[JJI] Removes implicit rules for allowedOriginRules

According to ProxyBypassRules's doc, it will allow origins such as 127.0.0.1, [::1] etc by default. We should call AddRulesToSubtractImplicit() before adding any other rules to avoid implicitly allowing these origins. Bug: 1024614 Test: added a new test for it, it will fail without this fix. Change-Id: I32e56483bf37798ebf6cd49b244d20fa34d38157 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914905Reviewed-by: Changwan Ryu <changwan@chromium.org> Commit-Queue: Shimi Zhang <ctzsm@chromium.org> Cr-Commit-Position: refs/heads/master@{#715136}

[JJI] Removes implicit rules for allowedOriginRules
According to ProxyBypassRules's doc, it will allow origins such as 127.0.0.1, [::1] etc by default. We should call AddRulesToSubtractImplicit() before adding any other rules to avoid implicitly allowing these origins. Bug: 1024614 Test: added a new test for it, it will fail without this fix. Change-Id: I32e56483bf37798ebf6cd49b244d20fa34d38157 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1914905Reviewed-by: Changwan Ryu <changwan@chromium.org> Commit-Queue: Shimi Zhang <ctzsm@chromium.org> Cr-Commit-Position: refs/heads/master@{#715136}
fd0eac11 · Shimi Zhang · Commit Bot · c4263d86 · fd0eac11 · fd0eac11
Commit fd0eac11 authored Nov 14, 2019 by Shimi Zhang Committed by Commit Bot Nov 14, 2019
2 changed files
--- a/android_webview/browser/js_java_interaction/js_java_configurator_host.cc
+++ b/android_webview/browser/js_java_interaction/js_java_configurator_host.cc
@@ -64,6 +64,10 @@ JsJavaConfiguratorHost::AddWebMessageListener(
                                      &native_allowed_origin_rule_strings);
  net::ProxyBypassRules native_allowed_origin_rules;
+  // We don't want to inject js object to origins that matches implicit rules
+  // automatically. Later rules override earilier rules, so we add subtracing
+  // rules first.
+  native_allowed_origin_rules.AddRulesToSubtractImplicit();
  for (auto& rule : native_allowed_origin_rule_strings) {
    if (!native_allowed_origin_rules.AddRuleFromString(rule)) {
      return base::android::ConvertUTF8ToJavaString(

--- a/android_webview/javatests/src/org/chromium/android_webview/test/JsJavaInteractionTest.java
+++ b/android_webview/javatests/src/org/chromium/android_webview/test/JsJavaInteractionTest.java
@@ -620,6 +620,22 @@ public class JsJavaInteractionTest {
                isJsObjectInjectedWhenLoadingUrl("https://www.noinjection.com", JS_OBJECT_NAME_2));
    }
+    @Test
+    @MediumTest
+    @Feature({"AndroidWebView", "JsJavaInteraction"})
+    public void testAddWebMessageListener_dontInjectWhenMatchesImplicitRules() throws Throwable {
+        // allowedOriginRules is an empty String array, shouldn't inject the object to any frame.
+        addWebMessageListenerOnUiThread(mAwContents, JS_OBJECT_NAME, new String[0], mListener);
+        // following are some origins allowed by implicit rules.
+        Assert.assertFalse(isJsObjectInjectedWhenLoadingUrl("http://127.0.0.1", JS_OBJECT_NAME));
+        Assert.assertFalse(isJsObjectInjectedWhenLoadingUrl("https://127.0.0.1", JS_OBJECT_NAME));
+        Assert.assertFalse(isJsObjectInjectedWhenLoadingUrl("http://localhost", JS_OBJECT_NAME));
+        Assert.assertFalse(isJsObjectInjectedWhenLoadingUrl("http://169.254.0.1", JS_OBJECT_NAME));
+        Assert.assertFalse(isJsObjectInjectedWhenLoadingUrl("http://localhost6", JS_OBJECT_NAME));
+        Assert.assertFalse(isJsObjectInjectedWhenLoadingUrl("http://[::1]", JS_OBJECT_NAME));
+    }
    @Test
    @MediumTest
    @Feature({"AndroidWebView", "JsJavaInteraction"})