diff options
| author | 2014-08-13 16:17:49 +0000 | |
|---|---|---|
| committer | 2014-08-13 16:17:49 +0000 | |
| commit | b369ff7b389e1032b0200c2b5564e85532e05a16 (patch) | |
| tree | ca7e7ae4634e4163694b1bbc623d45eeacb8b733 | |
| parent | ceb4d418464d1b72c450c5e390b1cc7b1f92a49f (diff) | |
| parent | 84f00277b11a0324f0dd08054b119f2a61f1e646 (diff) | |
am 84f00277: am 9ada140f: am efbbb182: Merge "cherrypick from klp-docs docs: security consideration for Android <4.2 Change-Id: I5fe51641539f7ffe7abcdb0618371dd3f4b62ab5" into klp-modular-docs
* commit '84f00277b11a0324f0dd08054b119f2a61f1e646':
cherrypick from klp-docs docs: security consideration for Android <4.2 Change-Id: I5fe51641539f7ffe7abcdb0618371dd3f4b62ab5
| -rw-r--r-- | core/java/android/webkit/WebView.java | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/core/java/android/webkit/WebView.java b/core/java/android/webkit/WebView.java index e07a6e3d9081..1b0cb3d8caac 100644 --- a/core/java/android/webkit/WebView.java +++ b/core/java/android/webkit/WebView.java @@ -1730,9 +1730,12 @@ public class WebView extends AbsoluteLayout * <ul> * <li> This method can be used to allow JavaScript to control the host * application. This is a powerful feature, but also presents a security - * risk for applications targeted to API level - * {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or below, because - * JavaScript could use reflection to access an + * risk for apps targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or earlier. + * Apps that target a version later than {@link android.os.Build.VERSION_CODES#JELLY_BEAN} + * are still vulnerable if the app runs on a device running Android earlier than 4.2. + * The most secure way to use this method is to target {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1} + * and to ensure the method is called only when running on Android 4.2 or later. + * With these older versions, JavaScript could use reflection to access an * injected object's public fields. Use of this method in a WebView * containing untrusted content could allow an attacker to manipulate the * host application in unintended ways, executing Java code with the @@ -1740,7 +1743,8 @@ public class WebView extends AbsoluteLayout * method in a WebView which could contain untrusted content.</li> * <li> JavaScript interacts with Java object on a private, background * thread of this WebView. Care is therefore required to maintain thread - * safety.</li> + * safety. + * </li> * <li> The Java object's fields are not accessible.</li> * <li> For applications targeted to API level {@link android.os.Build.VERSION_CODES#L} * and above, methods of injected Java objects are enumerable from |