Loading api/current.txt +3 −3 Original line number Original line Diff line number Diff line Loading @@ -58002,7 +58002,7 @@ package android.webkit { method @Deprecated public abstract void removeSessionCookie(); method @Deprecated public abstract void removeSessionCookie(); method public abstract void removeSessionCookies(@Nullable android.webkit.ValueCallback<java.lang.Boolean>); method public abstract void removeSessionCookies(@Nullable android.webkit.ValueCallback<java.lang.Boolean>); method public abstract void setAcceptCookie(boolean); method public abstract void setAcceptCookie(boolean); method public static void setAcceptFileSchemeCookies(boolean); method @Deprecated public static void setAcceptFileSchemeCookies(boolean); method public abstract void setAcceptThirdPartyCookies(android.webkit.WebView, boolean); method public abstract void setAcceptThirdPartyCookies(android.webkit.WebView, boolean); method public abstract void setCookie(String, String); method public abstract void setCookie(String, String); method public abstract void setCookie(String, String, @Nullable android.webkit.ValueCallback<java.lang.Boolean>); method public abstract void setCookie(String, String, @Nullable android.webkit.ValueCallback<java.lang.Boolean>); Loading Loading 
@@ -58367,8 +58367,8 @@ package android.webkit { method public abstract String getUserAgentString(); method public abstract String getUserAgentString(); method public abstract void setAllowContentAccess(boolean); method public abstract void setAllowContentAccess(boolean); method public abstract void setAllowFileAccess(boolean); method public abstract void setAllowFileAccess(boolean); method public abstract void setAllowFileAccessFromFileURLs(boolean); method @Deprecated public abstract void setAllowFileAccessFromFileURLs(boolean); method public abstract void setAllowUniversalAccessFromFileURLs(boolean); method @Deprecated public abstract void setAllowUniversalAccessFromFileURLs(boolean); method public abstract void setAppCacheEnabled(boolean); method public abstract void setAppCacheEnabled(boolean); method @Deprecated public abstract void setAppCacheMaxSize(long); method @Deprecated public abstract void setAppCacheMaxSize(long); method public abstract void setAppCachePath(String); method public abstract void setAppCachePath(String); core/java/android/webkit/CookieManager.java +19 −8 Original line number Original line Diff line number Diff line Loading 
@@ -268,17 +268,28 @@ public abstract class CookieManager { protected abstract boolean allowFileSchemeCookiesImpl(); protected abstract boolean allowFileSchemeCookiesImpl(); /** /** * Sets whether the application's {@link WebView} instances should send and * Sets whether the application's {@link WebView} instances should send and accept cookies for * accept cookies for file scheme URLs. * file scheme URLs. * Use of cookies with file scheme URLs is potentially insecure and turned * <p> * off by default. * Use of cookies with file scheme URLs is potentially insecure and turned off by default. All * Do not use this feature unless you can be sure that no unintentional * {@code file://} URLs share all their cookies, which may lead to leaking private app cookies * sharing of cookie data can take place. * (ex. any malicious file can access cookies previously set by other (trusted) files). * <p class="note"> * Loading content via {@code file://} URLs is generally discouraged. See the note in * {@link WebSettings#setAllowFileAccess}. * Using <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> to load files over {@code http(s)://} URLs allows * the standard web security model to be used for setting and sharing cookies for local files. * <p> * <p> * Note that calls to this method will have no effect if made after a * Note that calls to this method will have no effect if made after calling other * {@link WebView} or CookieManager instance has been created. * {@link CookieManager} APIs. * * @deprecated This setting is not secure, please use * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> instead. */ */ // Static for backward compatibility. // Static for backward compatibility. 
@Deprecated public static void setAcceptFileSchemeCookies(boolean accept) { public static void setAcceptFileSchemeCookies(boolean accept) { getInstance().setAcceptFileSchemeCookiesImpl(accept); getInstance().setAcceptFileSchemeCookiesImpl(accept); } } Loading core/java/android/webkit/WebSettings.java +45 −30 Original line number Original line Diff line number Diff line Loading 
@@ -983,48 +983,63 @@ public abstract class WebSettings { public abstract void setJavaScriptEnabled(boolean flag); public abstract void setJavaScriptEnabled(boolean flag); /** /** * Sets whether JavaScript running in the context of a file scheme URL * Sets whether cross-origin requests in the context of a file scheme URL should be allowed to * should be allowed to access content from any origin. This includes * access content from <i>any</i> origin. This includes access to content from other file * access to content from other file scheme URLs. See * scheme URLs or web contexts. Note that some access such as image HTML elements doesn't * {@link #setAllowFileAccessFromFileURLs}. To enable the most restrictive, * follow same-origin rules and isn't affected by this setting. * and therefore secure policy, this setting should be disabled. * <p> * Note that this setting affects only JavaScript access to file scheme * <b>Don't</b> enable this setting if you open files that may be created or altered by * resources. Other access to such resources, for example, from image HTML * external sources. Enabling this setting allows malicious scripts loaded in a {@code file://} * elements, is unaffected. To prevent possible violation of same domain policy * context to launch cross-site scripting attacks, either accessing arbitrary local files * when targeting {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, * including WebView cookies, app private data or even credentials used on arbitrary web sites. * you should explicitly set this value to {@code false}. * <p class="note"> * Loading content via {@code file://} URLs is generally discouraged. See the note in * {@link #setAllowFileAccess}. 
* <p> * <p> * The default value is {@code true} for apps targeting * The default value is {@code true} for apps targeting * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, and {@code false} * and {@code false} when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} * when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} and above. To prevent * and above. * possible violation of same domain policy when targeting * * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, you should * @param flag whether JavaScript running in the context of a file scheme * explicitly set this value to {@code false}. * URL should be allowed to access content from any origin * * @param flag whether JavaScript running in the context of a file scheme URL should be allowed * to access content from any origin * @deprecated This setting is not secure, please use * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> to load file content securely. */ */ @Deprecated public abstract void setAllowUniversalAccessFromFileURLs(boolean flag); public abstract void setAllowUniversalAccessFromFileURLs(boolean flag); /** /** * Sets whether JavaScript running in the context of a file scheme URL * Sets whether cross-origin requests in the context of a file scheme URL should be allowed to * should be allowed to access content from other file scheme URLs. To * access content from other file scheme URLs. Note that some accesses such as image HTML * enable the most restrictive, and therefore secure, policy this setting * elements don't follow same-origin rules and aren't affected by this setting. * should be disabled. Note that the value of this setting is ignored if * the value of {@link #getAllowUniversalAccessFromFileURLs} is {@code true}. 
* Note too, that this setting affects only JavaScript access to file scheme * resources. Other access to such resources, for example, from image HTML * elements, is unaffected. To prevent possible violation of same domain policy * when targeting {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, * you should explicitly set this value to {@code false}. * <p> * <p> * The default value is {@code true} for apps targeting * <b>Don't</b> enable this setting if you open files that may be created or altered by * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, * external sources. Enabling this setting allows malicious scripts loaded in a {@code file://} * and {@code false} when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} * context to access arbitrary local files including WebView cookies and app private data. * and above. * <p class="note"> * Loading content via {@code file://} URLs is generally discouraged. See the note in * {@link #setAllowFileAccess}. * <p> * Note that the value of this setting is ignored if the value of * {@link #getAllowUniversalAccessFromFileURLs} is {@code true}. The default value is * {@code true} for apps targeting {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} * and below, and {@code false} when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} * and above. To prevent possible violation of same domain policy when targeting * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, you should * explicitly set this value to {@code false}. 
* * * @param flag whether JavaScript running in the context of a file scheme * @param flag whether JavaScript running in the context of a file scheme * URL should be allowed to access content from other file * URL should be allowed to access content from other file * scheme URLs * scheme URLs * @deprecated This setting is not secure, please use * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> to load file content securely. */ */ @Deprecated public abstract void setAllowFileAccessFromFileURLs(boolean flag); public abstract void setAllowFileAccessFromFileURLs(boolean flag); /** /** Loading Loading
api/current.txt +3 −3 Original line number Original line Diff line number Diff line Loading @@ -58002,7 +58002,7 @@ package android.webkit { method @Deprecated public abstract void removeSessionCookie(); method @Deprecated public abstract void removeSessionCookie(); method public abstract void removeSessionCookies(@Nullable android.webkit.ValueCallback<java.lang.Boolean>); method public abstract void removeSessionCookies(@Nullable android.webkit.ValueCallback<java.lang.Boolean>); method public abstract void setAcceptCookie(boolean); method public abstract void setAcceptCookie(boolean); method public static void setAcceptFileSchemeCookies(boolean); method @Deprecated public static void setAcceptFileSchemeCookies(boolean); method public abstract void setAcceptThirdPartyCookies(android.webkit.WebView, boolean); method public abstract void setAcceptThirdPartyCookies(android.webkit.WebView, boolean); method public abstract void setCookie(String, String); method public abstract void setCookie(String, String); method public abstract void setCookie(String, String, @Nullable android.webkit.ValueCallback<java.lang.Boolean>); method public abstract void setCookie(String, String, @Nullable android.webkit.ValueCallback<java.lang.Boolean>); Loading Loading 
@@ -58367,8 +58367,8 @@ package android.webkit { method public abstract String getUserAgentString(); method public abstract String getUserAgentString(); method public abstract void setAllowContentAccess(boolean); method public abstract void setAllowContentAccess(boolean); method public abstract void setAllowFileAccess(boolean); method public abstract void setAllowFileAccess(boolean); method public abstract void setAllowFileAccessFromFileURLs(boolean); method @Deprecated public abstract void setAllowFileAccessFromFileURLs(boolean); method public abstract void setAllowUniversalAccessFromFileURLs(boolean); method @Deprecated public abstract void setAllowUniversalAccessFromFileURLs(boolean); method public abstract void setAppCacheEnabled(boolean); method public abstract void setAppCacheEnabled(boolean); method @Deprecated public abstract void setAppCacheMaxSize(long); method @Deprecated public abstract void setAppCacheMaxSize(long); method public abstract void setAppCachePath(String); method public abstract void setAppCachePath(String);
core/java/android/webkit/CookieManager.java +19 −8
@@ -268,17 +268,28 @@ public abstract class CookieManager { protected abstract boolean allowFileSchemeCookiesImpl(); protected abstract boolean allowFileSchemeCookiesImpl(); /** /** * Sets whether the application's {@link WebView} instances should send and * Sets whether the application's {@link WebView} instances should send and accept cookies for * accept cookies for file scheme URLs. * file scheme URLs. * Use of cookies with file scheme URLs is potentially insecure and turned * <p> * off by default. * Use of cookies with file scheme URLs is potentially insecure and turned off by default. All * Do not use this feature unless you can be sure that no unintentional * {@code file://} URLs share all their cookies, which may lead to leaking private app cookies * sharing of cookie data can take place. * (ex. any malicious file can access cookies previously set by other (trusted) files). * <p class="note"> * Loading content via {@code file://} URLs is generally discouraged. See the note in * {@link WebSettings#setAllowFileAccess}. * Using <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> to load files over {@code http(s)://} URLs allows * the standard web security model to be used for setting and sharing cookies for local files. * <p> * <p> * Note that calls to this method will have no effect if made after a * Note that calls to this method will have no effect if made after calling other * {@link WebView} or CookieManager instance has been created. * {@link CookieManager} APIs. * * @deprecated This setting is not secure, please use * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> instead. */ */ // Static for backward compatibility. // Static for backward compatibility. 
@Deprecated public static void setAcceptFileSchemeCookies(boolean accept) { public static void setAcceptFileSchemeCookies(boolean accept) { getInstance().setAcceptFileSchemeCookiesImpl(accept); getInstance().setAcceptFileSchemeCookiesImpl(accept); } } Loading
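Review bot: The new warning in the Javadoc of setAcceptFileSchemeCookies states the risk as `(ex. any malicious file can access cookies previously set by other (trusted) files)` but does not say where such a file would come from, whereas the WebSettings warnings in this same commit name the condition (files "created or altered by external sources"). I would align the two and replace the informal "ex." with "e.g.", for instance `* (e.g. a file created or altered by an external source can read cookies previously set by trusted files).` The `@deprecated` text `This setting is not secure` is also imprecise, because the comment itself says the feature is off by default and it is enabling it that is unsafe; `@deprecated Enabling this setting is not secure, please use ...` would say that. The method is fully inside the hunk, but the enclosing CookieManager class starts and ends outside it.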
core/java/android/webkit/WebSettings.java +45 −30
@@ -983,48 +983,63 @@ public abstract class WebSettings { public abstract void setJavaScriptEnabled(boolean flag); public abstract void setJavaScriptEnabled(boolean flag); /** /** * Sets whether JavaScript running in the context of a file scheme URL * Sets whether cross-origin requests in the context of a file scheme URL should be allowed to * should be allowed to access content from any origin. This includes * access content from <i>any</i> origin. This includes access to content from other file * access to content from other file scheme URLs. See * scheme URLs or web contexts. Note that some access such as image HTML elements doesn't * {@link #setAllowFileAccessFromFileURLs}. To enable the most restrictive, * follow same-origin rules and isn't affected by this setting. * and therefore secure policy, this setting should be disabled. * <p> * Note that this setting affects only JavaScript access to file scheme * <b>Don't</b> enable this setting if you open files that may be created or altered by * resources. Other access to such resources, for example, from image HTML * external sources. Enabling this setting allows malicious scripts loaded in a {@code file://} * elements, is unaffected. To prevent possible violation of same domain policy * context to launch cross-site scripting attacks, either accessing arbitrary local files * when targeting {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, * including WebView cookies, app private data or even credentials used on arbitrary web sites. * you should explicitly set this value to {@code false}. * <p class="note"> * Loading content via {@code file://} URLs is generally discouraged. See the note in * {@link #setAllowFileAccess}. 
* <p> * <p> * The default value is {@code true} for apps targeting * The default value is {@code true} for apps targeting * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, and {@code false} * and {@code false} when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} * when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} and above. To prevent * and above. * possible violation of same domain policy when targeting * * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, you should * @param flag whether JavaScript running in the context of a file scheme * explicitly set this value to {@code false}. * URL should be allowed to access content from any origin * * @param flag whether JavaScript running in the context of a file scheme URL should be allowed * to access content from any origin * @deprecated This setting is not secure, please use * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> to load file content securely. */ */ @Deprecated public abstract void setAllowUniversalAccessFromFileURLs(boolean flag); public abstract void setAllowUniversalAccessFromFileURLs(boolean flag); /** /** * Sets whether JavaScript running in the context of a file scheme URL * Sets whether cross-origin requests in the context of a file scheme URL should be allowed to * should be allowed to access content from other file scheme URLs. To * access content from other file scheme URLs. Note that some accesses such as image HTML * enable the most restrictive, and therefore secure, policy this setting * elements don't follow same-origin rules and aren't affected by this setting. * should be disabled. Note that the value of this setting is ignored if * the value of {@link #getAllowUniversalAccessFromFileURLs} is {@code true}. 
* Note too, that this setting affects only JavaScript access to file scheme * resources. Other access to such resources, for example, from image HTML * elements, is unaffected. To prevent possible violation of same domain policy * when targeting {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, * you should explicitly set this value to {@code false}. * <p> * <p> * The default value is {@code true} for apps targeting * <b>Don't</b> enable this setting if you open files that may be created or altered by * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and below, * external sources. Enabling this setting allows malicious scripts loaded in a {@code file://} * and {@code false} when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} * context to access arbitrary local files including WebView cookies and app private data. * and above. * <p class="note"> * Loading content via {@code file://} URLs is generally discouraged. See the note in * {@link #setAllowFileAccess}. * <p> * Note that the value of this setting is ignored if the value of * {@link #getAllowUniversalAccessFromFileURLs} is {@code true}. The default value is * {@code true} for apps targeting {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} * and below, and {@code false} when targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} * and above. To prevent possible violation of same domain policy when targeting * {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH_MR1} and earlier, you should * explicitly set this value to {@code false}. 
* * * @param flag whether JavaScript running in the context of a file scheme * @param flag whether JavaScript running in the context of a file scheme * URL should be allowed to access content from other file * URL should be allowed to access content from other file * scheme URLs * scheme URLs * @deprecated This setting is not secure, please use * <a href="{@docRoot}reference/androidx/webkit/WebViewAssetLoader.html"> * androidx.webkit.WebViewAssetLoader</a> to load file content securely. */ */ @Deprecated public abstract void setAllowFileAccessFromFileURLs(boolean flag); public abstract void setAllowFileAccessFromFileURLs(boolean flag); /** /** Loading
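Review bot: In the rewritten Javadoc for setAllowUniversalAccessFromFileURLs and setAllowFileAccessFromFileURLs the summary now speaks of `cross-origin requests in the context of a file scheme URL`, but both `@param flag` descriptions still read `whether JavaScript running in the context of a file scheme URL should be allowed to access content from ...`, so the two halves of each comment describe different scopes. I would update the tags to match the new summary, e.g. `@param flag whether cross-origin requests in the context of a file scheme URL should be allowed to access content from any origin`, and the same with `from other file scheme URLs` for the second method. In the universal-access warning, `either accessing arbitrary local files including WebView cookies, app private data or even credentials used on arbitrary web sites` has a dangling "either" in front of a three-item list and reads more clearly without it. Both methods are abstract declarations in a class whose body continues outside the hunk.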