AddJavascriptInterface Lint Check
597 views
Skip to first unread message
Scott Olcott
Aug 21, 2014, 4:48:31 PM8/21/14
to adt...@googlegroups.com
I am getting a lint error when I call WebView.addJavaScriptInterface even though I wrap it in a check to make sure that it only runs on API 17 or above. The lint description says
WebView.addJavascriptInterface should not be called with minSdkVersion < 17 for security reasons: JavaScript can use reflection to manipulate application
While the documentation at http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String) says
The most secure way to use this method is to target JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later.
These two descriptions seem to contradict each other the lint check says we should only use it if minSdkVersion < 17 while the javadoc says targetSdkVersion >= 17 and make sure you don't call it on devices < 17. Which one is correct? I've heard of certain features or behaviors only being enabled when you change your targetSdkVersion but never when you change your minSdkVersion
Michael Wright
Aug 21, 2014, 4:56:15 PM8/21/14
to adt...@googlegroups.com
I suggest you re-read the warnings. The lint says it SHOULD NOT be called if minSdk < 17. The documentation says it SHOULD ONLY be called on 4.2 and later (i.e. minSdk >= 17).
--
You received this message because you are subscribed to the Google Groups "adt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to adt-dev+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Scott Olcott
Aug 21, 2014, 5:22:45 PM8/21/14
to adt...@googlegroups.com, mdwr...@ncsu.edu
I read it and I checked the code at https://android.googlesource.com/platform/tools/base/+/master/lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/AddJavascriptInterfaceDetector.java. It skips this check if
if (context.getMainProject().getMinSdk() >= 17) {
return;
}
According to the javadoc on the method it should be checking targetSdkVersion set in build.gradle is >=17 not minSdkVersion >=17. The application code should then make sure it doesn't run on devices < API 17.
Reply all
Reply to author
Forward
0 new messages