javascript - Can iframes inside my website can access the webview-js bridge object? -


for android app using webview render website , have created javscriptinterface object communicate app , website. want allow other users put iframe inside website, thinking whether these iframes can access js interface object ?

if possible how fix security issue ?

yes - javascript in webview has access same javascript interface, regardless of server comes from, because it's executed locally.

you can test running 2 python simplehttpserver instances on different ports on local network: considered different hosts (an xmlhttprequest example result in cross-origin request error), can still call methods javascript iframe coming different host.

so far have not been able find way circumvent this. android docs recommend "exposing addjavascriptinterface() javascript contained within application apk", no mention of how achieve this.

as java object passed on javascript, , of javascript executed within context of webview, guess android implementation of webview / webviewprovider provide such method, marshmallow's addjavascriptinterface() empty far java framework concerned (see webview.java , webviewprovider.java). didn't use be, maybe that's when security doc from.


Comments

Popular posts from this blog

python - Healpy: From Data to Healpix map -

c - Bitwise operation with (signed) enum value -

xslt - Unnest parent nodes by child node -