[webview_flutter] [url_launcher] Handle Multiwindows in WebViews

[bparrishMines]

Related Issues

Internal bug: b/159892679

Checklist

Before you create this PR confirm that it meets all requirements listed below by checking the relevant checkboxes ([x]). This will ensure a smooth and quick review process.

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
• My PR includes unit or integration tests for all changed/updated/fixed behaviors (See Contributor Guide).
• All existing and new tests are passing.
• I updated/added relevant documentation (doc comments with ///).
• The analyzer (flutter analyze) does not report any problems on my PR.
• I read and followed the Flutter Style Guide.
• The title of the PR starts with the name of the plugin surrounded by square brackets, e.g. [shared_preferences]
• I updated pubspec.yaml with an appropriate new version according to the pub versioning philosophy.
• I updated CHANGELOG.md to add a description of the change.
• I signed the CLA.
• I am willing to follow-up on review comments in a timely manner.

Breaking Change

Does your PR require plugin users to manually update their apps to accommodate your change?

• Yes, this is a breaking change (please indicate a breaking change in CHANGELOG.md and increment major revision).
• No, this is not a breaking change.

[amirh]

Not sure I understand this part, it seems like we're creating a new WebViewClient type and delegate some of the calls to the existing flutterWebViewClient, do we not want all functionality implemented by FlutterWebViewClient to work for the new WebView as well? (e.g should we not just use FlutterWebViewClient as the client for the new webview?)

[bparrishMines]

I assumed that we only wanted the new WebView to filter out non https/http calls and load any secure url. I'm not sure what else we would need it to do? Im assuming you're talking about returning WebResourceErrors and onPageStarted/onPageFinished callbacks. Won't our FlutterWebViewClient receive these after we call loadUrl?

[amirh]

Not sure I follow the logic here, can you comment on why we only delegate calls for http and https URLs?

[blasten]

this can be addressed by resolving https://github.com/flutter/plugins/pull/2991/files#r483177693

[amirh]

I was a little confused by the name isSecure, my initial guess when looking on the call site would have been "is it https"? though I'm not sure even why we're checking on this condition here.

[blasten]

what API needs this particular version?

[bparrishMines]

This method should only be called in Android API 24+: https://developer.android.com/reference/android/webkit/WebViewClient#shouldOverrideKeyEvent(android.webkit.WebView,%20android.view.KeyEvent)

However, WebResourceRequest.getUrl() is only available in Android API 21: https://developer.android.com/reference/android/webkit/WebViewClient#shouldOverrideKeyEvent(android.webkit.WebView,%20android.view.KeyEvent)

[blasten]

understood

[blasten]

I would suggest we rename this as: isJavaScriptScheme(String url) and check for url.startsWith("javascript:"). Link to https://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-03 would be useful too.

[bparrishMines]

I would only do this after we get an ok from the internal team. This method is currently just following their suggestion.

[amirh]

Does invoking shouldOVerrideUrlLoading has a side effect of loading the URL? It seems like our implementation of shouldOVerrideUrlLoading introduces such a side effect on older webview versions only if a navigation delegate is set. Does this work when no navigation delegate is set?

[bparrishMines]

I added a test, so it does still work without a navigation delegate.

[bparrishMines]

@amirh @blasten is this ready to land?

[blasten]

this one is good, but what about a test case like the one in the internal doc?

[bparrishMines]

I'm not sure how to do a test like that. I would need to load a link that tries to open a window and test to see if javascript ran?

[blasten]

LGTM + nit about adding test case

[blasten]

this document needs to be inside the <iframe>

[blasten]

onLoad isn't defined. Actually, you might be able to remove the setTimeout and just define:

function onLoad() {
  window.open('javascript:var elem = document.createElement("p");elem.innerHTML = "<b>Executed JS in parent origin: "+window.location.origin+"</b>"; document.body.append(elem);alert("XSS in doc.domain: "+document.domain+", win.origin: "+window.location.origin)');
}

[blasten]

This might be racy.

How do we know that the code inside the iframe has run at this point? One solution is to add a onLoad handler to iframe and set some global state once the event has fired. e.g. window.iframeLoaded = true. Then, at this point check that window.iframeLoaded is true and document.querySelector("p") && document.querySelector("p").textContent is empty.

[blasten]

I was thinking something like this:

expect(controller.evaluateJavascript('iframeLoaded'), completion('true'));

expect(controller.evaluateJavascript('document.querySelector("p") && document.querySelector("p").textContent'), isEmpty);

[bparrishMines]

Actually, when iframeLoaded was false, it returned 'false', but I understand what you mean. done

[blasten]

uber nit: resize test -> XSS test

[blasten]

LGTM! Thanks for the test.