From 486262b1423a635a1c1696dcbb885db56a57486b Mon Sep 17 00:00:00 2001 From: Maciej Miszczyk Date: Tue, 14 Jan 2020 10:25:30 +0100 Subject: [PATCH 1/3] Add the possibility to disallow subdomains --- .../java/im/delight/android/webview/AdvancedWebView.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java b/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java index b5a9353..e456dd1 100644 --- a/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java +++ b/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java @@ -1106,8 +1106,12 @@ protected static String makeUrlUnique(final String url) { return unique.toString(); } - + public boolean isPermittedUrl(final String url) { + isPermittedUrl(url, true) + } + + public boolean isPermittedUrl(final String url, boolean allowSubdomains) { // if the permitted hostnames have not been restricted to a specific set if (mPermittedHostnames.size() == 0) { // all hostnames are allowed @@ -1142,7 +1146,7 @@ public boolean isPermittedUrl(final String url) { // for every hostname in the set of permitted hosts for (String expectedHost : mPermittedHostnames) { // if the two hostnames match or if the actual host is a subdomain of the expected host - if (actualHost.equals(expectedHost) || actualHost.endsWith("." + expectedHost)) { + if (actualHost.equals(expectedHost) || (allowSubdomains && actualHost.endsWith("." + expectedHost))) { // the actual hostname of the URL to be checked is allowed return true; } From a5be4d6cfd439539328c6b1d36fefa445833a871 Mon Sep 17 00:00:00 2001 From: Maciej Miszczyk Date: Tue, 14 Jan 2020 10:32:03 +0100 Subject: [PATCH 2/3] Add configuration option of disallowing subdomains --- .../im/delight/android/webview/AdvancedWebView.java | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
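Review bot: The new one-argument `isPermittedUrl(final String url)` overload added in the `@@ -1106,8 +1106,12 @@` hunk does not compile as written, because its body `isPermittedUrl(url, true)` lacks both `return` and the terminating semicolon; it should read `return isPermittedUrl(url, true);`. Hard-coding `true` also means every caller that keeps using the one-argument form still accepts subdomains, whatever `setAllowSubdomains(false)` was set to. [PATCH 2/3] switches only `shouldOverrideUrlLoading` to the two-argument form, so if other call sites exist outside these hunks the strict mode would silently not apply there. Once the `mAllowSubdomains` field exists, the overload is safer as `return isPermittedUrl(url, mAllowSubdomains);`. The body of the two-argument method continues outside the hunk.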
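Review bot: The context comment directly above the changed condition in the `@@ -1142,7 +1146,7 @@` hunk still says a subdomain always matches, which is no longer true when `allowSubdomains` is false. It could read `// if the two hostnames match, or subdomains are allowed and the actual host is a subdomain of the expected host`. Because this comparison now serves as a strict allow-list check, it is also worth confirming that `actualHost` and the entries of `mPermittedHostnames` are normalised the same way (letter case, trailing dot) before `equals` is applied. The derivation of `actualHost` lies outside the hunk, so that cannot be verified from here; the enclosing loop and method also start and end outside the hunk.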
diff --git a/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java b/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java index b5a9353..bfc8977 100644 --- a/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java +++ b/Source/library/src/main/java/im/delight/android/webview/AdvancedWebView.java @@ -80,6 +80,7 @@ public interface Listener { protected WeakReference mActivity; protected WeakReference mFragment; protected Listener mListener; + protected boolean mAllowSubdomains = true; protected final List mPermittedHostnames = new LinkedList(); /** File upload callback for platform versions prior to Android 5.0 */ protected ValueCallback mFileUploadCallbackFirst; @@ -340,6 +341,14 @@ public void addHttpHeader(final String name, final String value) { public void removeHttpHeader(final String name) { mHttpHeaders.remove(name); } + + public void setAllowSubdomains(boolean b){ + mAllowSubdomains = b; + } + + public boolean getAllowSubdomains(){ + return mAllowSubdomains; + } public void addPermittedHostname(String hostname) { mPermittedHostnames.add(hostname); @@ -503,7 +512,7 @@ public void onReceivedError(WebView view, int errorCode, String description, Str @Override public boolean shouldOverrideUrlLoading(final WebView view, final String url) { - if (!isPermittedUrl(url)) { + if (!isPermittedUrl(url, mAllowSubdomains)) { // if a listener is available if (mListener != null) { // inform the listener about the request From 1b339d9e4e1ab4410d262865646ef7a4464e4b9b Mon Sep 17 00:00:00 2001 From: Maciej Miszczyk Date: Tue, 14 Jan 2020 11:55:37 +0100 Subject: [PATCH 3/3] Document subdomain settings in readme --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 96ba99d..c6bf9ef 100644 --- a/README.md +++ b/README.md 
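Review bot: `setAllowSubdomains(boolean b)` and `getAllowSubdomains()` in the `@@ -340,6 +341,14 @@` hunk are public switches that change what the hostname allow-list accepts, yet they carry no Javadoc and the parameter name `b` says nothing about its meaning. I would declare the setter as `public void setAllowSubdomains(final boolean allowSubdomains)` and document it with something like `/** Sets whether subdomains of permitted hostnames are also permitted (default: true). */`. The Javadoc should say that the default keeps the permissive behaviour, so integrators who need exact-host matching must opt in explicitly. It should also state which checks consult the flag; in the visible hunks only `shouldOverrideUrlLoading` passes `mAllowSubdomains` to `isPermittedUrl`.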
@@ -394,6 +394,13 @@ If you want to serve sites or just single resources over plain `http` instead of } ``` + + * Stricter whitelist matching (allow only specified domains, without subdomains): + + ```java + mWebView.addPermittedHostname("example.org"); // will match example.org, www.example.org, example2.example.org, etc. + mWebView.setAllowSubdomains(false); // will only match example.org + ``` ## Contributing