android_webview/browser/safe_browsing/README.md

Android WebView Safe Browsing

Android WebView has supported core Safe Browsing features since 2017.

Googlers may wish to consult internal documentation.

What is Safe Browsing?

See the relevant Chromium classes in //components/safe_browsing/.

For info on the feature, see https://safebrowsing.google.com/.

Opt-in/consent/requirements

Google Play Services

If Google Play Services (AKA GMSCore) is uninstalled, disabled, or out-of-date, WebView cannot perform Safe Browsing checks (with the exception of hard-coded URLs). Before trying Safe Browsing locally, make sure this is up-to-date:

$ adb shell am start -a "android.intent.action.VIEW" -d "market://details?id=com.google.android.gms"
# Then, manually update GMS in the UI.

If Google Play Services is installed, the user must opt into Google Play Protect's “Verify Apps” setting: Settings > Google > Security > Google Play Protect > Scan device for security threats.

Application opt-in

Safe Browsing is enabled by default, but applications can explicitly disable it with a manifest tag:

<manifest>
    <application>
        <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                   android:value="false" />
        ...
    </application>
</manifest>

Hard-coded URLs

WebView supports Safe Browsing checks (for testing purposes) on hard-coded WebUI URLs defined in //components/safe_browsing/web_ui/constants.cc (ex. chrome://safe-browsing/match?type=malware).

These URLs don't show meaningful content, but will trigger an interstitial when trying to navigate to them. WebView relies on these URLs in our CTS tests, so they must never change (but more URLs may be added).

Differences in support and types of interstitials

See this page.

Testing Safe Browsing

Automated tests live here.

You can manually test Safe Browsing with the WebView Shell. Navigate to one of the hard-coded URLs mentioned above.

To test more complex scenarios and WebView's Safe Browsing APIs, please try out the open source WebView demo app.

Note: if testing Safe Browsing manually, make sure to update GMS and opt into Google Play Protect.

Supporting new threat types

As Chrome supports more threat types, so can WebView. The steps are:

  1. Create quiet interstitial resources for the new threat type (example CL).
  2. Whitelist resources and strings (general docs, example CL).
  3. Add the new threat type to our list of threats (example CL).
  4. Add a hard-coded URL (example CL).
  5. Write integration tests (example CL).
  6. Add a new threat type constant to the Android SDK (constants are defined in WebViewClient.java, please consult a WebView team member before this step). The new threat type constant should only be used when the application targets the new Android SDK: use SAFE_BROWSING_THREAT_UNKNOWN for apps with older targetSdkVersions (see http://crbug.com/887186#c15 and http://b/117470538).
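Step 6 means an app built against an older SDK receives SAFE_BROWSING_THREAT_UNKNOWN for any threat type newer than its targetSdkVersion. The following is an added example of an app-side handler that treats that case defensively; it is not code from this directory or from the WebView demo app, and the class name DefensiveSafeBrowsingClient is an assumption made for illustration.

```java
import android.util.Log;
import android.webkit.SafeBrowsingResponse;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical app-side client (the class name is an assumption).
// onSafeBrowsingHit is only invoked on API 27 and later.
public class DefensiveSafeBrowsingClient extends WebViewClient {
    private static final String TAG = "SafeBrowsingClient";

    @Override
    public void onSafeBrowsingHit(WebView view, WebResourceRequest request,
                                  int threatType, SafeBrowsingResponse callback) {
        // Record which resource was flagged and whether it was the top-level page.
        Log.w(TAG, "Safe Browsing hit: type=" + threatType
                + " mainFrame=" + request.isForMainFrame()
                + " url=" + request.getUrl());

        switch (threatType) {
            case SAFE_BROWSING_THREAT_MALWARE:
            case SAFE_BROWSING_THREAT_PHISHING:
            case SAFE_BROWSING_THREAT_UNWANTED_SOFTWARE:
                // Threat types this build knows about: let WebView show its
                // own interstitial so the user gets the standard explanation.
                callback.showInterstitial(/* allowReporting= */ true);
                break;

            case SAFE_BROWSING_THREAT_UNKNOWN:
            default:
                // UNKNOWN is what WebView reports when the real threat type
                // is newer than this app's targetSdkVersion. The default
                // branch covers constants added after this code was written.
                // In both cases the app cannot tell what was detected, so it
                // fails closed and navigates away without offering "proceed".
                callback.backToSafety(/* report= */ false);
                break;
        }
    }
}
```

Install it with webView.setWebViewClient(new DefensiveSafeBrowsingClient()) and load one of the hard-coded URLs described above to exercise the known-type branch.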