The title says it all. I would like to know about everything what the WebView is asking for. Some weird limitations like not knowing about XHR POST are not acceptable. In other words, something like iOS have in NSURLProtocol. That one is application-wide hook. I don't need such level of control, WebView-instance-specific hook would be good enough. Now, i know that nothing like that exists on Android out of the box. I know about shouldOverrideUrlLoading and shouldInterceptRequest, but it's largely unusable. I need to know about requests (method, HTTP version, headers, you know) not just merely the URL strings. Moreover the intercepting is awkwardly synchronous. What happens if shouldInterceptRequest call is blocked because i need to ask a different server for related resource? It appears to me being designed just for a local resource caching.
On the other hand, i am willing to throw anything at the problem. Some kind of native library, hooking into low level internals? Extending Chromium interfaces with help of an existing project (pwnall, mogoweb)? Reflecting into the existing webkit class privates? Application-specific proxy? Any insights appreciated. I have read through two dozens of existing SO questions. They all either suggest a partial hack (like working around XHR POST deficiency with JavaScript) or it goes unresponded altogether, very often.
Try with inspeckage:
https://github.com/ac-pm/Inspeckage
It needs Xposed and root access to work. I've been able to see WebView requests from apps. Im figuring out how to recreate them with Python's requests module.
Hope that helps.
If I understand your goal - try:
WebView.setWebContentsDebuggingEnabled(true);
Open Chrome and go to url chrome://inspect/#devices
for details:
https://developers.google.com/web/tools/chrome-devtools/remote-debugging
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/webviews
Related
As https://support.google.com/faqs/answer/9084685 mentioned, "WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious apps into executing JavaScript code in an unsafe context. "
Does this mean that setJavaScriptEnabled(false) can fix the Cross App Scripting Vulnerability problem?
well, cross scripting won't work when you disable scripting (js) at all... look at points in Option 2 under link: all are related to JS and somehow limiting its usage. when you disable JS at all then there is nothing to limiting - scripting just doesn't work (also malicious)
note that there is a pleny of methods for breaking your app, with WebView there is potentially twice much...
The problem does not get solved by disabling javascript. Eg what happens if you insert html? might deface your app or site.
The best thing to do is validate ALL data as malicious until validated otherwise...
I am not a mobile dev really but I am sure you can add some way of authenticating the sources you deal with... Javascript Web Tokens are one way to handle this type of authentication. Perhaps someone with more android dev experience can correct me?
I have a service worker going fine in Chrome desktop and Chrome mobile, and I can tell exactly what is happening via the amazing DevTools in Chrome desktop (monitoring Chrome mobile remotely via USB). My service worker is based very closely on this example. The page reloads fine without a network connection, and from the Network tab of DevTools I can confirm that resources are being cached and served by the service worker as expected.
But I am also loading the same page in a WebView and I'm struggling to determine whether the service worker is actually registering properly and operating as it should. I can't see a way of debugging this in the same way as you can with DevTools in Chrome desktop/mobile.
What is certain is that the page doesn't reload without a connection when it is in the WebView, so some resources aren't being cached. This is despite the fact that service workers seem to be supported in WebView.
Looking around the place for possible steps or settings I might be missing to get it working as it does in Chrome, I came across ServiceWorkerController and ServiceWorkerWebSettings, but cannot find any documentation or examples for these (other than the basic docs linked). A search on StackOverflow for these terms gives zero results.
Is there a working example somewhere of a WebView that loads a page with attached service workers? Any idea how to use the above two classes... are they actually necessary?
This is only a partial answer, but hope it helps some anyways:
From what I can tell, the ServiceWorkerController is the Java implementation of ServiceWorker for WebView, which is separate from the Javascript implementation. The two do not seem to be tied together in any way.
The Java implementation is a singleton which persists and affects all WebViews in an application, and its only method is to intercept requests via shouldInterceptRequest. It is very similar to WebViewClient, the latter of which has more functionality and only affects the WebViews it is attached to (via setWebViewClient).
The link you posted does seem to indicate that WebViews do support the Javascript version of ServiceWorker. Did you by any chance miss enabling Javascript through WebSettings.setJavascriptEnabled? Also, ensure that you are targeting minimum SDK version 21 as ServiceWorkers are only enabled in Android 5.0 and higher. I am interested to know if you or anyone has managed to get a Javascript ServiceWorker functioning inside a WebView as well.
I thought this would be a common issue but I can't find an straight-forward answer to this problem. As soon as I included the Crosswalk WebView Engine for Android I'm getting the following Error Message:
"Only secure origins are allowed"
.... Presumably for http requests made to local and external servers (like http://localhost:3000 or https://my.own.server/) using the angular $http service.
What is THE Solution to this issue? After many hours of Googling I'm still clueless about how to solve this issue. Could you please point me in the right direction?
kind regards,
EDIT: This question is not related to permissions given in a server as it has been pointed out, it's actually related to Content Security Policy. As it can be read here, and I quote:
Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
You have to understand that the WebView in this case is Crosswalk (which is Chromium underneath) and I need it to be configured so that I can make requests to both: local servers (http://localhost:3000, etc) and external ones (https://my.own.server).
This question is more akin to this one in my opinion.
How do I configure Crosswalk for an Ionic/Cordova app?
If you own the server then the easiest way to handle this is to add response header for:
Access-Control-Allow-Origin: *
Here are some a discussion in Stackoverflow itself.
Origin is not allowed by Access-Control-Allow-Origin
Good luck.
Disclaimer. I'm asking this on someone else's behalf and given that I know as much about Android development as penguins about flight, it may be clumsy. In such case, let me know and I'll remove it or try to reformulate.
I've created a web service that's reachable at the URL on the following form.
http://server/Blopp.svc/Store/value1/value2
The back-end part I've got covered but I'm worried about the front-end development. I've got a colleague that's making the app and he's got the rudimentary GUI done. However, in order not to do a lot of convoluted coding, he's heard that there's a certain library for making such URL calls.
What's the name of it? Is there certain other aspects to take into consideration or is there an (almost) standard one that everybody uses?
Please not that the app's functionality is at the moment limited to providing the web service with data. All the logic and presentation is done on the website and not inside the app.
I've never built up an Android app, so I'm asking for understanding if this is a dumb formulation. I just want to help my co-worker and he seemed to struggle with the details.
Is there perhaps a smoother way to make the call to a web service if I substitute the patter of the URL to use query strings? Any other approach that makes it easier for an Android developer? I'm not familiar with the area but I want to make things easy for my team-mate.
There are quite a few different HTTP libraries available and it would really depend on your specific requirements which one you used (if any - you can roll your own HTTP requests using HttpURLConnection) Two of the more popular ones are:
Volley
http://developer.android.com/training/volley/index.html
Written by one of the guys on the Google Play team and part of the AOSP. Very flexible and easy to use however I would hesitate to recommend it as it relies on the now deprecated Apache Http classes in its public API.
Retrofit
http://square.github.io/retrofit/
From Square. Version 2 is currently in late stages of beta. It allows you to define your API as an interface. It has dependancies on their OkHttp library as well. Very fast and also has RxJava support baked in.
The Phonegap documentation indicates that it is possible to get the app's browser wrapper to load a custom error URL instead of showing a generic message should the application encounter an error. I find myself asking two questions here:
From what I can tell this is an Android-only feature. So is there an equivalent method for iOS? The Phonegap iOS documentation does not say anything on the subject.
Secondly, can the error URL point to a separate HTML document in the project/www folder from which the application will be built or does it have to be an external URL. My thinking is that an external URL does not in fact make much sense - what if the application error happens when the user is not on a network?
I'd be most obliged to anyone who might be able to calriify these issues.
From OP
From what I can tell this is an Android-only feature. So is there an equivalent method for iOS? The Phonegap iOS documentation does not say anything on the subject.
There appears to be no equivalent for iOS in the documentation. You can safely assume, if it is not there, it is not available.
To be clear, the underlying iOS library has no default error method. On Android, there is a method for dealing with this.
Secondly, can the error URL point to a separate HTML document in the project/www folder from which the application will be built or does it have to be an external URL. My thinking is that an external URL does not in fact make much sense - what if the application error happens when the user is not on a network?
Your assumption is correct. The "error.html" should be on the device and in the www/ directory. The file should NOT be on the network/internet. You'd be surprised how many times I see this error.