
Commit a9e2ed7b authored by Changwan Ryu

webkit: add a note regarding FLAG_SECURE for default dialogs

Child windows do not inherit FLAG_SECURE from parent windows, and
therefore, the default dialogs for JS callbacks do not have this flag
even when the app window has it.

This CL adds a note warning about this behavior to mitigate the
potential vulnerability.

Bug: 120086187
Test: m -j offline-sdk-docs seems not broken
Change-Id: I12f12befd1f303d26ebc866f4817f5184279caeb
parent 67be1e7a
+8 −0
@@ -205,6 +205,8 @@ public class WebChromeClient {
     * <p>Note that if the {@link WebChromeClient} is set to be {@code null},
     * or if {@link WebChromeClient} is not set at all, the default dialog will
     * be suppressed and Javascript execution will continue immediately.
     * <p>Note that the default dialog does not inherit the {@link
     * android.view.Display#FLAG_SECURE} flag from the parent window.
     *
     * @param view The WebView that initiated the callback.
     * @param url The url of the page requesting the dialog.
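Review bot: the link target in the added note, {@link android.view.Display#FLAG_SECURE}, looks like the wrong constant. The commit message describes a flag that child windows do not inherit from the app window, which is the window flag android.view.WindowManager.LayoutParams#FLAG_SECURE; Display#FLAG_SECURE is a property of a display, not something an app sets on its window. Suggest pointing the link at WindowManager.LayoutParams#FLAG_SECURE here and in the three identical notes that follow, so readers land on the flag they actually set.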
@@ -240,6 +242,8 @@ public class WebChromeClient {
     * or if {@link WebChromeClient} is not set at all, the default dialog will
     * be suppressed and the default value of {@code false} will be returned to
     * the JavaScript code immediately.
     * <p>Note that the default dialog does not inherit the {@link
     * android.view.Display#FLAG_SECURE} flag from the parent window.
     *
     * @param view The WebView that initiated the callback.
     * @param url The url of the page requesting the dialog.
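Review bot: the added note after "the JavaScript code immediately." states that the default dialog lacks the flag but gives the reader no action to take. Suggest one more sentence telling apps that depend on FLAG_SECURE to handle this callback themselves and show their own dialog with the flag set on that dialog's window, rather than falling through to the default dialog.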
@@ -274,6 +278,8 @@ public class WebChromeClient {
     * or if {@link WebChromeClient} is not set at all, the default dialog will
     * be suppressed and {@code null} will be returned to the JavaScript code
     * immediately.
     * <p>Note that the default dialog does not inherit the {@link
     * android.view.Display#FLAG_SECURE} flag from the parent window.
     *
     * @param view The WebView that initiated the callback.
     * @param url The url of the page requesting the dialog.
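Review bot: the added note in this hunk does not say why the missing flag matters, so a reader who has not seen the commit message will not recognise it as a security caveat. Suggest stating the consequence directly: whatever the default dialog displays can appear in screenshots or on non-secure displays even though the app window itself is marked secure.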
@@ -308,6 +314,8 @@ public class WebChromeClient {
     * <p>Note that if the {@link WebChromeClient} is set to be {@code null},
     * or if {@link WebChromeClient} is not set at all, the default dialog will
     * be suppressed and the navigation will be resumed immediately.
     * <p>Note that the default dialog does not inherit the {@link
     * android.view.Display#FLAG_SECURE} flag from the parent window.
     *
     * @param view The WebView that initiated the callback.
     * @param url The url of the page requesting the dialog.
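Review bot: style point on the added lines: the same two-line note now appears verbatim in four Javadoc blocks, and each copy splits the tag across a line break ("{@link" on one line, "android.view.Display#FLAG_SECURE}" on the next). Suggest keeping the whole {@link ...} on a single line so the reference is greppable, and consider stating the caveat once in the class-level Javadoc with a short pointer from each callback, so future wording fixes do not have to be made in four places.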