fix(android): Update SSL error handling (#1466)

* Update SSL error handling for Android WebView

Update SSL error handling to call onReceivedError() only on top-level navigations. This prevents iframes and other subresources from causing user-visible SSL error messages. The desired behavior is only to have top-level navigations show user-visible error messages. All other requests should be cancelled automatically with no user-visible error message.

* Update RNCWebViewManager.java

Clarify comments and add warning on blocked subresource

Co-authored-by: Thibault Malbranche <thibault.malbranche@epitech.eu>
This commit is contained in:
Alesandro Ortiz 2020-10-22 03:35:31 -04:00 committed by GitHub
parent 1bc38da53f
commit ef48d35e95
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 1 deletions

View File

@ -868,10 +868,25 @@ public class RNCWebViewManager extends SimpleViewManager<WebView> {
@Override @Override
public void onReceivedSslError(final WebView webView, final SslErrorHandler handler, final SslError error) { public void onReceivedSslError(final WebView webView, final SslErrorHandler handler, final SslError error) {
// onReceivedSslError is called for most requests, per Android docs: https://developer.android.com/reference/android/webkit/WebViewClient#onReceivedSslError(android.webkit.WebView,%2520android.webkit.SslErrorHandler,%2520android.net.http.SslError)
// WebView.getUrl() will return the top-level window URL.
// If a top-level navigation triggers this error handler, the top-level URL will be the failing URL (not the URL of the currently-rendered page).
// This is desired behavior. We later use these values to determine whether the request is a top-level navigation or a subresource request.
String topWindowUrl = webView.getUrl();
String failingUrl = error.getUrl();
// Cancel request after obtaining top-level URL.
// If request is cancelled before obtaining top-level URL, undesired behavior may occur.
// Undesired behavior: Return value of WebView.getUrl() may be the current URL instead of the failing URL.
handler.cancel(); handler.cancel();
if (!topWindowUrl.equalsIgnoreCase(failingUrl)) {
// If error is not due to top-level navigation, then do not call onReceivedError()
Log.w("RNCWebViewManager", "Resource blocked from loading due to SSL error. Blocked URL: "+failingUrl);
return;
}
int code = error.getPrimaryError(); int code = error.getPrimaryError();
String failingUrl = error.getUrl();
String description = ""; String description = "";
String descriptionPrefix = "SSL error: "; String descriptionPrefix = "SSL error: ";