From fa3ab7d7aa9e769e9a3b3ce4b02db8d590c738b0 Mon Sep 17 00:00:00 2001
From: Erisu
Date: Thu, 26 Aug 2021 17:47:27 +0900
Subject: [PATCH 1/3] fix(PluginManager): AllowBridgeAccess to handle scheme & hostname
---
 .../src/org/apache/cordova/PluginManager.java | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/framework/src/org/apache/cordova/PluginManager.java b/framework/src/org/apache/cordova/PluginManager.java
index 3728879c9b..4df978f95c 100755
--- a/framework/src/org/apache/cordova/PluginManager.java
+++ b/framework/src/org/apache/cordova/PluginManager.java
@@ -41,6 +41,12 @@ Licensed to the Apache Software Foundation (ASF) under one
 */
 public class PluginManager {
 private static String TAG = "PluginManager";
+
+ // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+ private static String SCHEME_HTTPS = "https";
+ // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+ private static String DEFAULT_HOSTNAME = "localhost";
+
 private static final int SLOW_EXEC_WARNING_THRESHOLD = Debug.isDebuggerConnected() ? 60 : 16;
 // List of service entries
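Review bot: `SCHEME_HTTPS` and `DEFAULT_HOSTNAME` are added as `private static String` without `final`, so the fallback values that feed the bridge-access prefix later in this patch are ordinary mutable statics rather than constants. Declare them as `private static final String SCHEME_HTTPS = "https";` and `private static final String DEFAULT_HOSTNAME = "localhost";`. The same non-final pair is added to AllowListPlugin in patch 2/3 and removed again in 3/3. The `@todo` about centralizing is worth resolving soon: if this copy and the one in ConfigXmlParser ever drift, the policy prefix would stop matching the URL the app is actually launched from.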
@@ -366,6 +372,24 @@ public void onNewIntent(Intent intent) {
 }
 }
+ /**
+ * @todo should we move this somewhere public and accessible by all plugins?
+ * For now, it is placed where it is used and kept private so we can decide later and move without causing a breaking change.
+ * An ideal location might be in the "ConfigXmlParser" at the time it generates the "launchUrl".
+ *
+ * @todo should we be restrictive on the "file://" return? e.g. "file:///android_asset/www/"
+ * Would be considered as a breaking change if we apply a more granular check.
+ */
+ private String getLaunchUrlPrefix() {
+ if (!app.getPreferences().getBoolean("AndroidInsecureFileModeEnabled", false)) {
+ String scheme = app.getPreferences().getString("scheme", SCHEME_HTTPS).toLowerCase();
+ String hostname = app.getPreferences().getString("hostname", DEFAULT_HOSTNAME);
+ return scheme + "://" + hostname + '/';
+ }
+
+ return "file://";
+ }
+
 /**
 * Called when the webview is going to request an external resource.
 *
@@ -452,7 +476,7 @@ public boolean shouldAllowBridgeAccess(String url) {
 }
 // Default policy:
- return url.startsWith("file://");
+ return url.startsWith(getLaunchUrlPrefix());
 }
 /**
From fa5b228bb9cefca36d92df3c80bb6bbc42672377 Mon Sep 17 00:00:00 2001
From: Erisu
Date: Tue, 31 Aug 2021 11:45:55 +0900
Subject: [PATCH 2/3] fix(AllowListPlugin): add scheme & hostname as allowed navigation
---
 .../org/apache/cordova/AllowListPlugin.java | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/framework/src/org/apache/cordova/AllowListPlugin.java b/framework/src/org/apache/cordova/AllowListPlugin.java
index 3333180745..f6de940827 100644
--- a/framework/src/org/apache/cordova/AllowListPlugin.java
+++ b/framework/src/org/apache/cordova/AllowListPlugin.java
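Review bot: `toLowerCase()` in `getLaunchUrlPrefix()` uses the device's default locale, so a configured scheme containing `I` lowercases differently under a Turkish locale and the prefix would then never match. Use `toLowerCase(Locale.ROOT)`, which needs a `java.util.Locale` import; the import block is outside this hunk. The hostname is not normalized at all while the `startsWith` comparison in `shouldAllowBridgeAccess` is case-sensitive, so a mixed-case `hostname` preference would presumably fail closed against a lower-cased URL; lowercasing it the same way keeps both halves consistent. The scheme is also used unvalidated, so if ConfigXmlParser checks or replaces it when building the launch URL (not visible in this patch), this method should apply the same rule. The same `toLowerCase()` call appears in the `pluginInitialize` hunk of patch 2/3.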
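Review bot: The `// Default policy:` comment above the changed return in `shouldAllowBridgeAccess` no longer tells the reader what the policy is. The behaviour also changes in a way worth stating: with `AndroidInsecureFileModeEnabled` off, `file://` pages lose bridge access and only the configured origin keeps it. Suggested comment: `// Default policy: only the app's launch origin (scheme://hostname/), or any file:// URL when AndroidInsecureFileModeEnabled is set.` The trailing `/` in the prefix is what keeps a host that merely begins with the configured hostname from matching, and that deserves a sentence in the Javadoc of `getLaunchUrlPrefix()`. The body of `shouldAllowBridgeAccess` starts outside this hunk.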
@@ -32,6 +32,11 @@ public class AllowListPlugin extends CordovaPlugin {
 public static final String PLUGIN_NAME = "CordovaAllowListPlugin";
 protected static final String LOG_TAG = "CordovaAllowListPlugin";
+ // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+ private static String SCHEME_HTTPS = "https";
+ // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
+ private static String DEFAULT_HOSTNAME = "localhost";
+
 private AllowList allowedNavigations;
 private AllowList allowedIntents;
 private AllowList allowedRequests;
@@ -69,7 +74,17 @@ public void pluginInitialize() {
 this.allowedIntents = new AllowList();
 this.allowedRequests = new AllowList();
- new CustomConfigXmlParser().parse(webView.getContext());
+ ConfigXmlParser pref = new CustomConfigXmlParser();
+ pref.parse(webView.getContext());
+
+ if (!this.preferences.getBoolean("AndroidInsecureFileModeEnabled", false)) {
+ String scheme = this.preferences.getString("scheme", SCHEME_HTTPS).toLowerCase();
+ String hostname = this.preferences.getString("hostname", DEFAULT_HOSTNAME);
+ String origin = scheme + "://" + hostname + "/*";
+
+ LOG.d(LOG_TAG, "Adding to Allowed Navigation: " + origin);
+ this.allowedNavigations.addAllowListEntry(origin, false);
+ }
 }
 }
@@ -82,11 +97,6 @@ public void handleStartTag(XmlPullParser xml) {
 if (strNode.equals("content")) {
 String startPage = xml.getAttributeValue(null, "src");
 allowedNavigations.addAllowListEntry(startPage, false);
-
- // Allow origin for WebViewAssetLoader
- if (!this.prefs.getBoolean("AndroidInsecureFileModeEnabled", false)) {
- allowedNavigations.addAllowListEntry("https://" + this.prefs.getString("hostname", "localhost"), false);
- }
 } else if (strNode.equals("allow-navigation")) {
 String origin = xml.getAttributeValue(null, "href");
 if ("*".equals(origin)) {
From ac3670587e0d542138886525c97795da0640e5d1 Mon Sep 17 00:00:00 2001
From: Erisu
Date: Tue, 31 Aug 2021 12:16:36 +0900
Subject: [PATCH 3/3] chore(AllowListPlugin): remove scheme+hostname allow navigation. use default policy from PluginManager
---
 .../src/org/apache/cordova/AllowListPlugin.java | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/framework/src/org/apache/cordova/AllowListPlugin.java b/framework/src/org/apache/cordova/AllowListPlugin.java
index f6de940827..328a9b83f1 100644
--- a/framework/src/org/apache/cordova/AllowListPlugin.java
+++ b/framework/src/org/apache/cordova/AllowListPlugin.java
@@ -32,11 +32,6 @@ public class AllowListPlugin extends CordovaPlugin {
 public static final String PLUGIN_NAME = "CordovaAllowListPlugin";
 protected static final String LOG_TAG = "CordovaAllowListPlugin";
- // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
- private static String SCHEME_HTTPS = "https";
- // @todo same as ConfigXmlParser. Research centralizing ideas, maybe create CordovaConstants
- private static String DEFAULT_HOSTNAME = "localhost";
-
 private AllowList allowedNavigations;
 private AllowList allowedIntents;
 private AllowList allowedRequests;
@@ -74,17 +69,7 @@ public void pluginInitialize() {
 this.allowedIntents = new AllowList();
 this.allowedRequests = new AllowList();
- ConfigXmlParser pref = new CustomConfigXmlParser();
- pref.parse(webView.getContext());
-
- if (!this.preferences.getBoolean("AndroidInsecureFileModeEnabled", false)) {
- String scheme = this.preferences.getString("scheme", SCHEME_HTTPS).toLowerCase();
- String hostname = this.preferences.getString("hostname", DEFAULT_HOSTNAME);
- String origin = scheme + "://" + hostname + "/*";
-
- LOG.d(LOG_TAG, "Adding to Allowed Navigation: " + origin);
- this.allowedNavigations.addAllowListEntry(origin, false);
- }
+ new CustomConfigXmlParser().parse(webView.getContext());
 }
 }
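Review bot: After the `pluginInitialize` hunk of this revert, AllowListPlugin no longer adds the app origin to `allowedNavigations` at all, because patch 2/3 already deleted the `"https://"` + hostname entry from `handleStartTag` and this hunk removes its replacement. The commit message relies on PluginManager's default policy, but the only default changed in this series as shown is the one in `shouldAllowBridgeAccess`; the navigation default is not part of any hunk here. Please confirm that `shouldAllowNavigation` also accepts `getLaunchUrlPrefix()`, and add a test that loads the start page with a custom `scheme`/`hostname` and no `<allow-navigation>` entries. `pluginInitialize` begins outside the hunk.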