
Issue 833942


Issue metadata

Status: WontFix
Closed: Apr 2018
OS: Android
Pri: 3
Type: Bug




Ensure that WebView's policy about cleartext connections to localhost aligns with Android's general policy.

Project Member Reported by gsennton@chromium.org, Apr 17 2018

Issue description

Related issue: b/77282922

A WebView CTS test recently started failing because the test needed to declare a manifest-flag to be allowed to open a cleartext connection to localhost.
We should double-check that WebView and Android agree on whether cleartext connections to localhost are OK without the manifest flag. 
 
Cc: ntfschr@chromium.org
As I understood, usesCleartextTraffic defaults to "true" to allow apps to use cleartext. Apps may optionally specify "false" to forbid cleartext. We changed WebView [1] to honor when this is "false" for apps targeting >= 26 [2].

I don't see why you needed to add that attribute, unless the attribute was inherited from something else.

[1] https://cs.chromium.org/chromium/src/android_webview/glue/java/src/com/android/webview/chromium/WebViewChromiumAwInit.java?type=cs&q=lang:java+f:android_webview+AwContentsStatics.setCheckClearTextPermitted&sq=package:chromium&l=282
[2] https://developer.android.com/guide/topics/manifest/application-element.html#usesCleartextTraffic

Comment 2 by torne@chromium.org, Apr 24 2018

Status: WontFix (was: Available)
Apps that target P will default to disallowing cleartext, and the CTS tests are always built to target the current version. The test started failing when this default policy was implemented.

WebView and Android do agree - another Android thread confirmed that the rest of Android does not special-case localhost and requires a network security policy to be specified if you want to exempt it (which is preferable to enabling cleartext entirely in real code - just setting it was fine to fix the test here though).
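
The two options contrasted in comment 2, shown as an added example that is not part of the original issue thread or of the CTS test's actual fix: a Network Security Config that permits cleartext only for localhost, next to the blanket manifest flag. The resource file name `network_security_config.xml` is an assumption; the elements and attributes are the standard Android ones.

```xml
<!-- res/xml/network_security_config.xml (file name is an assumption) -->
<network-security-config>
    <!-- State the default explicitly: no cleartext to any host,
         whatever targetSdkVersion the app is built against. -->
    <base-config cleartextTrafficPermitted="false" />

    <!-- Narrow exemption: cleartext is allowed to localhost only. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">localhost</domain>
    </domain-config>
</network-security-config>

<!-- AndroidManifest.xml, scoped variant: point the app at the config above. -->
<application
    android:networkSecurityConfig="@xml/network_security_config">
</application>

<!-- AndroidManifest.xml, blanket variant: permits cleartext to every host.
     This is the broad setting comment 2 describes as acceptable for a test
     but not preferable in real code. -->
<application
    android:usesCleartextTraffic="true">
</application>
```

When a Network Security Config is present, `android:usesCleartextTraffic` is ignored on Android 7.0 (API level 24) and above, so the two variants are alternatives rather than settings to combine.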
