Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Can you visit arbitrary websites using such webviews? I never managed to.

And IIRC it's rather difficult to set up a webview that allows multiple domains or URLs (but I'm no android dev, and the last time I had to fiddle with this, was years ago)



The reason it works here is that this particular webview opens a Google page that links to Google.com. There is no address bar so any safe browsing enforcement will make it at least two steps harder to access most had content.

Blocking external domains shouldn't be that hard, but I also don't think parental controls are of any interest or priority for most app developers.


Last time I fiddled with it, was when we moved domains and our webviews stopped working. They i) did not follow the redirects we had in place, and ii) did not allow loading the new URL without whiltelisting that domain/url somewhere in the source-code.

IIRC whitelisting was the default in webviews; not sure if it still is, or if our expert Android dev configured it this way, but even getting a build that allowed to load content from our new domain required a new build. (Let alone that someone, even if we had links or such in our about.html, would be able to navigate there).


Please use "allowlist" instead of "wh_telist".


huh? why? is there a bot checking for this word? will it get someone in trouble?


It'd be pretty simple to enforce sandbox/parental controls for the integrated webview browser.

1. Just limit the webview browser location to the same list as allowed by the parental control.

2. By default limit the webview browser location to the domain first opened by the app i.e locked to a single domain by default.

3. Allow webview browser to be expanded via a regex/pattern list of domains.

4. Limit the number of webview browser location changes so even if you can access a search engine with a global domain allowlist, it would just return to the first page after N window.location changes.

There's plenty of introspection you can do via JS (which is already being used to set/inject that `mm` object), it could even check for certain DOM elements, HTTPS fingerprint, etc. to determine if the page is an "intended" destination for the particular integrated webview browser.


you forgot the reason webview exists! advertisement click's attribution.


It's possible. I remember one app that opened a webview to their terms of use page, which somewhere had a link to a Google page, which I could use to go to Google search. So, no direct URL input, but you could go to any website indexed.


IIRC webview, by default, requires a dev to whitelist domains. Maybe that has changed, IDK.

But finding an example where you can navigate elsewhere is not proof that all webviews are broken; maybe they have this "security issue" by default and allow a dev to tighten it (bad sec. practice IMO), and maybe android versions or SDK-versions differ in how they adhere, IDK. But the times that I encountered this and fiddled with it, it was a PIAS to even allow loading a page from another domain.


Or find a website like the mobile JS console people mentioned in this thread to link yourself anywhere, indexed or not




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: