| author | Shimi Zhang <ctzsm@google.com> | 2019-08-27 19:56:22 -0700 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2019-08-27 19:56:22 -0700 |
| commit | cc7628964c69389fc4902a42c5226f82d3f5d2d9 (patch) | |
| tree | a9cd84d3cb30932f591448a59cc59f539c201fba /core/java/android/webkit/WebView.java | |
| parent | 72630a075ae5f73bc4e3401eed6a6348e957bdc8 (diff) | |
| parent | 3446691be18b688ca9fd19ce1546949ae28809e2 (diff) | |
Merge "aw: Correct doc of addJavascriptInterface()" into qt-dev am: 62c764e29b am: d081f1064d am: 0922cc17be
am: 3446691be1
Change-Id: I8d7b836d8582fd63cc5bedfa4c7961f2c6603672
Diffstat (limited to 'core/java/android/webkit/WebView.java')
| -rw-r--r-- | core/java/android/webkit/WebView.java | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/core/java/android/webkit/WebView.java b/core/java/android/webkit/WebView.java index e4b5eaa56aa6..87be30f476b2 100644 --- a/core/java/android/webkit/WebView.java +++ b/core/java/android/webkit/WebView.java @@ -1843,8 +1843,8 @@ public class WebView extends AbsoluteLayout /** * Injects the supplied Java object into this WebView. The object is - * injected into the JavaScript context of the main frame, using the - * supplied name. This allows the Java object's methods to be + * injected into all frames of the web page, including all the iframes, + * using the supplied name. This allows the Java object's methods to be * accessed from JavaScript. For applications targeted to API * level {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1} * and above, only public methods that are annotated with @@ -1883,6 +1883,11 @@ public class WebView extends AbsoluteLayout * thread of this WebView. Care is therefore required to maintain thread * safety. * </li> + * <li> Because the object is exposed to all the frames, any frame could + * obtain the object name and call methods on it. There is no way to tell the + * calling frame's origin from the app side, so the app must not assume that + * the caller is trustworthy unless the app can guarantee that no third party + * content is ever loaded into the WebView even inside an iframe.</li> * <li> The Java object's fields are not accessible.</li> * <li> For applications targeted to API level {@link android.os.Build.VERSION_CODES#LOLLIPOP} * and above, methods of injected Java objects are enumerable from |
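Review bot: In the first hunk (@@ -1843), "all frames of the web page, including all the iframes" repeats itself and still leaves out the case that matters for security, namely whether frames from a different origin than the main frame are included. The list item added in the second hunk implies they are, so this opening sentence should say so directly, for example "injected into all frames of the web page, including iframes regardless of their origin", since many readers will stop at this first paragraph and never reach the list further down.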
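Review bot: In the second hunk (@@ -1883), the new list item tells the app what it must not assume but not what to do when third party content cannot be ruled out. Consider adding a sentence that in that case the annotated methods should not return sensitive data or perform privileged actions, because they have to be treated as callable by any content loaded in any frame. Two wording points in the same item: "from the app side" would be more precise as "the invoked Java method receives no information about the calling frame", and "third party content" should be hyphenated as "third-party content".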
