author Shimi Zhang <ctzsm@google.com> 2019-08-26 11:01:12 -0700
committer Shimi Zhang <ctzsm@google.com> 2019-08-26 13:36:00 -0700
commit 04a454f6a746fccb7181426637e7cf0c73d665ce
tree f8a5b40fad76e014ca01405a39c72651a08e943c /core/java/android/webkit/WebView.java
parent 0141ef09483f1bb92b028f821b03561097442cd9
aw: Correct doc of addJavascriptInterface()

The Javadoc of addJavascriptInterface() mentioned that the injected Java object will be injected to the main frame, but this is not telling a full picture. The current implementation will inject the Java object to all the frames actually. This CL corrected the misleading wording and added a new warning to explicitly call it out as a security risk.

Bug: 113336656
Test: make ds-docs
Change-Id: Ia79381d1ab38afa963ea7365526749c14e25238c

Diffstat (limited to 'core/java/android/webkit/WebView.java')
-rw-r--r-- core/java/android/webkit/WebView.java 9
1 files changed, 7 insertions, 2 deletions
diff --git a/core/java/android/webkit/WebView.java b/core/java/android/webkit/WebView.java
index aed6c9c3ab6a..c50c08ead195 100644
--- a/core/java/android/webkit/WebView.java
+++ b/core/java/android/webkit/WebView.java
@@ -1840,8 +1840,8 @@ public class WebView extends AbsoluteLayout
/**
* Injects the supplied Java object into this WebView. The object is
- * injected into the JavaScript context of the main frame, using the
- * supplied name. This allows the Java object's methods to be
+ * injected into all frames of the web page, including all the iframes,
+ * using the supplied name. This allows the Java object's methods to be
* accessed from JavaScript. For applications targeted to API
* level {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1}
* and above, only public methods that are annotated with
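Review bot: In the rewritten first sentence, "all frames of the web page, including all the iframes" is redundant, and it does not say whether frames from other origins are included, which is the case the warning added later in this patch is about. Consider "injected into every frame of the page, including iframes of any origin, using the supplied name", so that a reader who stops at the summary sentence still learns that embedded third-party content receives the object.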
@@ -1880,6 +1880,11 @@ public class WebView extends AbsoluteLayout
* thread of this WebView. Care is therefore required to maintain thread
* safety.
* </li>
+ * <li> Because the object is exposed to all the frames, any frame could
+ * obtain the object name and call methods on it. There is no way to tell the
+ * calling frame's origin from the app side, so the app must not assume that
+ * the caller is trustworthy unless the app can guarantee that no third party
+ * content is ever loaded into the WebView even inside an iframe.</li>
* <li> The Java object's fields are not accessible.</li>
* <li> For applications targeted to API level {@link android.os.Build.VERSION_CODES#LOLLIPOP}
* and above, methods of injected Java objects are enumerable from
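Review bot: The new <li> states the risk but gives the app author nothing to act on, and "any frame could obtain the object name" is imprecise, because the object is injected under the name the app supplied and a frame only needs to know that name. Suggest wording such as "any frame can call methods on the object through its name", followed by a sentence on what to do about it, for example exposing only methods that are safe to call from untrusted content. Also, "third party content" should be hyphenated as "third-party content", and a comma before "even inside an iframe" would make the closing clause easier to read.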