addJavascriptInterface() exists what about removeJavascriptInterface() ?
179 views
Skip to first unread message
David Goehrig
Feb 2, 2011, 11:24:04 AM2/2/11
to android-...@googlegroups.com
Hi,
I was wondering if anyone knew of a way to remove a javascript interface once attached to a WebView. As far as I can tell, once you attach a Javascript interface to any WebView, it is then made available to all nested contexts (iframes, object tags, etc), and all future contexts. I am well aware of the "cute" note in the documentation:
"Using addJavascriptInterface() allows JavaScript to control your application. This can be a very useful feature or a dangerous security issue. When the HTML in the WebView is untrustworthy (for example, part or all of the HTML is provided by some person or process), then an attacker could inject HTML that will execute your code and possibly any code of the attacker's choosing.
Do not use addJavascriptInterface() unless all of the HTML in this WebView was written by you."
Within a context it seems that you can overwrite the bridge object and replace it with a javascript value, but any subsequent context reacquires access to the Bridge, which is pretty much the exact opposite thing one would want and expect.
Options?
Dave
I was wondering if anyone knew of a way to remove a javascript interface once attached to a WebView. As far as I can tell, once you attach a Javascript interface to any WebView, it is then made available to all nested contexts (iframes, object tags, etc), and all future contexts. I am well aware of the "cute" note in the documentation:
"Using addJavascriptInterface() allows JavaScript to control your application. This can be a very useful feature or a dangerous security issue. When the HTML in the WebView is untrustworthy (for example, part or all of the HTML is provided by some person or process), then an attacker could inject HTML that will execute your code and possibly any code of the attacker's choosing.
Do not use addJavascriptInterface() unless all of the HTML in this WebView was written by you."
Within a context it seems that you can overwrite the bridge object and replace it with a javascript value, but any subsequent context reacquires access to the Bridge, which is pretty much the exact opposite thing one would want and expect.
Options?
Dave
Reply all
Reply to author
Forward
0 new messages