Merge pull request #9 from apache/master

fix: add WebViewAssetloader to default allow list (apache#1275)
sakibguy · Jul 15, 2021 · 6e055e0 · 6e055e0
2 parents 119cfdc + 9d3d8d0
commit 6e055e0
Show file tree

Hide file tree

Showing 4 changed files with 371 additions and 366 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [10.x, 12.x, 14.x, 16.x]
+        node-version: [12.x, 14.x, 16.x]
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:

diff --git a/framework/src/org/apache/cordova/AllowListPlugin.java b/framework/src/org/apache/cordova/AllowListPlugin.java
@@ -23,6 +23,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import org.apache.cordova.ConfigXmlParser;
 import org.apache.cordova.LOG;
 import org.apache.cordova.AllowList;
+import org.apache.cordova.CordovaPreferences;
 import org.xmlpull.v1.XmlPullParser;
 
 import android.content.Context;
@@ -73,12 +74,19 @@ public void pluginInitialize() {
     }
 
     private class CustomConfigXmlParser extends ConfigXmlParser {
+        private CordovaPreferences prefs = new CordovaPreferences();
+
         @Override
         public void handleStartTag(XmlPullParser xml) {
             String strNode = xml.getName();
             if (strNode.equals("content")) {
                 String startPage = xml.getAttributeValue(null, "src");
                 allowedNavigations.addAllowListEntry(startPage, false);
+
+                // Allow origin for WebViewAssetLoader
+                if (!this.prefs.getBoolean("AndroidInsecureFileModeEnabled", false)) {
+                    allowedNavigations.addAllowListEntry("https://" + this.prefs.getString("hostname", "localhost"), false);
+                }
             } else if (strNode.equals("allow-navigation")) {
                 String origin = xml.getAttributeValue(null, "href");
                 if ("*".equals(origin)) {