BREAKING CHANGE:
This release introduces the `setSupportMultipleWindows` prop for Android. This sets the underlying Android WebView setting `setSupportMultipleWindows`. This prop defaults to `true` (previously `false`), and serves to mitigate the security advisory [CVE-2020-6506](https://github.com/react-native-webview/react-native-webview/security/advisories/GHSA-36j3-xxf7-4pqg).
The primary way this new behavior changes existing React Native WebView implementations on Android is that links that open in new tabs/windows (such as `<a target="_blank">`) will now prompt to open in the system browser, rather than re-using the current WebView.
If this behavior is not desirable, you can set this new prop to `false`, but be aware that this exposes your app to the security vulnerability listed above. Make sure you have read and understand the whole advisory and relevant links.
iOS & Windows are unaffected.
```jsx
<WebView
// ...
setSupportMultipleWindows={true} // default: true
/>
```
Thanks to @mrcoinbase, @kelset, and @Titozzz for their work on this.
* Update SSL error handling for Android WebView
Update SSL error handling to call onReceivedError() only on top-level navigations. This prevents iframes and other subresources from causing user-visible SSL error messages. The desired behavior is only to have top-level navigations show user-visible error messages. All other requests should be cancelled automatically with no user-visible error message.
* Update RNCWebViewManager.java
Clarify comments and add warning on blocked subresource
Co-authored-by: Thibault Malbranche <thibault.malbranche@epitech.eu>
This solves a class of issues when the WebView loses "context"
that a subsequent page load is the same as what was attempted
to be loaded previously. This solves a bug where a HTTP redirect
in combination with history manipulations causes a user to be
stuck and prevented from going back. Since WebView requests are
allowed to happen normally, debugging the WebView and tracking
redirects and page load initiators is more accurate and easier.
This will also bypass bridge latency and provide a faster navigation.
To do this, we must lock in the shouldOverrideUrlLoading callback
and send an event to JS. Currently, this callback is ran on
the main UI thread, of which we have no control over. This is
problematic as using the bridge in most ways seems to require
the main UI thread, which will cause a deadlock. However, using
BatchedBridge for Java->JS and a synchronous method for JS->Java
doesn't cause any problems. Additionally, it's been designed so
that if WebView suddenly runs the callback on a different thread
allowing for concurrency, it will continue to work.
* Add isTopFrame to shouldStartLoadForRequest on iOS
onLoadingStart is not raised for inner frames, but onShouldStartLoadWithRequest still is. This keeps that behavior but adds isTopFrame to onShouldStartLoadWithRequest so that apps can perform their own filtering if desired.
* Update docs
Co-authored-by: Jamon Holmgren <jamonholmgren@gmail.com>
Co-authored-by: Jason Kelly <jason.kelly@isobar.com>
Co-authored-by: Jamon Holmgren <jamonholmgren@gmail.com>
Co-authored-by: Jason Safaiyeh <safaiyeh@protonmail.com>
BREAKING CHANGE:
The Android Gradle plugin is only required when opening the project stand-alone, not when it is included as a dependency. By doing this, the project opens correctly in Android Studio, and it can also be consumed as a native module dependency from an application project without affecting the app project (avoiding unnecessary downloads/conflicts/etc).
Also moved getExtOrDefault to buildScript block to able to use everywhere in the file
This change shouldn't break any apps, but we are marking it as a breaking change in case there are some use cases we've missed.
[skip ci]
There is a bug in the WebView that causes a spurious call to onReceivedError
whenever you download a file.
This commit is a workaround for that bug. The idea here is to try and detect
these spurious errors and drop them before they cause problems.
This commit should be reverted once those chromium bugs are fixed.
* Ensure each mounted WebView binds their personal onMessage handler
* Changed unique ref generation to uuid
Uses `uuid` npm package.
Dashes are removed from the ref for sanity.
* Don't show camera options for a file upload that would result in nothing happening for the user.
On Android, if the application declares the camera permission, then even intents
that use the camera require permission to be granted. This is a problem for apps
that combine an in-app camera with a WebView that has file uploading and the user
has not given permission for the camera.
Note, this will not request permission for camera. This will simply prevent
showing the camera options that would be a no-op action for users. It does this
by checking if the camera permission is declared, and if so, checks that the
user has granted permission.
More information: https://blog.egorand.me/taking-photos-not-so-simply-how-i-got-bitten-by-action_image_capture/
* Add example and documentation about camera option availability in file uploads for Android.
* Filter out extra onLoadProgress calls; add url to onLoadProgress
* remove note about onLoadProgress not having the url property in docs
* Update Reference.md
Each time building our app, this library causes a message like this
one to be printed, sometimes twice:
> Configure project :react-native-webview
:react-native-webview:reactNativeAndroidRoot /home/greg/z/mobile/node_modules/react-native/android
Worse, the message comes through even if I silence all normal
progress messages and warnings, with `./gradlew --quiet`.
It turns out that the `logger.quiet` method which these log lines are
using has a confusing name. It doesn't mean "log quietly", but more
like the opposite: "log even when asked to keep things quiet". See
documentation on Gradle log levels:
https://docs.gradle.org/current/userguide/logging.html
So, remove the noise by switching to `logger.info`. This avoids
bothering the user by default, and keeps the information readily
available if desired by passing `--info` to Gradle.
Sampo Juustila
Mrinal Maheshwari
Gaurav Gupta
crasyboy42
Cristiano Coelho
Christian Nilsson
Lorenzo Sciandra
Harsh Chokshi
Alesandro Ortiz
Daniel Vicory
oliviacaraiman
Caleb Clarke
Jason Kelly
Rinku Kumari
Salvatore Randazzo
Jacob Müller
michael hancock
Jason Chia-Hsien Ho
Karthik Subramaniam
trcoffman
Thibault Malbranche
Benjamin Rau
SaeedZhiany
trcoffman
ivari
Dulmandakh
hanlh1
Conner Owen
Vladimir
Andrei Pfeiffer
Nikhil Chitlur Navakiran
Stanislav Shakirov
thanakij
Tom Targosz
Borut Balazek
Andres Castano
Tyler Alves
masako-yamada
Greg Price
tekmin