fix(PluginManager): AllowBridgeAccess to handle scheme & hostname

apache · Aug 26, 2021 · fa3ab7d · fa3ab7d
1 parent dc4e065
commit fa3ab7d
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/framework/src/org/apache/cordova/PluginManager.java b/framework/src/org/apache/cordova/PluginManager.java
@@ -41,6 +41,12 @@ Licensed to the Apache Software Foundation (ASF) under one
  */
 public class PluginManager {
     private static String TAG = "PluginManager";
+
+    // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+    private static String SCHEME_HTTPS = "https";
+    // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+    private static String DEFAULT_HOSTNAME = "localhost";
+
     private static final int SLOW_EXEC_WARNING_THRESHOLD = Debug.isDebuggerConnected() ? 60 : 16;
 
     // List of service entries
@@ -366,6 +372,24 @@ public void onNewIntent(Intent intent) {
         }
     }
 
+    /**
+     * @todo should we move this somewhere public and accessible by all plugins?
+     * For now, it is placed where it is used and kept private so we can decide later and move without causing a breaking change.
+     * An ideal location might be in the "ConfigXmlParser" at the time it generates the "launchUrl".
+     *
+     * @todo should we be restrictive on the "file://" return? e.g. "file:///android_asset/www/"
+     * Would be considered as a breaking change if we apply a more granular check.
+     */
+    private String getLaunchUrlPrefix() {
+        if (!app.getPreferences().getBoolean("AndroidInsecureFileModeEnabled", false)) {
+            String scheme = app.getPreferences().getString("scheme", SCHEME_HTTPS).toLowerCase();
+            String hostname = app.getPreferences().getString("hostname", DEFAULT_HOSTNAME);
+            return scheme + "://" + hostname + '/';
+        }
+
+        return "file://";
+    }
+
     /**
      * Called when the webview is going to request an external resource.
      *
@@ -452,7 +476,7 @@ public boolean shouldAllowBridgeAccess(String url) {
         }
 
         // Default policy:
-        return url.startsWith("file://");
+        return url.startsWith(getLaunchUrlPrefix());
     }
 
     /**