls that silently no-op on web.
    Updated hooks.js to use callNative for setScreenSecure, getScreenSecure,
    and clearWebData.

  • BridgeMessageValidator (BridgeMessageValidator.kt): Replaced hardcoded
    validCommands set with CatalystConstants.Bridge.VALID_COMMANDS as single
    source of truth, adding setScreenSecure, getScreenSecure, and clearWebData.
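
The failure mode from the SSR bullet above, as an added example (not code from the Catalyst repository): a flag sampled once in the constructor stays false after the native bridge appears, so a call such as setScreenSecure never reaches the native side, while a call-time check picks it up. The class names, `callNativeWith`, the `g` stand-in for the global scope, and `window.NativeBridge` as the Android interface name are assumptions; `window.webkit.messageHandlers` is the WKWebView messaging object.

```javascript
// Added illustration; not the Catalyst Framework source.
// `g` stands in for the global scope so both phases run in one process.
// Assumed signals: window.NativeBridge (hypothetical Android interface name),
// window.webkit.messageHandlers (WKWebView on iOS).
const detectAndroid = (g) => typeof g.window !== "undefined" && !!g.window.NativeBridge;
const detectIOS = (g) =>
  typeof g.window !== "undefined" &&
  !!(g.window.webkit && g.window.webkit.messageHandlers);

// Before: environment sampled once, at construction (module load during SSR).
class FrozenBridgeUtil {
  constructor(g) {
    this.isNativeEnvironment = detectAndroid(g) || detectIOS(g);
  }
  isAvailable() {
    return this.isNativeEnvironment;
  }
}

// After: isAvailable() repeats the detection on every call.
class LiveBridgeUtil {
  constructor(g) {
    this.g = g;
  }
  isAvailable() {
    return detectAndroid(this.g) || detectIOS(this.g);
  }
}

// Fire-and-forget wrapper: skips fn when no native bridge is present.
// Returns whether fn ran, so callers and tests can tell a no-op apart.
function callNativeWith(util, fn) {
  if (!util.isAvailable()) return false;
  fn();
  return true;
}

function simulate() {
  const g = {}; // phase 1: no window, as during server-side rendering
  const frozen = new FrozenBridgeUtil(g);
  const live = new LiveBridgeUtil(g);
  const received = []; // what the native side actually got
  const secure = () => g.window.NativeBridge.setScreenSecure(true);
  const ssr = [callNativeWith(frozen, secure), callNativeWith(live, secure)];
  // phase 2: the bridge object is now present
  g.window = { NativeBridge: { setScreenSecure: (v) => received.push(v) } };
  const native = [callNativeWith(frozen, secure), callNativeWith(live, secure)];
  return { ssr, native, received };
}
```

In the frozen variant the setScreenSecure call is dropped without any error, so a test that asserts the native side actually received the call is the check that catches this regression.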

Native test suites added

| File | Platform | Tests |
|---|---|---|
| SecurityBridgeTest.kt | Android | 12 |
| ScreenSecureManagerTests.swift | iOS | 8 |
| BridgeCommandHandlerSecurityTests.swift | iOS | 8 |

Pre-existing test failures fixed

| Test | Root cause | Fix |
|---|---|---|
| testNavigationHandling_AllowedURLLoading / BlockedURLNavigation | decisionHandler called inside unstructured Task {} await MainActor.run; Task.yield() + 0.1s was racy under load | Replaced with XCTestExpectation + fulfillment(of:timeout:2.0) |
| testHTTPSServerSetup_ServerInitialization | NWListener setup on main thread triggered UI-responsiveness warning | Made test async, wrapped startServer() in Task.detached |
| testFileServing_AddFileToServe | NWListener state race — handler could set isServerRunning = false after startServer() returned | Added Thread.sleep(0.3s) after start to let listener state settle |
| testSizeManagement_DiskUsageTracking | getCacheStatistics() read URLCache.currentDiskUsage which doesn't count custom .cache files | Fixed to enumerate .cache files and sum sizes |
| WebViewTests navigation tests | WebViewNavigationDelegate.init gained initialURL: URL? param in last merge but WebViewTests was not updated | Passed initialURL: nil |

iOS code coverage

Enabled codeCoverage: true in iosnativeWebView.xctestplan for all targets.

Test coverage

376 tests passing, 0 failures (196 Android · 180 iOS) · iOS code coverage 89%