Merge "Make JavascriptInterface annotation public." into jb-mr1-dev (4f8da32f) · Commits · e / os / android_frameworks_base

api/current.txt

+3 −0

Original line number	Diff line number	Diff line
		@@ -26943,6 +26943,9 @@ package android.webkit {
		method public boolean useHttpAuthUsernamePassword();
		}

		public abstract class JavascriptInterface implements java.lang.annotation.Annotation {
		}

		public class JsPromptResult extends android.webkit.JsResult {
		method public void confirm(java.lang.String);
		}

core/java/android/webkit/JavascriptInterface.java

+1 −2

Original line number	Diff line number	Diff line
		@@ -25,9 +25,8 @@ import java.lang.annotation.Target;
		* Annotation that allows exposing methods to JavaScript. Starting from API level
		* {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1} and above, only methods explicitly
		* marked with this annotation are available to the Javascript code. See
		* {@link android.webkit.Webview#addJavaScriptInterface} for more information about it.
		* {@link android.webkit.WebView#addJavascriptInterface} for more information about it.
		*
		* @hide
		*/
		@SuppressWarnings("javadoc")
		@Retention(RetentionPolicy.RUNTIME)

core/java/android/webkit/WebView.java

+17 −8

Original line number	Diff line number	Diff line
		@@ -26,7 +26,6 @@ import android.graphics.Picture;
		import android.graphics.Rect;
		import android.graphics.drawable.Drawable;
		import android.net.http.SslCertificate;
		import android.os.Build;
		import android.os.Bundle;
		import android.os.Looper;
		import android.os.Message;
		@@ -1494,10 +1493,20 @@ public class WebView extends AbsoluteLayout
		/**
		* Injects the supplied Java object into this WebView. The object is
		* injected into the JavaScript context of the main frame, using the
		* supplied name. This allows the Java object's public methods to be
		* accessed from JavaScript. Note that that injected objects will not
		* supplied name. This allows the Java object's methods to be
		* accessed from JavaScript. For API level {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1}
		* and above, only public methods that are annotated with
		* {@link android.webkit.JavascriptInterface} can be accessed from JavaScript.
		* For API level {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or below,
		* all public methods (including the inherited ones) can be accessed, see the
		* important security note below for implications. Note that injected objects will not
		* appear in JavaScript until the page is next (re)loaded. For example:
		* <pre> webView.addJavascriptInterface(new Object(), "injectedObject");
		* <pre>
		* class JsObject {
		* {@literal @}JavascriptInterface
		* public String toString() { return "injectedObject"; }
		* }
		* webView.addJavascriptInterface(new JsObject(), "injectedObject");
		* webView.loadData("<!DOCTYPE html><title></title>", "text/html", null);
		* webView.loadUrl("javascript:alert(injectedObject.toString())");</pre>
		* <p>
		@@ -1505,7 +1514,9 @@ public class WebView extends AbsoluteLayout
		* <ul>
		* <li> This method can be used to allow JavaScript to control the host
		* application. This is a powerful feature, but also presents a security
		* risk, particularly as JavaScript could use reflection to access an
		* risk for applications targeting API level
		* {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or below, because
		* JavaScript could use reflection to access an
		* injected object's public fields. Use of this method in a WebView
		* containing untrusted content could allow an attacker to manipulate the
		* host application in unintended ways, executing Java code with the
		@@ -1514,6 +1525,7 @@ public class WebView extends AbsoluteLayout
		* <li> JavaScript interacts with Java object on a private, background
		* thread of this WebView. Care is therefore required to maintain thread
		* safety.</li>
		* <li> The Java object's fields are not accessible.</li>
		* </ul>
		*
		* @param object the Java object to inject into this WebView's JavaScript
		@@ -1523,9 +1535,6 @@ public class WebView extends AbsoluteLayout
		public void addJavascriptInterface(Object object, String name) {
		checkThread();
		mProvider.addJavascriptInterface(object, name);
		// TODO in a separate CL provide logic to enable annotations for API level JB_MR1 and above. Don't forget to
		// update the doc, set a link to annotation and unhide the annotation.
		// also describe that fields of java objects are not accessible from JS.
		}

		/**

core/java/android/webkit/WebViewClassic.java

+10 −2

Original line number	Diff line number	Diff line
		@@ -55,6 +55,7 @@ import android.net.ProxyProperties;
		import android.net.Uri;
		import android.net.http.SslCertificate;
		import android.os.AsyncTask;
		import android.os.Build;
		import android.os.Bundle;
		import android.os.Handler;
		import android.os.Looper;
		@@ -4119,10 +4120,17 @@ public final class WebViewClassic implements WebViewProvider, WebViewProvider.Sc
		return;
		}
		WebViewCore.JSInterfaceData arg = new WebViewCore.JSInterfaceData();
		// TODO in a separate CL provide logic to enable annotations for API level JB_MR1 and above.

		arg.mObject = object;
		arg.mInterfaceName = name;

		// starting with JELLY_BEAN_MR1, annotations are mandatory for enabling access to
		// methods that are accessible from JS.
		if (mContext.getApplicationInfo().targetSdkVersion >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
		arg.mRequireAnnotation = true;
		} else {
		arg.mRequireAnnotation = false;
		}
		mWebViewCore.sendMessage(EventHub.ADD_JS_INTERFACE, arg);
		}