-
Notifications
You must be signed in to change notification settings - Fork 24.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
iOS only: Breaking Change: Restrict WebView to only http(s) URLs
Summary: To prevent people from linking file:// or other URLs inside RN WebViews, default <WebView> to not allowing those types of URLs. This adds the originWhitelist to specify other schemes or domains to be allowed. If the url is not allowed, it will be opened in Safari/by the OS instead. Reviewed By: yungsters Differential Revision: D7833203 fbshipit-source-id: 6881acd3b434d17910240e4edd585c0a10b5df8c
- Loading branch information
1 parent
cd48a61
commit 634e7e1
Showing
5 changed files
with
94 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
/** | ||
* Copyright (c) 2015-present, Facebook, Inc. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
* | ||
* @flow | ||
*/ | ||
'use strict'; | ||
|
||
const escapeStringRegexp = require('escape-string-regexp'); | ||
|
||
const WebViewShared = { | ||
defaultOriginWhitelist: ['http://*', 'https://*'], | ||
extractOrigin: (url: string): ?string => { | ||
const result = /^[A-Za-z0-9]+:(\/\/)?[^/]*/.exec(url); | ||
return result === null ? null : result[0]; | ||
}, | ||
originWhitelistToRegex: (originWhitelist: string): string => { | ||
return escapeStringRegexp(originWhitelist).replace(/\\\*/g, '.*'); | ||
}, | ||
}; | ||
|
||
module.exports = WebViewShared; |
41 changes: 41 additions & 0 deletions
41
Libraries/Components/WebView/__tests__/WebViewShared-test.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
/** | ||
* Copyright (c) 2013-present, Facebook, Inc. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
* | ||
* @emails oncall+react_native | ||
*/ | ||
|
||
'use strict'; | ||
|
||
const WebViewShared = require('WebViewShared'); | ||
|
||
describe('WebViewShared', () => { | ||
it('extracts the origin correctly', () => { | ||
expect(WebViewShared.extractOrigin('http://facebook.com')).toBe('http://facebook.com'); | ||
expect(WebViewShared.extractOrigin('https://facebook.com')).toBe('https://facebook.com'); | ||
expect(WebViewShared.extractOrigin('http://facebook.com:8081')).toBe('http://facebook.com:8081'); | ||
expect(WebViewShared.extractOrigin('ftp://facebook.com')).toBe('ftp://facebook.com'); | ||
expect(WebViewShared.extractOrigin('myweirdscheme://')).toBe('myweirdscheme://'); | ||
expect(WebViewShared.extractOrigin('http://facebook.com/')).toBe('http://facebook.com'); | ||
expect(WebViewShared.extractOrigin('http://facebook.com/longerurl')).toBe('http://facebook.com'); | ||
expect(WebViewShared.extractOrigin('http://facebook.com/http://facebook.com')).toBe('http://facebook.com'); | ||
expect(WebViewShared.extractOrigin('http://facebook.com//http://facebook.com')).toBe('http://facebook.com'); | ||
expect(WebViewShared.extractOrigin('http://facebook.com//http://facebook.com//')).toBe('http://facebook.com'); | ||
expect(WebViewShared.extractOrigin('about:blank')).toBe('about:blank'); | ||
}); | ||
|
||
it('rejects bad urls', () => { | ||
expect(WebViewShared.extractOrigin('a/b')).toBeNull(); | ||
expect(WebViewShared.extractOrigin('a//b')).toBeNull(); | ||
}); | ||
|
||
it('creates a whitelist regex correctly', () => { | ||
expect(WebViewShared.originWhitelistToRegex('http://*')).toBe('http://.*'); | ||
expect(WebViewShared.originWhitelistToRegex('*')).toBe('.*'); | ||
expect(WebViewShared.originWhitelistToRegex('*//test')).toBe('.*//test'); | ||
expect(WebViewShared.originWhitelistToRegex('*/*')).toBe('.*/.*'); | ||
expect(WebViewShared.originWhitelistToRegex('*.com')).toBe('.*\\.com'); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
634e7e1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, what's the policy behind this limitations? What's offered in exchange? This change intend to force users to download assets used by webview at component initiation - what about larger files that can be downloaded in advance or even shipped with application? Can you ellaborate?