author: Robert Ly <robertly@google.com> 2014-08-13 16:07:40 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2014-08-13 16:07:40 +0000
commit: 9ada140fc1a8cb6dabc0b0951249cb7a46578c37 (patch)
tree: 7ff42d5d22f452ce1564d4a4852b7ec2baf167a6 /core
parent: a5365ed9dd080529609078c0b262e775ba3b460e (diff)
parent: efbbb18241c8b74a2813b48af2aeff8f03fbe8e7 (diff)
am efbbb182: Merge "cherrypick from klp-docs docs: security consideration for Android <4.2 Change-Id: I5fe51641539f7ffe7abcdb0618371dd3f4b62ab5" into klp-modular-docs
* commit 'efbbb18241c8b74a2813b48af2aeff8f03fbe8e7': cherrypick from klp-docs docs: security consideration for Android <4.2 Change-Id: I5fe51641539f7ffe7abcdb0618371dd3f4b62ab5
Diffstat (limited to 'core')
 core/java/android/webkit/WebView.java | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/core/java/android/webkit/WebView.java b/core/java/android/webkit/WebView.java
index 93bf051..d307256 100644
--- a/core/java/android/webkit/WebView.java
+++ b/core/java/android/webkit/WebView.java
@@ -1637,9 +1637,12 @@ public class WebView extends AbsoluteLayout
* <ul>
* <li> This method can be used to allow JavaScript to control the host
* application. This is a powerful feature, but also presents a security
- * risk for applications targeted to API level
- * {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or below, because
- * JavaScript could use reflection to access an
+ * risk for apps targeting {@link android.os.Build.VERSION_CODES#JELLY_BEAN} or earlier.
+ * Apps that target a version later than {@link android.os.Build.VERSION_CODES#JELLY_BEAN}
+ * are still vulnerable if the app runs on a device running Android earlier than 4.2.
+ * The most secure way to use this method is to target {@link android.os.Build.VERSION_CODES#JELLY_BEAN_MR1}
+ * and to ensure the method is called only when running on Android 4.2 or later.
+ * With these older versions, JavaScript could use reflection to access an
* injected object's public fields. Use of this method in a WebView
* containing untrusted content could allow an attacker to manipulate the
* host application in unintended ways, executing Java code with the
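Review bot: the added sentence "The most secure way to use this method is to target JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later" tells the reader what to do but not how to do the runtime check; the Javadoc would be more useful if it named the test, e.g. "guard the call with `Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1`", since that is the condition under which only `@JavascriptInterface`-annotated methods are exposed. Two smaller points in the same hunk: after the four inserted sentences, "With these older versions, JavaScript could use reflection..." has lost its clear referent (the original tied it directly to "API level JELLY_BEAN or below"), so consider "On devices running Android earlier than 4.2, JavaScript could use reflection..."; and the new lines (notably the one starting "The most secure way") run well past the 80-column wrapping used by the rest of this comment block, so rewrap them to match.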
@@ -1647,7 +1650,8 @@ public class WebView extends AbsoluteLayout
* method in a WebView which could contain untrusted content.</li>
* <li> JavaScript interacts with Java object on a private, background
* thread of this WebView. Care is therefore required to maintain thread
- * safety.</li>
+ * safety.
+ * </li>
* <li> The Java object's fields are not accessible.</li>
* </ul>
*
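Review bot: splitting `safety.</li>` into `safety.` and a bare `</li>` on its own line is a whitespace-only change that is inconsistent with the neighbouring list items (`...untrusted content.</li>` and `...not accessible.</li>` in this same hunk keep the closing tag inline) and is unrelated to the commit's stated purpose (the Android <4.2 security note). Suggest dropping this hunk, or closing the tag inline as the other items do.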