OOR-CORS: Add a document to android_webview/docs

Adding a cors-and-webview-api.md to give WebView and chromium developers detailed knowledge to keep the compatible CORS and Origin related behaviors. Bug: 1035366 Change-Id: Ia7695011ef4b04d528af523cd2a4a0a4503eff2e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2024652 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Auto-Submit: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Nate Fischer <ntfschr@chromium.org> Cr-Commit-Position: refs/heads/master@{#736291}

OOR-CORS: Add a document to android_webview/docs
Adding a cors-and-webview-api.md to give WebView and chromium developers detailed knowledge to keep the compatible CORS and Origin related behaviors. Bug: 1035366 Change-Id: Ia7695011ef4b04d528af523cd2a4a0a4503eff2e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2024652 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Auto-Submit: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Nate Fischer <ntfschr@chromium.org> Cr-Commit-Position: refs/heads/master@{#736291}
eab8297d · Takashi Toyoshima · Commit Bot · 8e3fef26 · eab8297d
Commit eab8297d authored Jan 29, 2020 by Takashi Toyoshima Committed by Commit Bot Jan 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 56 additions and 0 deletions

android_webview/docs/cors-and-webview-api.md android_webview/docs/cors-and-webview-api.md +56 -0

No files found.
--- a/android_webview/docs/cors-and-webview-api.md
+++ b/android_webview/docs/cors-and-webview-api.md
+# CORS and WebView API
+
+## What is CORS?
+
+[Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
+is a well-established security feature to protect data from unexpected
+cross-origin accesses.
+
+## Purpose of this document
+WebView provides some APIs that change the CORS behaviors, but details are not
+explained in the API documents. This document aims to clarify such detailed
+behaviors and implementation details to give WebView and chromium developers
+hints to keep consistent behaviors among making code changes.
+
+## Android or WebView specific features
+
+### intent:// URLs
+intent:// URLs are used to send an [Android Intent](https://developer.android.com/guide/components/intents-filters.html)
+via a web link. A site can provide an intent:// link for users so that users can
+launch an Android application through the link.
+See [Android Intents with Chrome](https://developer.chrome.com/multidevice/android/intents)
+for details.
+
+This is allowed only for the top-level navigation. If the site has a link to
+an intent:// URL for an iframe, such frame navigation will be just blocked.
+
+Also, the page can not use such intent:// URLs for sub-resources. For instance,
+image loading for intent:// URLs and making requests via XMLHttpRequest or Fetch
+API just fail. JavaScript APIs will fail with an error (ex. error callback,
+rejected promise, etc).
+
+### content:// URLs
+content:// URLs are used to access resources provided via
+[Android Content Providers](https://developer.android.com/guide/topics/providers/content-providers).
+The access should be permitted via
+[setAllowContentAccess](https://developer.android.com/reference/android/webkit/WebSettings#setAllowContentAccess(boolean))
+API beforehand.
+content:// pages can contain iframes that load content:// pages, but the parent
+frame can not access into the iframe contents. Also only content:// pages can
+specify content:// URLs for sub-resources.
+Pages loaded with any scheme other than content:// can't load content:// page in
+iframes and they can not specify content:// URLs for sub-resources.
+
+### file:///android\_{asset,res}/ URLs
+TODO
+
+## WebView APIs
+
+### setAllowFileAccessFromFileURLs
+TODO
+
+### setAllowUniversalAccessFromFileURLs
+TODO
+
+### shouldInterceptRequest
+TODO