Merge "Update security-related WebView documentation." into pi-dev am: 4611a2e1

    /**

     * Proceed with the SSL certificate.

     * <p>

     * It is not recommended to proceed past SSL errors and this method should

     * generally not be used; see {@link WebViewClient#onReceivedSslError} for

     * more information.

     */

    public void proceed() {}

     * the new WebView as an argument. If the host application chooses not to

     * honor the request, it should return {@code false} from this method. The default

     * implementation of this method does nothing and hence returns {@code false}.

     * <p>

     * Applications should typically not allow windows to be created when the

     * {@code isUserGesture} flag is false, as this may be an unwanted popup.

     * <p>

     * Applications should be careful how they display the new window: don't simply

     * overlay it over the existing WebView as this may mislead the user about which

     * site they are viewing. If your application displays the URL of the main page,

     * make sure to also display the URL of the new window in a similar fashion. If

     * your application does not display URLs, consider disallowing the creation of

     * new windows entirely.

     * <p class="note"><b>Note:</b> There is no trustworthy way to tell which page

     * requested the new window: the request might originate from a third-party iframe

     * inside the WebView.

     *

     * @param view The WebView from which the request for a new window

     *             originated.

     * @param isDialog {@code true} if the new window should be a dialog, rather than

     * from the view system if necessary. At this point, WebCore has stopped

     * any loading in this window and has removed any cross-scripting ability

     * in javascript.

     * <p>

     * As with {@link #onCreateWindow}, the application should ensure that any

     * URL or security indicator displayed is updated so that the user can tell

     * that the page they were interacting with has been closed.

     *

     * @param window The WebView that needs to be closed.

     */

    public void onCloseWindow(WebView window) {}

     * If {@code null}, defaults to 'text/html'.

     * <p>

     * The 'data' scheme URL formed by this method uses the default US-ASCII

     * charset. If you need need to set a different charset, you should form a

     * charset. If you need to set a different charset, you should form a

     * 'data' scheme URL which explicitly specifies a charset parameter in the

     * mediatype portion of the URL and call {@link #loadUrl(String)} instead.

     * Note that the charset obtained from the mediatype portion of a data URL

     * always overrides that specified in the HTML or XML document itself.

     * <p>

     * Content loaded using this method will have a {@code window.origin} value

     * of {@code "null"}. This must not be considered to be a trusted origin

     * by the application or by any JavaScript code running inside the WebView

     * (for example, event sources in DOM event handlers or web messages),

     * because malicious content can also create frames with a null origin. If

     * you need to identify the main frame's origin in a trustworthy way, you

     * should use {@link #loadDataWithBaseURL(String,String,String,String,String)

     * loadDataWithBaseURL()} with a valid HTTP or HTTPS base URL to set the

     * origin.

     *

     * @param data a String of data in the given encoding

     * @param mimeType the MIME type of the data, e.g. 'text/html'.

     * <p>

     * Note that the baseUrl is sent in the 'Referer' HTTP header when

     * requesting subresources (images, etc.) of the page loaded using this method.

     * <p>

     * If a valid HTTP or HTTPS base URL is not specified in {@code baseUrl}, then

     * content loaded using this method will have a {@code window.origin} value

     * of {@code "null"}. This must not be considered to be a trusted origin

     * by the application or by any JavaScript code running inside the WebView

     * (for example, event sources in DOM event handlers or web messages),

     * because malicious content can also create frames with a null origin. If

     * you need to identify the main frame's origin in a trustworthy way, you

     * should use a valid HTTP or HTTPS base URL to set the origin.

     *

     * @param baseUrl the URL to use as the page's base URL. If {@code null} defaults to

     *                'about:blank'.

     * <p>

     * A target origin can be set as a wildcard ("*"). However this is not recommended.

     * See the page above for security issues.

     * <p>

     * Content loaded via {@link #loadData(String,String,String)} will not have a

     * valid origin, and thus cannot be sent messages securely. If you need to send

     * messages using this function, you should use

     * {@link #loadDataWithBaseURL(String,String,String,String,String)} with a valid

     * HTTP or HTTPS {@code baseUrl} to define a valid origin that can be used for

     * messaging.

     *

     * @param message the WebMessage

     * @param targetOrigin the target origin.

     * handler.proceed(). Note that the decision may be retained for use in

     * response to future SSL errors. The default behavior is to cancel the

     * load.

     * <p>

     * Applications are advised not to prompt the user about SSL errors, as

     * the user is unlikely to be able to make an informed security decision

     * and WebView does not provide any UI for showing the details of the

     * error in a meaningful way.

     * <p>

     * Application overrides of this method may display custom error pages or

     * silently log issues, but it is strongly recommended to always call

     * handler.cancel() and never allow proceeding past errors.

     *

     * @param view The WebView that is initiating the callback.

     * @param handler An SslErrorHandler object that will handle the user's