Commit 04a454f6 authored by Shimi Zhang

aw: Correct doc of addJavascriptInterface()

The Javadoc of addJavascriptInterface() mentioned that the injected
Java object will be injected to main frame, but this is not telling
a full picture. The current implementation will inject the Java
object to all the frames actually.

This CL corrected the misleading wording and added a new warning to
explicitly call it out as a security risk.

Bug: 113336656
Test: make ds-docs
Change-Id: Ia79381d1ab38afa963ea7365526749c14e25238c
parent 0141ef09
+7 −2
@@ -1840,8 +1840,8 @@ public class WebView extends AbsoluteLayout

    /**
     * Injects the supplied Java object into this WebView. The object is
     * injected into the JavaScript context of the main frame, using the
     * supplied name. This allows the Java object's methods to be
     * injected into all frames of the web page, including all the iframes,
     * using the supplied name. This allows the Java object's methods to be
     * accessed from JavaScript. For applications targeted to API
     * level {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1}
     * and above, only public methods that are annotated with
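
Review bot: In the rewritten summary sentence, "injected into all frames of the web page, including all the iframes" does not say that this holds whatever the frame's origin, which is the security-relevant part and is only spelled out in the list item added further down. Consider wording such as "including iframes of any origin", or a short pointer to the warning in the list, so a reader who stops at the first paragraph still sees it. "all frames ... including all the iframes" is also slightly redundant; "all frames of the web page, including iframes" reads more cleanly.
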
@@ -1880,6 +1880,11 @@ public class WebView extends AbsoluteLayout
     * thread of this WebView. Care is therefore required to maintain thread
     * safety.
     * </li>
     * <li> Because the object is exposed to all the frames, any frame could
     * obtain the object name and call methods on it. There is no way to tell the
     * calling frame's origin from the app side, so the app must not assume that
     * the caller is trustworthy unless the app can guarantee that no third party
     * content is ever loaded into the WebView even inside an iframe.</li>
     * <li> The Java object's fields are not accessible.</li>
     * <li> For applications targeted to API level {@link android.os.Build.VERSION_CODES#LOLLIPOP}
     * and above, methods of injected Java objects are enumerable from
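
Review bot: The new list item says the app "must not assume that the caller is trustworthy" but leaves open whether checking the page loaded in the main frame would be enough. Since the same item states there is no way to tell the calling frame's origin from the app side, say explicitly that validating the top-level page does not identify the caller, so the only safe assumption is that every exposed method can be called by any content in the WebView. Wording: "third party content" should be hyphenated ("third-party content") and a comma before "even inside an iframe" would help. Given that the commit message calls this a security risk, consider giving the item more prominence than a position between the thread-safety and fields items.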