From e5215b4853fa1d89be697fbbe22517d3279ae4de Mon Sep 17 00:00:00 2001 From: Bernardo Rufino Date: Mon, 11 Jan 2021 16:16:08 +0000 Subject: Document go/untrusted-touches The only public API (that I know!) that let touches pass-through is FLAG_NOT_TOUCHABLE, so I've put the rules that relate to app-developers there. Please let me know if there are any other public APIs that makes a window let touches pass-through. The other one I know of is ViewTreeObserver.addOnComputeInternalInsetsListener() that let's you specify the touchableRegion, but that's not public. (The feature works regardless of the API used to make the window pass-through) The docs are a shorter version of the "Rules" section of go/untrusted-touches. Bug: 158002302 Fix: 173022596 Test: Build Change-Id: Ic7ba68f03587112db2cc93128ac41cb09d443127 --- core/java/android/view/WindowManager.java | 49 ++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) (limited to 'core/java/android/view/WindowManager.java') diff --git a/core/java/android/view/WindowManager.java b/core/java/android/view/WindowManager.java index 482f2f07499d..7f639fff20e6 100644 --- a/core/java/android/view/WindowManager.java +++ b/core/java/android/view/WindowManager.java @@ -1518,7 +1518,54 @@ public interface WindowManager extends ViewManager { * can use {@link #FLAG_ALT_FOCUSABLE_IM} to modify this behavior. */ public static final int FLAG_NOT_FOCUSABLE = 0x00000008; - /** Window flag: this window can never receive touch events. */ + /** + * Window flag: this window can never receive touch events. + * + *

The intention of this flag is to leave the touch to be handled by some window below + * this window (in Z order). + * + *

Starting from Android {@link Build.VERSION_CODES#S}, for security reasons, touch + * events that pass through windows containing this flag (ie. are within the bounds of the + * window) will only be delivered to the touch-consuming window if one (or more) of the + * items below are true: + *

    + *
  1. Same UID: This window belongs to the same UID that owns the touch-consuming + * window. + *
  2. Trusted windows: This window is trusted. Trusted windows include (but are + * not limited to) accessibility windows ({@link #TYPE_ACCESSIBILITY_OVERLAY}), the IME + * ({@link #TYPE_INPUT_METHOD}) and assistant windows (TYPE_VOICE_INTERACTION). Windows of + * type {@link #TYPE_APPLICATION_OVERLAY} are not trusted, see below. + *
  3. Invisible windows: This window is {@link View#GONE} or + * {@link View#INVISIBLE}. + *
  4. Fully transparent windows: This window has {@link LayoutParams#alpha} equal + * to 0. + *
  5. One SAW window with enough transparency: This window is of type {@link + * #TYPE_APPLICATION_OVERLAY}, has {@link LayoutParams#alpha} below or equal to 0.8 + * and it's the only window of type {@link #TYPE_APPLICATION_OVERLAY} from this UID + * in the touch path. + *
  6. Multiple SAW windows with enough transparency: The multiple overlapping + * {@link #TYPE_APPLICATION_OVERLAY} windows in the + * touch path from this UID have a combined obscuring opacity below or equal to + * 0.8. See section below on how to compute this value. + *
+ *

If none of these cases hold, the touch will not be delivered and a message will be + * logged to logcat.

+ * + * + *

Combined obscuring opacity

+ * + *

The combined obscuring opacity of a set of windows is obtained by combining the + * opacity values of all windows in the set using the associative and commutative operation + * defined as: + * 

+         * opacity({A,B}) = 1 - (1 - opacity(A))*(1 - opacity(B))
+         *
+ *

where {@code opacity(X)} is the {@link LayoutParams#alpha} of window X. So, for a set + * of windows {@code {W1, .., Wn}}, the combined obscuring opacity will be: + * 

+         * opacity({W1, .., Wn}) = 1 - (1 - opacity(W1)) * ... * (1 - opacity(Wn))
+         *
+ */ public static final int FLAG_NOT_TOUCHABLE = 0x00000010; /** Window flag: even when this window is focusable (its -- cgit v1.2.3